SYMBOLCOMMON_NAMEaka. SYNONYMS
win.formbook (Back to overview)

Formbook

Actor(s): SWEED, Cobalt

URLhaus        

FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.

References
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-03-24AviraAvira Protection Labs
@online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } A new technique to analyze FormBook malware infections
Formbook
2020-01-19360kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2019-06-12CyberbitHod Gavriel
@online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2019-12-04} } Formbook Research Hints Large Data Theft Attack Brewing
Formbook
2019-05-02Usual Suspect REJohann Aydinbas
@online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } FormBook - Hiding in plain sight
Formbook
2019-01Virus BulletinGabriela Nicolao
@online{nicolao:201901:inside:a4c68f3, author = {Gabriela Nicolao}, title = {{Inside Formbook infostealer}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/}, language = {English}, urldate = {2019-12-18} } Inside Formbook infostealer
Formbook
2018-12-05BotconfRémi Jullian
@techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } FORMBOOK In-depth malware analysis
Formbook
2018-11-01PeerlystSudhendu
@online{sudhendu:20181101:how:582221a, author = {Sudhendu}, title = {{How to Analyse FormBook - A New Malware-as-a-Service}}, date = {2018-11-01}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent}, language = {English}, urldate = {2019-12-17} } How to Analyse FormBook - A New Malware-as-a-Service
Formbook
2018-10-16PeerlystSudhendu
@online{sudhendu:20181016:how:8aa1eed, author = {Sudhendu}, title = {{How to understand FormBook - A New Malware-as-a-Service}}, date = {2018-10-16}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?}, language = {English}, urldate = {2020-01-09} } How to understand FormBook - A New Malware-as-a-Service
Formbook
2018-06-22InQuestAswanda
@online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } FormBook stealer: Data theft made easy
Formbook
2018-06-20Cisco TalosWarren Mercer, Paul Rascagnères
@online{mercer:20180620:my:9c08115, author = {Warren Mercer and Paul Rascagnères}, title = {{My Little FormBook}}, date = {2018-06-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/my-little-formbook.html}, language = {English}, urldate = {2020-01-06} } My Little FormBook
Formbook
2018-03-29StormshieldRémi Jullian
@online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } In-depth Formbook malware analysis – Obfuscation and process injection
Formbook
2018-01-29Vitali Kremez BlogVitali Kremez
@online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"
Formbook
2017-10-05FireEyeNart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean
@online{villeneuve:20171005:significant:0b91e49, author = {Nart Villeneuve and Randi Eitzman and Sandor Nemes and Tyler Dean}, title = {{Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea}}, date = {2017-10-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html}, language = {English}, urldate = {2019-12-20} } Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
Formbook
2017-09-20NetScoutDennis Schwarz
@online{schwarz:20170920:formidable:654d8e3, author = {Dennis Schwarz}, title = {{The Formidable FormBook Form Grabber}}, date = {2017-09-20}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/}, language = {English}, urldate = {2019-07-09} } The Formidable FormBook Form Grabber
Formbook
2016-06Safety First BlogSL4ID3R
@online{sl4id3r:201606:form:53a7823, author = {SL4ID3R}, title = {{Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world}}, date = {2016-06}, organization = {Safety First Blog}, url = {http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html}, language = {English}, urldate = {2019-11-26} } Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world
Formbook
Yara Rules
[TLP:WHITE] win_formbook_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_formbook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4508 85c0 7422 8b480c 8b09 }
            // n = 5, score = 1500
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   7422                 | je                  0x24
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_1 = { 39480c 750e 394810 7509 394814 0f8441010000 }
            // n = 6, score = 1500
            //   39480c               | cmp                 dword ptr [eax + 0xc], ecx
            //   750e                 | jne                 0x10
            //   394810               | cmp                 dword ptr [eax + 0x10], ecx
            //   7509                 | jne                 0xb
            //   394814               | cmp                 dword ptr [eax + 0x14], ecx
            //   0f8441010000         | je                  0x147

        $sequence_2 = { 55 8bec 8b4508 8b4810 56 6a30 }
            // n = 6, score = 1500
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   56                   | push                esi
            //   6a30                 | push                0x30

        $sequence_3 = { 8bec 8b4d08 85c9 7463 }
            // n = 4, score = 1500
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   85c9                 | test                ecx, ecx
            //   7463                 | je                  0x65

        $sequence_4 = { 50 8d4e0c 51 52 53 e8???????? 83c418 }
            // n = 7, score = 1500
            //   50                   | push                eax
            //   8d4e0c               | lea                 ecx, [esi + 0xc]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_5 = { 7573 53 8b5d08 56 33f6 83c703 }
            // n = 6, score = 1500
            //   7573                 | jne                 0x75
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   83c703               | add                 edi, 3

        $sequence_6 = { e8???????? 83c418 85c0 78e2 }
            // n = 4, score = 1500
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   78e2                 | js                  0xffffffe4

        $sequence_7 = { 75ee 8902 41 83c204 4f 75d5 5f }
            // n = 7, score = 1500
            //   75ee                 | jne                 0xfffffff0
            //   8902                 | mov                 dword ptr [edx], eax
            //   41                   | inc                 ecx
            //   83c204               | add                 edx, 4
            //   4f                   | dec                 edi
            //   75d5                 | jne                 0xffffffd7
            //   5f                   | pop                 edi

        $sequence_8 = { 3c74 75f4 8d45e4 6a14 }
            // n = 4, score = 1500
            //   3c74                 | cmp                 al, 0x74
            //   75f4                 | jne                 0xfffffff6
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   6a14                 | push                0x14

        $sequence_9 = { 750c 894df8 c745fc00000080 eb11 }
            // n = 4, score = 1500
            //   750c                 | jne                 0xe
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   c745fc00000080       | mov                 dword ptr [ebp - 4], 0x80000000
            //   eb11                 | jmp                 0x13

    condition:
        7 of them and filesize < 532480
}
Download all Yara Rules