
FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to operate the FormBook virus.

Type: Spyware
Origin: Unknown
First seen: 1 January, 2016
Last seen: 2 October, 2025
Also known as: Xloader



What is FormBook malware?

FormBook stealer is an infostealer trojan available as malware-as-a-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various kinds of information from infected machines.

Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions, including the ability to pull stored and recorded user input. In addition, the FormBook stealer is capable of searching for, viewing, and interacting with files, and of taking screenshots. Even though the stealing capability of this virus can be considered somewhat average, its ease of operation, its injection scheme, and a set of effective measures it takes to avoid detection by antivirus software have made FormBook a popular virus in the hacker community, and, unfortunately, its popularity only continued to rise in 2019.

General description of the FormBook stealer

Written in C and x86 assembly language, FormBook is sold together with a PHP control panel and can be purchased on highly accessible online forums for merely 30 dollars.

Unusually, unlike the majority of existing viruses that exploit the latest vulnerabilities or zero-days, FormBook injects into processes and sets up function hooks using already known issues. Hence the makers' claim that the virus will work flawlessly regardless of the Windows version.

Together with its stealer functionality and evasion techniques, the virus can execute instructions from a control server, including starting new processes, injecting into them, and rebooting the victim's PC. What's more, the virus is able to load its own copy of Windows' ntdll.dll module into memory and call it directly, which renders API monitoring and user-mode hooking almost insufficient.


FormBook malware analysis

A video of a simulation recorded on the ANY.RUN interactive malware analysis service allows us to take an in-depth look at the behavior of this clever virus, as well as of other malware such as Dridex and Lokibot with their elaborate anti-evasion techniques.

Figure 1: Processes created by FormBook during execution as shown by the ANY.RUN simulation

  • As shown by the ANY.RUN simulation, the virus first establishes a connection to the CnC server;
  • After this, a malicious executable file, in this analysis pretending to be a .png, is dropped or overwritten and executed;
  • Then FormBook proceeds to steal personal data and change the autorun value in the registry. The virus also loads a DLL from Mozilla Firefox, creates files in the user directory, and starts CMD.EXE to set up persistence and later begin process injection;
  • Finally, the injected Firefox.exe is executed for logging keystrokes, stealing clipboard data, and extracting authentication information from browser HTTP sessions.

Distribution of the FormBook stealer

According to FormBook analysis, the malware is usually distributed via email campaigns that utilize a wide array of infection mechanisms and can carry a number of different file attachments. Among the most commonly observed attachments are PDF, DOC or EXE files, and ZIP, RAR, ACE, and ISO archives.

Campaigns in which the virus is distributed through files with PDF extensions are known to utilize shipping-related themes and usually include a download link that points at the malicious code instead of carrying the actual virus. DOC and EXE campaigns utilize macros to install and run the virus; often, in such a case, the virus is retrieved as a .PDF file. Finally, archive campaigns are considered to be the most common attack vector for this virus and usually revolve around a business-related theme, such as a payment order. In the case of this attack vector, attachments either contain a link to the FormBook stealer EXE file or install and run the virus on the victims' PCs directly.

In 2020, FormBook became quite popular as it used Covid-themed emails as decoys, with subject headings such as “Government Response to Coronavirus Covid-19”.

FormBook execution process

A sandbox simulation performed on the ANY.RUN interactive malware hunting service allows us to detect and investigate the behavior of FormBook in great detail.

Figure 2: A text report generated by ANY.RUN

After the malicious file is downloaded, the only thing needed to start the infection is for the file to be opened. When a Microsoft Office file (doc, xls, rtf) is used as the infection source, the malware exploits the CVE-2017-11882 vulnerability after the file is opened, so that Microsoft Office Equation Editor proceeds to download a malicious executable file and run it.

After infecting the victim's PC, the virus copies and renames itself into a directory that differs based on the privileges of the user. If an admin account is used, the virus installs itself in either %ProgramFiles% or %CommonProgramFiles%. If the privileges are not elevated, the virus instead copies itself into %TEMP% or %APPDATA%.

The FormBook trojan also changes the autorun value in the registry depending on whether it was running with normal or elevated privileges. Once the malware has copied itself into a directory, it proceeds to check whether it is being run on a virtual machine or analyzed, evaluating the best evasion option that can be utilized in a particular situation. Meanwhile, the virus evaluates the USERNAME environment variable to find out if it is launched in a simulation, while also checking for the presence of debuggers. It should be noted that the malware uses particularly clever techniques while performing this analysis: for example, all shared strings, such as command server names, are decoded only briefly and only when absolutely required, which makes FormBook highly elusive. In the next step, the virus uses the same injection method on an active explorer.exe process, which is only employed as a non-permanent staging ground.

The virus occasionally performs injections into web browser processes and explorer.exe. After injecting into the process, the virus chooses a random application from a static list. It then runs the chosen application in suspended mode and copies itself into the address space of the suspended process, thus mimicking a genuine Microsoft process. Next, the virus exits the original process, which leaves FormBook's dead code behind in explorer.exe. From this stage, new FormBook processes can inject into targeted applications such as web browser processes, which in the case of this particular ANY.RUN simulation is Firefox.

Depending on the target process, the virus can establish various function hooks. Running from inside the context of an already spawned process, the virus goes through every currently active process, trying to identify targeted programs. As soon as a target is found, FormBook injects itself into it and installs a particular set of API hooks based on the target program. The stolen data is then saved in files in the %APPDATA% directory until it is sent to the C&C server. Pay attention to this behavior to detect the malware.

How to avoid infection by FormBook?

The best countermeasure is to exercise caution when receiving emails with attachments from unknown senders. Attackers usually use social engineering to trick victims into downloading and opening infected files.

Deleting any suspicious emails from the inbox is a good way to stay safe. If an infection is already detected, a good practice is to analyze all devices connected to the network for established CnC or potentially malicious URL connections. Once a suspicious email is received, perimeter settings can be adjusted to block all related emails in the future. Finally, if an infected file has already been downloaded, the host should be quarantined until the threat is completely mitigated.

How to detect Formbook using ANY.RUN?

The FormBook trojan usually injects into explorer.exe and other processes from its list, such as firefox.exe and msiexec.exe. Knowing this behavior, you can look at the process tree a while into the execution and easily determine whether the sample is FormBook or not.

Figure 3: A tree of processes created by FormBook during its execution
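As an added illustration of the process-tree check described above (example code written for this page, not ANY.RUN's own detection logic), the following Python walks sandbox-style process records and flags the behaviors the article attributes to FormBook: Equation Editor spawning an executable, a binary in %APPDATA%/%TEMP% starting cmd.exe, cmd.exe writing the Run key, and a bare staging process under explorer.exe. The process names, paths and registry value in `SAMPLE` are constructed, and the heuristics are illustrative rather than tuned signatures.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    cmdline: str   # full command line as recorded by the sandbox
# Processes the article names as FormBook injection/staging targets.
STAGING = {"msiexec.exe", "firefox.exe", "explorer.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\")  # on-disk forms of %APPDATA% / %TEMP%

def find_formbook_indicators(procs):
    """Return a sorted list of (indicator, pid) pairs for the heuristics below."""
    by_pid = {p.pid: p for p in procs}
    kids = defaultdict(list)
    for p in procs:
        kids[p.ppid].append(p)
    hits = set()
    for p in procs:
        parent = by_pid.get(p.ppid)
        low = p.cmdline.lower()
        # 1. Equation Editor launching an executable (the CVE-2017-11882 chain).
        if parent and parent.image == "eqnedt32.exe":
            hits.add(("eqnedt32_spawns_executable", p.pid))
        # 2. A binary running from %APPDATA%/%TEMP% that starts cmd.exe,
        #    where the article says FormBook sets up persistence.
        if any(d in low for d in USER_WRITABLE) and any(
                c.image == "cmd.exe" for c in kids[p.pid]):
            hits.add(("user_dir_binary_spawns_cmd", p.pid))
        # 3. cmd.exe touching the autorun (Run) key.
        if p.image == "cmd.exe" and "currentversion\\run" in low:
            hits.add(("autorun_set_via_cmd", p.pid))
        # 4. Staging-list process spawned by explorer.exe with no arguments (suspended copy).
        if (parent and parent.image == "explorer.exe" and p.image in STAGING
                and len(p.cmdline.split()) == 1):
            hits.add(("bare_staging_process", p.pid))
    return sorted(hits)

# Constructed process records, not taken from a real ANY.RUN report.
SAMPLE = [
    Proc(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(200, 100, "winword.exe", "WINWORD.EXE invoice.doc"),
    Proc(300, 200, "eqnedt32.exe", "EQNEDT32.EXE -Embedding"),
    Proc(400, 300, "dropper.exe", "C:\\Users\\victim\\AppData\\Roaming\\dropper.exe"),
    Proc(500, 400, "cmd.exe", "cmd /c reg add HKCU\\Software\\Microsoft\\Windows"
         "\\CurrentVersion\\Run /v upd /d C:\\Users\\victim\\AppData\\Roaming\\dropper.exe"),
    Proc(600, 100, "msiexec.exe", "msiexec.exe"),
    Proc(700, 100, "firefox.exe", "firefox.exe -url https://example.org"),
]
```

The firefox.exe record is the negative case: it is on the staging list but carries arguments, so a normal browser launch from explorer.exe is not flagged.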

Conclusion

Thanks to its extreme ease of use and low cost, FormBook is gaining traction in the criminal community. Not only is the virus freely accessible for download on open hacker forums and easy to set up without any programming knowledge, but it also comes equipped with some highly advanced evasion techniques that make detecting it with anti-virus software extremely difficult. The ANY.RUN interactive malware hunting service makes it possible to study FormBook in detail from a secure environment and implement cybersecurity measures accordingly.
