SYMBOLCOMMON_NAMEaka. SYNONYMS
win.formbook (Back to overview)

Formbook

aka: win.xloader

Actor(s): SWEED, Cobalt

URLhaus        

FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.

References
2023-07-06kienmanowar BlogTran Trung Kien, m4n0w4r
@online{kien:20230706:quicknote:20dc1f1, author = {Tran Trung Kien and m4n0w4r}, title = {{[QuickNote] Examining Formbook Campaign via Phishing Emails}}, date = {2023-07-06}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/}, language = {English}, urldate = {2023-07-13} } [QuickNote] Examining Formbook Campaign via Phishing Emails
Formbook
2023-06-30Github (itaymigdal)Itay Migdal
@online{migdal:20230630:formbook:9f7bd1b, author = {Itay Migdal}, title = {{Formbook unpacking}}, date = {2023-06-30}, organization = {Github (itaymigdal)}, url = {https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md}, language = {English}, urldate = {2023-07-05} } Formbook unpacking
Formbook
2023-06-05Malware Traffic AnalysisBrad Duncan
@online{duncan:20230605:30:f0b7756, author = {Brad Duncan}, title = {{30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05}}, date = {2023-06-05}, organization = {Malware Traffic Analysis}, url = {https://www.malware-traffic-analysis.net/2023/06/05/index.html}, language = {English}, urldate = {2023-06-06} } 30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05
Formbook
2023-04-10Check PointCheck Point
@online{point:20230410:march:144c1ad, author = {Check Point}, title = {{March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files}}, date = {2023-04-10}, organization = {Check Point}, url = {https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/}, language = {English}, urldate = {2023-04-12} } March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee
2023-03-30loginsoftSaharsh Agrawal
@online{agrawal:20230330:from:7b46ae0, author = {Saharsh Agrawal}, title = {{From Innocence to Malice: The OneNote Malware Campaign Uncovered}}, date = {2023-03-30}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/}, language = {English}, urldate = {2023-04-14} } From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-30ZscalerJavier Vicente, Brett Stone-Gross, Nikolaos Pantazopoulos
@online{vicente:20230330:technical:99c71e1, author = {Javier Vicente and Brett Stone-Gross and Nikolaos Pantazopoulos}, title = {{Technical Analysis of Xloader’s Code Obfuscation in Version 4.3}}, date = {2023-03-30}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43}, language = {English}, urldate = {2023-09-07} } Technical Analysis of Xloader’s Code Obfuscation in Version 4.3
Formbook
2023-03-16Trend MicroCedric Pernet, Jaromír Hořejší, Loseway Lu
@online{pernet:20230316:ipfs:6f479ce, author = {Cedric Pernet and Jaromír Hořejší and Loseway Lu}, title = {{IPFS: A New Data Frontier or a New Cybercriminal Hideout?}}, date = {2023-03-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout}, language = {English}, urldate = {2023-03-20} } IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Agent Tesla Formbook RedLine Stealer Remcos
2023-02-28ANY.RUNANY.RUN
@online{anyrun:20230228:xloaderformbook:bdcb64a, author = {ANY.RUN}, title = {{XLoader/FormBook: Encryption Analysis and Malware Decryption}}, date = {2023-02-28}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/}, language = {English}, urldate = {2023-09-07} } XLoader/FormBook: Encryption Analysis and Malware Decryption
Formbook
2023-01-30CheckpointArie Olshtein
@online{olshtein:20230130:following:e442fcc, author = {Arie Olshtein}, title = {{Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware}}, date = {2023-01-30}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/}, language = {English}, urldate = {2023-01-31} } Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2023-01-24TrellixDaksh Kapur, Tomer Shloman, Robert Venal, John Fokker
@online{kapur:20230124:cyberattacks:0a05372, author = {Daksh Kapur and Tomer Shloman and Robert Venal and John Fokker}, title = {{Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity}}, date = {2023-01-24}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html}, language = {English}, urldate = {2023-01-25} } Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
Andromeda Formbook Houdini Remcos
2022-12-08TrustwaveRodel Mendrez, Phil Hay, Diana Lopera
@online{mendrez:20221208:trojanized:bd135b7, author = {Rodel Mendrez and Phil Hay and Diana Lopera}, title = {{Trojanized OneNote Document Leads to Formbook Malware}}, date = {2022-12-08}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/}, language = {English}, urldate = {2022-12-19} } Trojanized OneNote Document Leads to Formbook Malware
Formbook
2022-11-21MalwarebytesMalwarebytes
@techreport{malwarebytes:20221121:20221121:f4c6d35, author = {Malwarebytes}, title = {{2022-11-21 Threat Intel Report}}, date = {2022-11-21}, institution = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf}, language = {English}, urldate = {2022-11-25} } 2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos
2022-10-05FortinetXiaopeng Zhang
@online{zhang:20221005:excel:ac2668c, author = {Xiaopeng Zhang}, title = {{Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II}}, date = {2022-10-05}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two}, language = {English}, urldate = {2022-11-15} } Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II
Formbook RedLine Stealer
2022-09-19FortinetXiaopeng Zhang
@online{zhang:20220919:excel:0e222e2, author = {Xiaopeng Zhang}, title = {{Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I}}, date = {2022-09-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882}, language = {English}, urldate = {2022-11-15} } Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I
Formbook RedLine Stealer
2022-08-29360 netlabwanghao
@online{wanghao:20220829:purecrypter:4d81329, author = {wanghao}, title = {{PureCrypter Loader continues to be active and has spread to more than 10 other families}}, date = {2022-08-29}, organization = {360 netlab}, url = {https://blog.netlab.360.com/purecrypter}, language = {Chinese}, urldate = {2022-09-06} } PureCrypter Loader continues to be active and has spread to more than 10 other families
404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer
2022-08-04ConnectWiseStu Gonzalez
@online{gonzalez:20220804:formbook:f3addb8, author = {Stu Gonzalez}, title = {{Formbook and Remcos Backdoor RAT by ConnectWise CRU}}, date = {2022-08-04}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/formbook-remcos-rat}, language = {English}, urldate = {2022-08-08} } Formbook and Remcos Backdoor RAT by ConnectWise CRU
Formbook Remcos
2022-07-25Cert-UACert-UA
@online{certua:20220725:mass:92104f0, author = {Cert-UA}, title = {{Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)}}, date = {2022-07-25}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/955924}, language = {Ukrainian}, urldate = {2022-07-28} } Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)
404 Keylogger Formbook RelicRace
2022-07-12CyrenKervin Alintanahin
@online{alintanahin:20220712:example:ae62e81, author = {Kervin Alintanahin}, title = {{Example Analysis of Multi-Component Malware}}, date = {2022-07-12}, organization = {Cyren}, url = {https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware}, language = {English}, urldate = {2022-07-18} } Example Analysis of Multi-Component Malware
Emotet Formbook
2022-07-01cybleCyble
@online{cyble:20220701:xloader:dd3b118, author = {Cyble}, title = {{Xloader Returns With New Infection Technique}}, date = {2022-07-01}, organization = {cyble}, url = {https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/}, language = {English}, urldate = {2022-07-01} } Xloader Returns With New Infection Technique
Formbook
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-03-11NetskopeGustavo Palazolo
@online{palazolo:20220311:new:68467fb, author = {Gustavo Palazolo}, title = {{New Formbook Campaign Delivered Through Phishing Emails}}, date = {2022-03-11}, organization = {Netskope}, url = {https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails}, language = {English}, urldate = {2022-03-14} } New Formbook Campaign Delivered Through Phishing Emails
Formbook
2022-03-07LAC WATCHCyber ​​Emergency Center
@online{center:20220307:i:aadcf34, author = {Cyber ​​Emergency Center}, title = {{I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS}}, date = {2022-03-07}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/report/20220307_002893.html}, language = {Japanese}, urldate = {2022-04-05} } I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS
Xloader Agent Tesla Formbook Loki Password Stealer (PWS)
2022-02-28AhnLabASEC Analysis Team
@online{team:20220228:change:c9b5e5c, author = {ASEC Analysis Team}, title = {{Change in Distribution Method of Malware Disguised as Estimate (VBS Script)}}, date = {2022-02-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32149/}, language = {English}, urldate = {2022-03-02} } Change in Distribution Method of Malware Disguised as Estimate (VBS Script)
Formbook
2022-02-11forensicitguyTony Lambert
@online{lambert:20220211:xloaderformbook:1f69d72, author = {Tony Lambert}, title = {{XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets}}, date = {2022-02-11}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/}, language = {English}, urldate = {2022-02-14} } XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
Formbook
2022-01-21ZscalerJavier Vicente, Brett Stone-Gross
@online{vicente:20220121:analysis:419182f, author = {Javier Vicente and Brett Stone-Gross}, title = {{Analysis of Xloader’s C2 Network Encryption}}, date = {2022-01-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption}, language = {English}, urldate = {2022-01-25} } Analysis of Xloader’s C2 Network Encryption
Xloader Formbook
2022-01-18ElasticDerek Ditch, Daniel Stepanic, Andrew Pease, Seth Goodwin
@online{ditch:20220118:formbook:3f03c56, author = {Derek Ditch and Daniel Stepanic and Andrew Pease and Seth Goodwin}, title = {{FORMBOOK Adopts CAB-less Approach}}, date = {2022-01-18}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/}, language = {English}, urldate = {2022-01-25} } FORMBOOK Adopts CAB-less Approach
Formbook
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-11-16YoroiLuigi Martire, Carmelo Ragusa, Luca Mella
@online{martire:20211116:office:2dba65a, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Office Documents: May the XLL technique change the threat Landscape in 2022?}}, date = {2021-11-16}, organization = {Yoroi}, url = {https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/}, language = {English}, urldate = {2021-11-17} } Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook
2021-09-30BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210930:threat:d31cc55, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: xLoader Infostealer}}, date = {2021-09-30}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer}, language = {English}, urldate = {2021-10-11} } Threat Thursday: xLoader Infostealer
Xloader Formbook
2021-09-29Trend MicroAliakbar Zahravi, William Gamazo Sanchez, Kamlapati Choubey, Peter Girnus
@online{zahravi:20210929:formbook:54b9f08, author = {Aliakbar Zahravi and William Gamazo Sanchez and Kamlapati Choubey and Peter Girnus}, title = {{FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html}, language = {English}, urldate = {2021-10-05} } FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
Formbook
2021-07-21Quick HealRumana Siddiqui
@online{siddiqui:20210721:formbook:e6e3f64, author = {Rumana Siddiqui}, title = {{FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data}}, date = {2021-07-21}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/}, language = {English}, urldate = {2021-07-26} } FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data
Formbook
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-04-22FortinetXiaopeng Zhang
@online{zhang:20210422:deep:44cd560, author = {Xiaopeng Zhang}, title = {{Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II}}, date = {2021-04-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii}, language = {English}, urldate = {2021-04-28} } Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II
Formbook
2021-04-12FortinetXiaopeng Zhang
@online{zhang:20210412:deep:dc35f85, author = {Xiaopeng Zhang}, title = {{Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I}}, date = {2021-04-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I}, language = {English}, urldate = {2021-04-14} } Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I
Formbook
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-11YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)Jiří Vinopal
@online{vinopal:20210311:formbook:31931b9, author = {Jiří Vinopal}, title = {{Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]}}, date = {2021-03-11}, organization = {YouTube ( Malware_Analyzing_&_RE_Tips_Tricks)}, url = {https://youtu.be/aQwnHIlGSBM}, language = {English}, urldate = {2021-03-12} } Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]
Formbook
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-11-19SANS ISC InfoSec ForumsXavier Mertens
@online{mertens:20201119:powershell:72b44bf, author = {Xavier Mertens}, title = {{PowerShell Dropper Delivering Formbook}}, date = {2020-11-19}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/diary/26806}, language = {English}, urldate = {2020-11-19} } PowerShell Dropper Delivering Formbook
Formbook
2020-11-05tccontre Blogtcontre
@online{tcontre:20201105:interesting:17c82b2, author = {tcontre}, title = {{Interesting FormBook Crypter - unconventional way to store encrypted data}}, date = {2020-11-05}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html}, language = {English}, urldate = {2020-11-06} } Interesting FormBook Crypter - unconventional way to store encrypted data
Formbook
2020-10-16HornetsecurityHornetsecurity Security Lab
@online{lab:20201016:vba:577dd47, author = {Hornetsecurity Security Lab}, title = {{VBA Purging Malspam Campaigns}}, date = {2020-10-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/}, language = {English}, urldate = {2020-12-08} } VBA Purging Malspam Campaigns
Agent Tesla Formbook
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22S2W LAB Inc.S2W LAB INTELLIGENCE TEAM
@online{team:20200722:formbook:6297801, author = {S2W LAB INTELLIGENCE TEAM}, title = {{'FormBook Tracker' unveiled on the Dark Web}}, date = {2020-07-22}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view}, language = {English}, urldate = {2020-08-14} } 'FormBook Tracker' unveiled on the Dark Web
Formbook
2020-05-31Malwarebyteshasherezade
@online{hasherezade:20200531:revisiting:cb8df95, author = {hasherezade}, title = {{Revisiting the NSIS-based crypter}}, date = {2020-05-31}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/}, language = {English}, urldate = {2021-06-09} } Revisiting the NSIS-based crypter
Formbook
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-24AviraAvira Protection Labs
@online{labs:20200324:new:88d7b1d, author = {Avira Protection Labs}, title = {{A new technique to analyze FormBook malware infections}}, date = {2020-03-24}, organization = {Avira}, url = {https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/}, language = {English}, urldate = {2020-04-01} } A new technique to analyze FormBook malware infections
Formbook
2020-01-19360kate
@online{kate:20200119:bayworld:2cc2212, author = {kate}, title = {{BayWorld event, Cyber Attack Against Foreign Trade Industry}}, date = {2020-01-19}, organization = {360}, url = {https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/}, language = {English}, urldate = {2020-02-03} } BayWorld event, Cyber Attack Against Foreign Trade Industry
Azorult Formbook Nanocore RAT Revenge RAT
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-07-15Cisco TalosEdmund Brumaghin
@online{brumaghin:20190715:sweed:9725699, author = {Edmund Brumaghin}, title = {{SWEED: Exposing years of Agent Tesla campaigns}}, date = {2019-07-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html}, language = {English}, urldate = {2020-01-08} } SWEED: Exposing years of Agent Tesla campaigns
Agent Tesla Formbook Loki Password Stealer (PWS) SWEED
2019-06-12CyberbitHod Gavriel
@online{gavriel:20190612:formbook:8dc2df9, author = {Hod Gavriel}, title = {{Formbook Research Hints Large Data Theft Attack Brewing}}, date = {2019-06-12}, organization = {Cyberbit}, url = {https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/}, language = {English}, urldate = {2020-08-21} } Formbook Research Hints Large Data Theft Attack Brewing
Formbook
2019-05-02Usual Suspect REJohann Aydinbas
@online{aydinbas:20190502:formbook:d1ef715, author = {Johann Aydinbas}, title = {{FormBook - Hiding in plain sight}}, date = {2019-05-02}, organization = {Usual Suspect RE}, url = {https://usualsuspect.re/article/formbook-hiding-in-plain-sight}, language = {English}, urldate = {2020-01-13} } FormBook - Hiding in plain sight
Formbook
2019-01Virus BulletinGabriela Nicolao
@online{nicolao:201901:inside:a4c68f3, author = {Gabriela Nicolao}, title = {{Inside Formbook infostealer}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/}, language = {English}, urldate = {2019-12-18} } Inside Formbook infostealer
Formbook
2018-12-05BotconfRémi Jullian
@techreport{jullian:20181205:formbook:40cf2ad, author = {Rémi Jullian}, title = {{FORMBOOK In-depth malware analysis}}, date = {2018-12-05}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf}, language = {English}, urldate = {2019-12-17} } FORMBOOK In-depth malware analysis
Formbook
2018-11-01PeerlystSudhendu
@online{sudhendu:20181101:how:582221a, author = {Sudhendu}, title = {{How to Analyse FormBook - A New Malware-as-a-Service}}, date = {2018-11-01}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent}, language = {English}, urldate = {2019-12-17} } How to Analyse FormBook - A New Malware-as-a-Service
Formbook
2018-10-16PeerlystSudhendu
@online{sudhendu:20181016:how:8aa1eed, author = {Sudhendu}, title = {{How to understand FormBook - A New Malware-as-a-Service}}, date = {2018-10-16}, organization = {Peerlyst}, url = {https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?}, language = {English}, urldate = {2020-01-09} } How to understand FormBook - A New Malware-as-a-Service
Formbook
2018-06-22InQuestAswanda
@online{aswanda:20180622:formbook:ce3c98b, author = {Aswanda}, title = {{FormBook stealer: Data theft made easy}}, date = {2018-06-22}, organization = {InQuest}, url = {http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/}, language = {English}, urldate = {2020-01-09} } FormBook stealer: Data theft made easy
Formbook
2018-06-20Cisco TalosWarren Mercer, Paul Rascagnères
@online{mercer:20180620:my:9c08115, author = {Warren Mercer and Paul Rascagnères}, title = {{My Little FormBook}}, date = {2018-06-20}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/06/my-little-formbook.html}, language = {English}, urldate = {2020-01-06} } My Little FormBook
Formbook
2018-03-29StormshieldRémi Jullian
@online{jullian:20180329:indepth:badef63, author = {Rémi Jullian}, title = {{In-depth Formbook malware analysis – Obfuscation and process injection}}, date = {2018-03-29}, organization = {Stormshield}, url = {https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/}, language = {English}, urldate = {2020-01-10} } In-depth Formbook malware analysis – Obfuscation and process injection
Formbook
2018-01-29Vitali Kremez BlogVitali Kremez
@online{kremez:20180129:lets:450880d, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"}}, date = {2018-01-29}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html}, language = {English}, urldate = {2020-01-10} } Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"
Formbook
2017-10-05FireEyeNart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean
@online{villeneuve:20171005:significant:0b91e49, author = {Nart Villeneuve and Randi Eitzman and Sandor Nemes and Tyler Dean}, title = {{Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea}}, date = {2017-10-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html}, language = {English}, urldate = {2019-12-20} } Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
Formbook
2017-09-20NetScoutDennis Schwarz
@online{schwarz:20170920:formidable:654d8e3, author = {Dennis Schwarz}, title = {{The Formidable FormBook Form Grabber}}, date = {2017-09-20}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/}, language = {English}, urldate = {2019-07-09} } The Formidable FormBook Form Grabber
Formbook
2016-06Safety First BlogSL4ID3R
@online{sl4id3r:201606:form:53a7823, author = {SL4ID3R}, title = {{Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world}}, date = {2016-06}, organization = {Safety First Blog}, url = {http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html}, language = {English}, urldate = {2019-11-26} } Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world
Formbook
Yara Rules
[TLP:WHITE] win_formbook_auto (20230715 | Detects win.formbook.)
rule win_formbook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.formbook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5e 8be5 5d c3 3c69 7544 8b7d18 }
            // n = 7, score = 2200
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   3c69                 | cmp                 al, 0x69
            //   7544                 | jne                 0x46
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]

        $sequence_1 = { 52 50 bb01000000 e8???????? 83c40c 8b8ef4020000 51 }
            // n = 7, score = 2200
            //   52                   | push                edx
            //   50                   | push                eax
            //   bb01000000           | mov                 ebx, 1
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b8ef4020000         | mov                 ecx, dword ptr [esi + 0x2f4]
            //   51                   | push                ecx

        $sequence_2 = { b801000000 5d c3 55 8bec 81ec08020000 56 }
            // n = 7, score = 2200
            //   b801000000           | mov                 eax, 1
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec08020000         | sub                 esp, 0x208
            //   56                   | push                esi

        $sequence_3 = { 8b550c 8b420c eb0b 83f864 750f 8b550c 8b421c }
            // n = 7, score = 2200
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   eb0b                 | jmp                 0xd
            //   83f864               | cmp                 eax, 0x64
            //   750f                 | jne                 0x11
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]

        $sequence_4 = { 52 50 e8???????? ff07 83c40c 830602 5f }
            // n = 7, score = 2200
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff07                 | inc                 dword ptr [edi]
            //   83c40c               | add                 esp, 0xc
            //   830602               | add                 dword ptr [esi], 2
            //   5f                   | pop                 edi

        $sequence_5 = { 56 e8???????? 83c438 85c0 7506 5e 5b }
            // n = 7, score = 2200
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c438               | add                 esp, 0x38
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_6 = { 8a0439 03cf 8845f4 8d50c0 80fa1f 7718 6a01 }
            // n = 7, score = 2200
            //   8a0439               | mov                 al, byte ptr [ecx + edi]
            //   03cf                 | add                 ecx, edi
            //   8845f4               | mov                 byte ptr [ebp - 0xc], al
            //   8d50c0               | lea                 edx, [eax - 0x40]
            //   80fa1f               | cmp                 dl, 0x1f
            //   7718                 | ja                  0x1a
            //   6a01                 | push                1

        $sequence_7 = { 50 e8???????? 6a14 8d4d98 51 56 33db }
            // n = 7, score = 2200
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a14                 | push                0x14
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx

        $sequence_8 = { e8???????? 83c408 33f6 8945f0 85ff }
            // n = 5, score = 2200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33f6                 | xor                 esi, esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85ff                 | test                edi, edi

        $sequence_9 = { 55 8bec 8b5508 668b4510 8b4d0c 66894202 33c0 }
            // n = 7, score = 2200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   668b4510             | mov                 ax, word ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   66894202             | mov                 word ptr [edx + 2], ax
            //   33c0                 | xor                 eax, eax

    condition:
        7 of them and filesize < 371712
}
[TLP:WHITE] win_formbook_w0   (20230118 | No description)
rule win_formbook_w0 {
    meta:
        author = "@malgamy12"
        date = "2022-11-8"
	    license = "DRL 1.1"
        sample1 = "9fc57307d1cce6f6d8946a7dae41447b"
        sample2 = "0f4a7fa6e654b48c0334b8b88410eaed"
        sample3 = "0a25d588340300461738a677d0b53cd2"
        sample4 = "57d7bd215e4c4d03d73addec72936334"
        sample5 = "c943e31f7927683dc1b628f0972e801b"
        sample6 = "db87f238bb4e972ef8c0b94779798fa9"
        sample7 = "8ba1449ee35200556ecd88f23a35863a"
        sample8 = "8ca20642318337816d5db9666e004172"
        sample9 = "280f7c87c98346102980c514d2dd25c8"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = { 8B 45 ?? BA ?? [3] 8B CF D3 E2 84 14 03 74 ?? 8B 4D ?? 31 0E 8B 55 ?? 31 56 ?? 8B 4D ?? 8B 55 ?? 31 4E ?? 31 56 ?? }
			
        $a2 = { 0F B6 3A 8B C8 C1 E9 ?? 33 CF 81 E1 [4] C1 E0 ?? 33 84 8D [4] 42 4E }
        
        $a3 = { 1A D2 80 E2 ?? 80 C2 ?? EB ?? 80 FA ?? 75 ?? 8A D0 80 E2 ?? }

        $a4 = { 80 E2 ?? F6 DA 1A D2 80 E2 ?? 80 C2 ?? }

    condition:
         3 of them
}
Download all Yara Rules