File name:

523e3a307421539d0d7288098359a3e1

Full analysis: https://app.any.run/tasks/8fd39436-514e-4533-8b4a-620c74a11da0
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: May 20, 2022, 16:13:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
formbook
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

523E3A307421539D0D7288098359A3E1

SHA1:

688C1F1C47B0BBB3D3D889C2C639652F3E9E29C2

SHA256:

DE2CBF081557F75987C719476B820B152632DF1A1EE2480941227635EFFE5317

SSDEEP:

6144:B0YUXp/nJO1cJP+VzCRmT2YR9YlU0bS2tQphZ5:I9jPAms6IWlU0bgf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • 523e3a307421539d0d7288098359a3e1.exe (PID: 2876)

    • Application was dropped or rewritten from another process

      • nfueyjoofx.exe (PID: 3152)
      • nfueyjoofx.exe (PID: 3056)

    • FORMBOOK detected by memory dumps

      • systray.exe (PID: 3356)

    • FORMBOOK was detected

      • Explorer.EXE (PID: 1296)

    • Connects to CnC server

      • Explorer.EXE (PID: 1296)

  • SUSPICIOUS

    • Reads the computer name

      • 523e3a307421539d0d7288098359a3e1.exe (PID: 2876)
      • nfueyjoofx.exe (PID: 3056)

    • Checks supported languages

      • 523e3a307421539d0d7288098359a3e1.exe (PID: 2876)
      • nfueyjoofx.exe (PID: 3152)
      • nfueyjoofx.exe (PID: 3056)

    • Executable content was dropped or overwritten

      • 523e3a307421539d0d7288098359a3e1.exe (PID: 2876)

    • Drops a file with a compile date too recent

      • 523e3a307421539d0d7288098359a3e1.exe (PID: 2876)

    • Application launched itself

      • nfueyjoofx.exe (PID: 3152)

    • Reads Environment values

      • systray.exe (PID: 3356)

  • INFO

    • Manual execution by user

      • systray.exe (PID: 3356)

    • Checks supported languages

      • systray.exe (PID: 3356)

    • Reads the computer name

      • systray.exe (PID: 3356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x32fa
UninitializedDataSize: 1024
InitializedDataSize: 119808
CodeSize: 23040
LinkerVersion: 6
PEType: PE32
TimeStamp: 2007:06:08 23:48:38+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Jun-2007 21:48:38
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 08-Jun-2007 21:48:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000059AC
0x00005A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45808
.rdata
0x00007000
0x0000117A
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.17514
.data
0x00009000
0x0001AFD8
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.98111
.ndata
0x00024000
0x00008000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002C000
0x00000900
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.94449

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00226
491
UNKNOWN
English - United States
RT_MANIFEST
103
2.16096
20
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
106
2.88094
284
UNKNOWN
English - United States
RT_DIALOG
111
2.48825
96
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start 523e3a307421539d0d7288098359a3e1.exe nfueyjoofx.exe no specs nfueyjoofx.exe no specs #FORMBOOK systray.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2876"C:\Users\admin\AppData\Local\Temp\523e3a307421539d0d7288098359a3e1.exe" C:\Users\admin\AppData\Local\Temp\523e3a307421539d0d7288098359a3e1.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\523e3a307421539d0d7288098359a3e1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
3056C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoeiC:\Users\admin\AppData\Local\Temp\nfueyjoofx.exenfueyjoofx.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nfueyjoofx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3152C:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe C:\Users\admin\AppData\Local\Temp\dgfoeiC:\Users\admin\AppData\Local\Temp\nfueyjoofx.exe523e3a307421539d0d7288098359a3e1.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nfueyjoofx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
3356"C:\Windows\System32\systray.exe"C:\Windows\System32\systray.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
723
Read events
723
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2876523e3a307421539d0d7288098359a3e1.exeC:\Users\admin\AppData\Local\Temp\dgfoeibinary
MD5:
SHA256:
2876523e3a307421539d0d7288098359a3e1.exeC:\Users\admin\AppData\Local\Temp\nfueyjoofx.exeexecutable
MD5:
SHA256:
2876523e3a307421539d0d7288098359a3e1.exeC:\Users\admin\AppData\Local\Temp\i1452n33fabinary
MD5:
SHA256:
2876523e3a307421539d0d7288098359a3e1.exeC:\Users\admin\AppData\Local\Temp\nsp917A.tmpbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
13
DNS requests
17
Threats
56

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1296
Explorer.EXE
GET
91.189.114.8:80
http://www.gavrishev.com/tgdh/?v6=44UUxfumUOvjBqHlsrEiM9tSf94dP8lgTNccNx4xYfFpqzBGReyJHyXqyG/djNUc/5TDvg==&1b=V6oPQBMX
RU
malicious
1296
Explorer.EXE
GET
104.223.211.55:80
http://www.socialmediacowgirl.com/tgdh/?v6=+rVQ4iMqt7Xe86yKJhUGKtl3Unozp9KKlvFxKVM6MbmOjpccAh096VsuH7DOzfBAPcKyGg==&1b=V6oPQBMX
US
malicious
1296
Explorer.EXE
GET
404
188.114.96.10:80
http://www.floristeriascasablanca3.com/tgdh/?v6=ZiOdQcdCZdxX2Q8LfQ0s5I3dZIhycVz4J/wm8vJToSDUIl3wfZZ8kstrEaKDJt5xzNbkdw==&1b=V6oPQBMX
US
html
3.40 Kb
malicious
1296
Explorer.EXE
GET
154.23.181.118:80
http://www.49000yyy.com/tgdh/?v6=VVPsAepxcyiOQKLk1ZFwhqpJlWza2IR+5JQSnGSMQB0u9QoGoJFYYRXFpD0Qd78gO+CnfQ==&1b=V6oPQBMX
US
malicious
1296
Explorer.EXE
GET
200
23.202.231.167:80
http://www.determineui.site/tgdh/?v6=Nsh71O9DYtkbvtknA6Wza1hgah1aXoCrVzrvyRkZCGGcsblfNYKAg7l5uGelhBYm6BBDxg==&1b=V6oPQBMX
US
html
379 b
malicious
1296
Explorer.EXE
GET
403
34.102.136.180:80
http://www.club2more.site/tgdh/?v6=p1xtLapP2ocRIz1MyKX7qrh18slg1ExUjs43qZuDHlErpV9iB//M4oZNfwZfWwO2jweU9g==&1b=V6oPQBMX
US
html
291 b
malicious
1296
Explorer.EXE
GET
302
170.178.194.226:80
http://www.szlgi.com/tgdh/?v6=bFL4NVDPO6dWd3QxSOzpzbtqiYPh46YkADVXKhWcMTcVUEMkMAxmZWHamA8DqKNJ18UCmA==&1b=V6oPQBMX
US
malicious
1296
Explorer.EXE
GET
404
66.96.160.128:80
http://www.efraly.com/tgdh/?v6=+fgQh7eLfkVVFdmfD7snyAYfFcrPeAKj+c9tCQ28naPEg0iRfaBhc2V394rkJYkqd4ruSw==&1b=V6oPQBMX
US
html
867 b
malicious
1296
Explorer.EXE
GET
301
172.104.44.134:80
http://www.imisukabumi.com/tgdh/?v6=AojNT9ulWHwLJKiYQuoIWdwxvz2IUKy2akCxwFInGUM1plzDQ9VLRsOzjJwFHFKoTx+wLg==&1b=V6oPQBMX
SG
html
143 b
malicious
1296
Explorer.EXE
GET
302
213.186.33.5:80
http://www.lychee.solutions/tgdh/?v6=UlKbuswi3Y94wkkr3FQ89d1PQ+7W2P8S37KfK5fMXAO8xBwAZ7A9X9sISJQ9nZaIVRBCUQ==&1b=V6oPQBMX
FR
html
138 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1296
Explorer.EXE
34.102.136.180:80
www.club2more.site
US
whitelisted
1296
Explorer.EXE
188.114.96.10:80
www.floristeriascasablanca3.com
Cloudflare Inc
US
malicious
1296
Explorer.EXE
170.178.194.226:80
www.szlgi.com
MULTACOM CORPORATION
US
malicious
1296
Explorer.EXE
160.124.207.221:80
www.crossfit3110.com
ZA
malicious
1296
Explorer.EXE
154.23.181.118:80
www.49000yyy.com
US
malicious
1296
Explorer.EXE
66.96.160.128:80
www.efraly.com
The Endurance International Group, Inc.
US
malicious
1296
Explorer.EXE
172.104.44.134:80
www.imisukabumi.com
Linode, LLC
SG
malicious
1296
Explorer.EXE
91.189.114.8:80
www.gavrishev.com
Hosting Center LLC
RU
malicious
1296
Explorer.EXE
23.227.38.74:80
www.bodi8.com
Shopify, Inc.
CA
malicious
1296
Explorer.EXE
104.223.211.55:80
www.socialmediacowgirl.com
Global Frag Networks
US
malicious

DNS requests

Domain
IP
Reputation
www.club2more.site
  • 34.102.136.180
malicious
www.didgaulab2.net
unknown
www.floristeriascasablanca3.com
  • 188.114.96.10
  • 188.114.97.10
malicious
www.onepasscare.com
unknown
www.szlgi.com
  • 170.178.194.226
malicious
www.crossfit3110.com
  • 160.124.207.221
malicious
www.49000yyy.com
  • 154.23.181.118
malicious
www.briantheanalyst.com
  • 34.102.136.180
malicious
www.efraly.com
  • 66.96.160.128
malicious
www.imisukabumi.com
  • 172.104.44.134
malicious

Threats

PID
Process
Class
Message
1296
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1296
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1296
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
523e3a307421539d0d7288098359a3e1