win.formbook

Formbook

Actor(s): SWEED, Cobalt


FormBook is an information stealer / form grabber (see the references below). It is delivered with a distinctive RunPE crypter whose behavioral patterns lend themselves to detection; that crypter was initially dubbed "Babushka Crypter" by Insidemalware.

References
2020-01-19 | 360 | kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15 | Cisco Talos | Edmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2019-06-12 | Cyberbit | Hod Gavriel
@online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2019-12-04} } Formbook Research Hints Large Data Theft Attack Brewing
Formbook
2019-05-02 | Usual Suspect RE | Johann Aydinbas
@online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } FormBook - Hiding in plain sight
Formbook
2019-01 | Virus Bulletin | Gabriela Nicolao
@online{nicolao:201901:inside:a4c68f3, author = {Gabriela Nicolao}, title = {{Inside Formbook infostealer}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/}, language = {English}, urldate = {2019-12-18} } Inside Formbook infostealer
Formbook
2018-12-05 | Botconf | Rémi Jullian
@techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } FORMBOOK In-depth malware analysis
Formbook
2018-11-01 | Peerlyst | Sudhendu
@online{sudhendu:20181101:how:582221a, author = {Sudhendu}, title = {{How to Analyse FormBook - A New Malware-as-a-Service}}, date = {2018-11-01}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent}, language = {English}, urldate = {2019-12-17} } How to Analyse FormBook - A New Malware-as-a-Service
Formbook
2018-10-16 | Peerlyst | Sudhendu
@online{sudhendu:20181016:how:8aa1eed, author = {Sudhendu}, title = {{How to understand FormBook - A New Malware-as-a-Service}}, date = {2018-10-16}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?}, language = {English}, urldate = {2020-01-09} } How to understand FormBook - A New Malware-as-a-Service
Formbook
2018-06-22 | InQuest | Aswanda
@online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } FormBook stealer: Data theft made easy
Formbook
2018-06-20 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20180620:my:9c08115, author = {Warren Mercer and Paul Rascagnères}, title = {{My Little FormBook}}, date = {2018-06-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/my-little-formbook.html}, language = {English}, urldate = {2020-01-06} } My Little FormBook
Formbook
2018-03-29 | Stormshield | Rémi Jullian
@online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } In-depth Formbook malware analysis – Obfuscation and process injection
Formbook
2018-01-29 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"
Formbook
2017-10-05 | FireEye | Nart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean
@online{villeneuve:20171005:significant:0b91e49, author = {Nart Villeneuve and Randi Eitzman and Sandor Nemes and Tyler Dean}, title = {{Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea}}, date = {2017-10-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html}, language = {English}, urldate = {2019-12-20} } Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
Formbook
2017-09-20 | NetScout | Dennis Schwarz
@online{schwarz:20170920:formidable:654d8e3, author = {Dennis Schwarz}, title = {{The Formidable FormBook Form Grabber}}, date = {2017-09-20}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/}, language = {English}, urldate = {2019-07-09} } The Formidable FormBook Form Grabber
Formbook
2016-06 | Safety First Blog | SL4ID3R
@online{sl4id3r:201606:form:53a7823, author = {SL4ID3R}, title = {{Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world}}, date = {2016-06}, organization = {Safety First Blog}, url = {http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html}, language = {English}, urldate = {2019-11-26} } Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world
Formbook
Yara Rules
[TLP:WHITE] win_formbook_auto (20190204 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence rule for the FormBook infostealer (Malpedia: win.formbook).
// Each $sequence_N is a short run of x86 instruction bytes lifted from an UNPACKED
// sample or memory dump; "e8????????" wildcards the rel32 operand of a call so the
// pattern survives relocation. The rule therefore targets the unpacked payload in
// memory (or a manually unpacked file) and is not expected to match the crypted
// sample as it arrives on disk.
rule win_formbook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // In the per-sequence annotations below, "n" is the number of instructions in the
        // sequence; "score" is presumably yara-signator's selection score for it (all ten
        // carry the same value here, so it gives no per-string weighting).

        // Call returning a status in eax (16 bytes of args cleaned up), branch on it, then a
        // stack buffer pointer and the constant 0xa are pushed for the next call.
        // Which APIs these are cannot be determined from the bytes alone.
        $sequence_0 = { e8???????? 83c410 85c0 7523 8d8de4fdffff 51 6a0a }
            // n = 7, score = 900
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25
            //   8d8de4fdffff         | lea                 ecx, [ebp - 0x21c]
            //   51                   | push                ecx
            //   6a0a                 | push                0xa

        // Two consecutive calls with (edi, 3) and (edi, 4) whose results are stored at
        // [esi+4] and [esi+8] — looks like filling consecutive fields of a structure.
        $sequence_1 = { 6a03 57 894604 e8???????? 6a04 57 894608 }
            // n = 7, score = 900
            //   6a03                 | push                3
            //   57                   | push                edi
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   e8????????           |                     
            //   6a04                 | push                4
            //   57                   | push                edi
            //   894608               | mov                 dword ptr [esi + 8], eax

        // Standard function prologue that loads arg0 and then [arg0+0x10], followed by
        // push 0x10. NOTE(review): prologue-shaped sequences like this are the least
        // specific of the set and are the most likely to appear in unrelated code.
        $sequence_2 = { 55 8bec 8b4508 8b4810 56 6a10 }
            // n = 6, score = 900
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   56                   | push                esi
            //   6a10                 | push                0x10

        // Advances esi/edi by 5 and compares cl against 0xe8 and 0xe9 — the x86 opcode
        // bytes for call rel32 and jmp rel32. This is consistent with code that walks
        // and rewrites instruction bytes (e.g. the obfuscation / injection machinery
        // described in the Stormshield and Botconf write-ups); confirm against a sample.
        $sequence_3 = { 83c605 83c705 e9???????? 80f9e8 0f849d000000 80f9e9 0f84e9000000 }
            // n = 7, score = 900
            //   83c605               | add                 esi, 5
            //   83c705               | add                 edi, 5
            //   e9????????           |                     
            //   80f9e8               | cmp                 cl, 0xe8
            //   0f849d000000         | je                  0xa3
            //   80f9e9               | cmp                 cl, 0xe9
            //   0f84e9000000         | je                  0xef

        // Same opcode-walking flavour as $sequence_3: three pointers advanced by 0xa
        // inside a loop (jmp backwards) and cl compared against 0x83.
        $sequence_4 = { e8???????? 83c40c 83c30a 83c60a 83c70a ebcf 80f983 }
            // n = 7, score = 900
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   83c30a               | add                 ebx, 0xa
            //   83c60a               | add                 esi, 0xa
            //   83c70a               | add                 edi, 0xa
            //   ebcf                 | jmp                 0xffffffd1
            //   80f983               | cmp                 cl, 0x83

        // Passes a stack buffer and the constant 0x104 (260 == MAX_PATH) to a call and
        // tests the result — presumably a path-retrieving API; verify against a sample.
        $sequence_5 = { 8d85ecfdffff 6804010000 52 8945fc e8???????? 83c40c 85c0 }
            // n = 7, score = 900
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   6804010000           | push                0x104
            //   52                   | push                edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        // Stores ecx at [eax+0x14], then compares ecx against esi and the fields at
        // [eax+4] / [eax+8] with early-out jne's — a field-by-field comparison.
        $sequence_6 = { 894814 3bf1 751d 394804 7518 394808 7513 }
            // n = 7, score = 900
            //   894814               | mov                 dword ptr [eax + 0x14], ecx
            //   3bf1                 | cmp                 esi, ecx
            //   751d                 | jne                 0x1f
            //   394804               | cmp                 dword ptr [eax + 4], ecx
            //   7518                 | jne                 0x1a
            //   394808               | cmp                 dword ptr [eax + 8], ecx
            //   7513                 | jne                 0x15

        // Copies 16-bit elements from [esi + eax*2] to [ecx] with eax incremented —
        // the shape of a wide-character (UTF-16) string copy loop. The
        // "lea esp, [esp]" is a no-op used by the compiler for loop alignment.
        $sequence_7 = { 741b 8d0c79 53 8d642400 668b1c46 668919 40 }
            // n = 7, score = 900
            //   741b                 | je                  0x1d
            //   8d0c79               | lea                 ecx, [ecx + edi*2]
            //   53                   | push                ebx
            //   8d642400             | lea                 esp, [esp]
            //   668b1c46             | mov                 bx, word ptr [esi + eax*2]
            //   668919               | mov                 word ptr [ecx], bx
            //   40                   | inc                 eax

        // Call with 0x2c bytes of arguments whose result is sign-tested (jns) rather than
        // zero-tested — i.e. a negative return is the failure path.
        $sequence_8 = { e8???????? 83c42c 85c0 7923 8b4dfc 8b13 51 }
            // n = 7, score = 900
            //   e8????????           |                     
            //   83c42c               | add                 esp, 0x2c
            //   85c0                 | test                eax, eax
            //   7923                 | jns                 0x25
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   51                   | push                ecx

        // Zeroes a 16-bit slot at [ebp - 0x460] immediately below a buffer at
        // [ebp - 0x45e] and clears two locals — looks like initialising a local
        // wide-string buffer before a call; cannot be confirmed from here.
        $sequence_9 = { 8d8da2fbffff 33c0 56 51 8975ec 8975e8 668985a0fbffff }
            // n = 7, score = 900
            //   8d8da2fbffff         | lea                 ecx, [ebp - 0x45e]
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi
            //   51                   | push                ecx
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   668985a0fbffff       | mov                 word ptr [ebp - 0x460], ax

    condition:
        // Match when at least 7 of the 10 sequences are present. There is deliberately
        // no PE-header (uint16(0) == 0x5A4D) or filesize guard, because the strings were
        // taken from memory dumps and the rule is meant to run against process memory
        // and unpacked payloads, which need not start with an MZ header. Consequences
        // for deployment: (1) the rule will generally not fire on the crypted sample on
        // disk — pair it with a crypter/loader signature or scan post-unpacking;
        // (2) with no size bound it scans arbitrarily large inputs, so add a filesize
        // limit in a deployment copy if scan time matters; (3) per the disclaimer above
        // the sequences come from a single documented sample, so treat a hit as a
        // medium-confidence family attribution to be confirmed by analysis.
        7 of them
}