Formbook

Description

(FireEye) FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:

• Key logging • Clipboard monitoring • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests • Grabbing passwords from browsers and email clients • Screenshots

FormBook can receive the following remote commands from the C2 server:

• Update bot on host system • Download and execute file • Remove bot from host system • Launch a command via ShellExecute • Clear browser cookies • Reboot system • Shutdown system • Collect passwords and create a screenshot • Download and unpack ZIP archive

Names

Name
Formbook
win.xloader

Category

Malware

Type

• Backdoor
• Keylogger
• Info stealer
• Credential stealer

Information

• https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html
• http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/
• https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu
• http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html
• https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
• https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
• http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html
• https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/
• https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf
• https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent
• https://blog.talosintelligence.com/2018/06/my-little-formbook.html
• https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I
• https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii
• https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii
• https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/
• https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
• https://www.cyfirma.com/outofband/formbook-malware-technical-analysis/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:FormBook

Other Information

Uuid

31818036-6fd3-4bb1-8ce9-99105a83c6e5

Last Card Change

2023-04-26