BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
7
Global rank
12 infographic chevron month
Month rank
20 infographic chevron week
Week rank
27546
IOCs

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Stealer
Type
Unknown
Origin
1 January, 2016
First seen
16 April, 2024
Last seen
Also known as
Xloader

How to analyze Formbook with ANY.RUN

Type
Unknown
Origin
1 January, 2016
First seen
16 April, 2024
Last seen

IOCs

IP addresses
82.180.175.114
172.67.177.75
149.100.155.162
154.23.147.231
38.40.172.217
212.24.127.107
154.23.134.144
206.188.193.90
54.150.239.82
172.67.215.254
152.199.21.175
45.196.105.38
192.175.100.228
45.122.135.248
65.109.117.196
46.242.157.30
103.14.122.66
172.67.160.165
154.80.192.235
178.20.227.11
Hashes
1b990c7256969865617929a408a88709db6de3f9fb1c435b6d255940e54e1f00
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e
7953ff7825dbd216728348d35c247f1b4d8361d786444d07fda762bbbeb24829
c7101e1f8f5d21e5371bcbbec68c24be274b206ac727ddaf721155c28cf1c93b
666213c84efa0a5cf5fee750c2daf1804310879a285f338f0cbe5b37097b4778
29aa06ee77256a3e9db64601a07888a4de5b75537dbd558ead61fdc6ad1f85be
539e48b91ce31c5fa27b4466e9f9d9a4933e9bf17a4afd06c1dc826d0ba749c4
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
1de829752377ff0b2d03cc8ff463ca58c8d629619d96fcec4def6e2126f64b1c
0c35a956414da32dd99aeb2d7435348c4ae602c1b3f9e33cc688e1a94ad88030
84793a0abafb1359181904ef25ecc2aa98520bd224113dae140d9e631bd6b77e
6432e0423f49d1324d2b698cc8bcf463e56bbb243bba809951e2f01b8e0a6d60
12a7cd1058647b4bf7e712fe8e35c252df238d9620700f1757c65d1c734767ea
dd98beb384a4408b8e8349493180772b54215241fe1d7bf7c791ab9f3995cd9a
15ffd2a82eb0ab30377a49dd2898af3a28f9787f6f39257a63b1fe93ecf36ff4
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0
d25e64b6ee02c4d14af2c7a8cb00da85809c8f6d31d77d6c8f0da04e09ae2c18
951d0816298eb61e2765bef6fc419744ef483765cf235cbb14544d90c2648486
8a04693281d2231699704a5a57956f67804ee886ce4d474606335ba426a535ea
584b47be6df25778858494f5dda04c5b53cd07332a2fa58db24ed7a15f694ac3
Domains
mail.adityagroup.co
mail.zoomfilms-cz.com
warbakup5577ebn.duckdns.org
mail.boyyem.com.tr
mail.exportersglobe.com
doctors4change.net
nogodbeforeme.net
ninoxins.com
private-clicks.com
mymelada.com
tubesing.com
catrionatowriss.com
gangqinqu123.net
mcluxuryrentals.com
shanaesbeauty.com
37collingwoodst.com
echafa.com
airpopgrip.com
dubaiexoticdogs.com
nordic-aesthetics.com
URLs
http://www.lolabeautystudios.com/gs12/
http://www.silkskyncare.com/uu09/
http://www.fight4yourhappiness.com/dd20/
http://www.tinmapco.com/0sc0/
http://www.budget-harmony.com/ij84/
http://www.posycbd.com/tdet/
http://www.purifyelements.com/fs83/
http://www.lunazone.us/m07a/
http://www.venusbackend.live/dz25/
http://www.echoesdesing.com/fs44/
http://www.gltip2le.shop/kh11/
http://www.patlod.com/31o/
http://www.pacomarquez.space/rsgu/
http://www.kudochhattisgarh.org/pdac/
http://www.a2zglobalimports.com/kmge/
http://www.13201f.com/bqiu/
http://www.grupooceanique.com/ns03/
http://www.ellentscm.info/ob/
http://www.georgiemakeup.com/dz11/
http://www.dpxj888.com/tt15/
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 156
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is FormBook malware?

FormBook stealer is an infostealer‍ trojan available as a malware-as-service. This malware is often used by attackers with low technical literacy and little programming knowledge. FormBook can be used to steal various information from infected machines.

Despite how easy it is to set up and use, the malware has advanced stealing and evasion functions including the ability to pull stored and recorded user input. In addition, the FormBook stealer is capable of searching for, viewing, and interacting with files, and taking screenshots. Even though the stealing capability of this virus can be considered somewhat average, its ease of operation, the injection schema, and a set of effective measures that the malware takes to avoid detection by antivirus software made FormBook a popular virus in the hacker community and, unfortunately, its popularity is only continuing to rise in 2019.

General description of the FormBook stealer

Written in C and x86 assembly language, FormBook is sold as a PHP control panel and can be purchased on highly accessible online forums for merely 30 dollars.

Uniquely, unlike the majority of existing viruses that exploit the latest vulnerabilities or zero-days, FormBook can inject into processes and set up function hooks utilizing already known issues. Hence the claim made by the makers, that the virus will work flawlessly regardless of the Windows version.

Together with its stealer functionality and evasion techniques, the virus knows how to execute instructions from a control server that includes starting new processes, their injection, and rebooting the victim’s PC. What’s more, the virus is able to record Windows’ ntdll.dll module into memory and call it directly, which makes API monitoring and user-mode hooking almost insufficient.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

FormBook malware analysis

A video simulation recorded on the ANY.RUN interactive malware analysis service allows us to take an in-depth look at the behavior of this clever virus and other malware such as Dridex and Lokibot with their elaborate anti-evasion techniques.

formbook execution process graph

Figure 1: Processes created by FormBook during execution as shown by ANY.RUN simulation

  • As shown by the ANY.RUN simulation, firstly the virus established connection to the CnC server;
  • After this, a malicious executable file, in this analysis's case pretending to be a .png is being dropped or overwritten and executed;
  • Then, FormBook proceeds to steal the personal data and change the autorun value in the registry. Also, the virus loads DLL from Mozilla Firefox creates files in the user directory, and starts CMD.EXE to set up persistence and later begin process injection;
  • Finally, injected Firefox.exe is executed for logging keystrokes, stealing clipboard data, and extracting authentication information from browser HTTP sessions.

Distribution of the FormBook stealer

According to FormBook analysis, malware is usually distributed via email campaigns that utilized a wide array of infecting mechanisms and can contain a number of various file attachments. Among the most commonly observed attachments are either PDFs, DOC or EXE, or ZIP, RAR, ACE, and ISO files.

Campaigns in which the virus is distributed through files with PDF extensions are known to utilize shipping-related themes and usually include a download link that points at the malicious code instead of the actual virus. DOC and EXE campaigns utilize macros to install and run the virus. Often, the virus is retrieved as a .PDF file in such a case. Finally, archive campaigns are considered to be the most common attack vector for this virus and usually revolve around a business-related theme, such as a payment order. In the case of this attack vector, attachments either contain a link to the FormBook stealer EXE file or install and run the virus on victims' PCs directly.

In 2020 Formbook has become quite popular as it used Covid-themed emails for decoys with subject headings such as “Government Response to Coronavirus Covid-19”.

FormBook execution process

Sandbox simulation performed on the ANY.RUN interactive malware hunting service allows us to detect and investigate the behavior of FormBook in a lot of detail.

text report of the formbook malware analysis

Figure 2: A text report generated by ANY.RUN

After downloading the malicious file the only thing needed to start the contamination is for the file to be opened. In a case when Microsoft Office file (doc, xls, rtf) is used as an infection source, after it is opened the malware exploits the CVE-2017-11882 vulnerability, thus Microsoft Office Equation Editor proceeds to download a malicious executable file and run it.

After infecting the victim's PC, the virus copies and renames itself into a directory that differs based on the privileges of the user. If an admin account is used, the virus installs itself in either %ProgramFiles% or %CommonProgramFiles%. On the other hand, if the privileges are not elevated, then the virus will copy itself into %TEMP% or %APPDATA.

Also, Formbook trojan changes the autorun value in the registry depending on is it was running with normal or elevated privileges. Next, the malware copies itself into a directory it proceeds to check if it’s being run on a virtual machine or analyzed, evaluating the best anti-evasion option that can be utilized in a particular situation. Meanwhile, the virus will try to evaluate the USERNAME environment variable to find out if it’s launched in simulation, while also checking for the presence of debuggers. It should be noted that the malware uses particularly clever techniques while performing an analysis, for example, all shared strings such as command server names are decoded only briefly if they are absolutely required, which makes FormBook highly elusive. In the next step, the virus uses the same injection method to an active explorer.exe process which is only employed as a non-permanent staging ground.

The virus occasionally performs injections into web browser processes and explorer.exe. After injecting into the process, the virus chooses a random application from a static list. Then, the virus proceeds to run the chosen application in suspended mode and copy itself in the address space of the suspended process, thus mimicking a genuine Microsoft process. Next, the virus exits the original process which leaves FormBook's dead code in explorer.exe as a result. From this stage, new FormBook processes can inject targeted applications like web browser processes, which in the case of this particular ANY.RUN simulation is Firefox.

Depending on the objective process, the virus can establish various function hooks. Being run from inside the context of an already generated process, the virus starts to go through every currently active process, trying to identify targeted programs. As soon as a target is found, FormBook will inject itself into it and install a particular set of API hooks, that are based on the target program. The data is then saved in files in the %APPDATA% directory until it is sent to the C&C server. Pay attention to this function to detect malware.

How to avoid infection by FormBook?

The best counteraction technique is to exhibit caution when receiving emails with attachments from unknown senders. Attackers usually use social engineering to trick victims into downloading and opening infected files.

Deleting any suspicious emails from the inbox is a good way to stay safe. If the infection is already detected, a good practice is to carry out an analysis of all devices connected to the network for established CnC or potentially malicious URL connections. Once a suspicious email is received, perimeter settings can be adjusted to block all related emails in the future. Finally, if an infected file is already downloaded, the host should be quarantined until the threat is completely mitigated.

How to detect Formbook using ANY.RUN?

Formbook trojan usually injects into explorer.exe and another processes from the list, such as firefox.exe and msiexec.exe. Knowing this malware's function you can take a look at the process tree after a while during execution and easily determine either the sample is Formbook or not.

formbook execution process tree Figure 3: A tree of processes created by Formbook during its execution

Conclusion

Thanks to extreme ease of use and low cost, FormBook is gaining traction in the criminal community. Not only is the virus's functionality freely accessible for download on open hacker forums and easy to set up without any programming knowledge, but it also comes equipped with some highly advanced anti-evasion techniques, that make detecting it with anti-virus software ultra-difficult. ANY.RUN interactive malware hunting service enables to study FormBook in detail from a secure environment and implement cybersecurity measures accordingly.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy