win.formbook

Formbook

aka: win.xloader

Actor(s): SWEED, Cobalt

FormBook is a form-grabbing information stealer that has been advertised as malware-as-a-service since 2016; its later versions are tracked as XLoader (hence the alias above). It ships with a custom RunPE crypter whose behavioural patterns are distinctive enough to be detected on their own; Insidemalware initially named it the "Babushka Crypter".

References
2024-02-28 | Security Intelligence | Golo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
Tags: 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos

2023-07-06 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
[QuickNote] Examining Formbook Campaign via Phishing Emails
Tags: Formbook

2023-06-30 | Github (itaymigdal) | Itay Migdal
Formbook unpacking
Tags: Formbook

2023-06-05 | Malware Traffic Analysis | Brad Duncan
30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05
Tags: Formbook

2023-04-10 | Check Point | Check Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Tags: Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee

2023-03-30 | Zscaler | Brett Stone-Gross, Javier Vicente, Nikolaos Pantazopoulos
Technical Analysis of Xloader’s Code Obfuscation in Version 4.3
Tags: Formbook

2023-03-30 | loginsoft | Saharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Tags: Agent Tesla, AsyncRAT, DOUBLEBACK, Emotet, Formbook, IcedID, NetWire RC, QakBot, Quasar RAT, RedLine Stealer, XWorm

2023-03-16 | Trend Micro | Cedric Pernet, Jaromír Hořejší, Loseway Lu
IPFS: A New Data Frontier or a New Cybercriminal Hideout?
Tags: Agent Tesla, Formbook, RedLine Stealer, Remcos

2023-02-28 | ANY.RUN | ANY.RUN
XLoader/FormBook: Encryption Analysis and Malware Decryption
Tags: Formbook

2023-01-30 | Checkpoint | Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Tags: Agent Tesla, Azorult, Buer, Cerber, Cobalt Strike, Emotet, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Maze, NetWire RC, Remcos, REvil, TrickBot

2023-01-24 | Trellix | Daksh Kapur, John Fokker, Robert Venal, Tomer Shloman
Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
Tags: Andromeda, Formbook, Houdini, Remcos

2022-12-08 | Trustwave | Diana Lopera, Phil Hay, Rodel Mendrez
Trojanized OneNote Document Leads to Formbook Malware
Tags: Formbook

2022-11-21 | Malwarebytes | Malwarebytes
2022-11-21 Threat Intel Report
Tags: 404 Keylogger, Agent Tesla, Formbook, Hive, Remcos

2022-10-05 | Fortinet | Xiaopeng Zhang
Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II
Tags: Formbook, RedLine Stealer

2022-09-19 | Fortinet | Xiaopeng Zhang
Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I
Tags: Formbook, RedLine Stealer

2022-08-29 | 360 netlab | wanghao
PureCrypter Loader continues to be active and has spread to more than 10 other families
Tags: 404 Keylogger, Agent Tesla, AsyncRAT, Formbook, RedLine Stealer

2022-08-04 | ConnectWise | Stu Gonzalez
Formbook and Remcos Backdoor RAT by ConnectWise CRU
Tags: Formbook, Remcos

2022-07-25 | Cert-UA | Cert-UA
Mass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a means of delivery (CERT-UA#5056)
Tags: 404 Keylogger, Formbook, RelicRace

2022-07-12 | Cyren | Kervin Alintanahin
Example Analysis of Multi-Component Malware
Tags: Emotet, Formbook

2022-07-01 | cyble | Cyble
Xloader Returns With New Infection Technique
Tags: Formbook

2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Tags: Aberebot, AbstractEmu, AdoBot, 404 Keylogger, Agent Tesla, Amadey, AsyncRAT, Ave Maria, BitRAT, BluStealer, Formbook, LimeRAT, Loki Password Stealer (PWS), Nanocore RAT, Orcus RAT, Quasar RAT, Raccoon, RedLine Stealer, WhisperGate

2022-03-11 | Netskope | Gustavo Palazolo
New Formbook Campaign Delivered Through Phishing Emails
Tags: Formbook

2022-03-07 | LAC WATCH | Cyber Emergency Center
I CAN'T HEAR YOU NOW! INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND JSOC DETECTION TRENDS
Tags: Xloader, Agent Tesla, Formbook, Loki Password Stealer (PWS)

2022-02-28 | AhnLab | ASEC Analysis Team
Change in Distribution Method of Malware Disguised as Estimate (VBS Script)
Tags: Formbook

2022-02-11 | forensicitguy | Tony Lambert
XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
Tags: Formbook

2022-01-21 | Zscaler | Brett Stone-Gross, Javier Vicente
Analysis of Xloader’s C2 Network Encryption
Tags: Xloader, Formbook

2022-01-18 | Elastic | Andrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin
FORMBOOK Adopts CAB-less Approach
Tags: Formbook

2021-11-23 | HP | Patrick Schläpfer
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
Tags: AdWind, Ratty, STRRAT, CloudEyE, Formbook, Houdini, Panda Stealer, Remcos

2021-11-16 | Yoroi | Carmelo Ragusa, Luca Mella, Luigi Martire
Office Documents: May the XLL technique change the threat Landscape in 2022?
Tags: Agent Tesla, Dridex, Formbook

2021-09-30 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: xLoader Infostealer
Tags: Xloader, Formbook

2021-09-29 | Trend Micro | Aliakbar Zahravi, Kamlapati Choubey, Peter Girnus, William Gamazo Sanchez
FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
Tags: Formbook

2021-07-21 | Quick Heal | Rumana Siddiqui
FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data
Tags: Formbook

2021-07-12 | Cipher Tech Solutions | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
Tags: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-07-12 | IBM | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
Tags: 404 Keylogger, Agent Tesla, AsyncRAT, Ave Maria, Azorult, BitRAT, Formbook, HawkEye Keylogger, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Quasar RAT, RedLine Stealer, Remcos

2021-04-22 | Fortinet | Xiaopeng Zhang
Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II
Tags: Formbook

2021-04-12 | Fortinet | Xiaopeng Zhang
Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I
Tags: Formbook

2021-03-17 | HP | HP Bromium
Threat Insights Report Q4-2020
Tags: Agent Tesla, BitRAT, ComodoSec, Dridex, Emotet, Ficker Stealer, Formbook, Zloader

2021-03-11 | YouTube (Malware_Analyzing_&_RE_Tips_Tricks) | Jiří Vinopal
Formbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]
Tags: Formbook

2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
Command and Control Traffic Patterns
Tags: ostap, LaZagne, Agent Tesla, Azorult, Buer, Cobalt Strike, DanaBot, DarkComet, Dridex, Emotet, Formbook, IcedID, ISFB, NetWire RC, PlugX, Quasar RAT, SmokeLoader, TrickBot

2020-11-19 | SANS ISC InfoSec Forums | Xavier Mertens
PowerShell Dropper Delivering Formbook
Tags: Formbook

2020-11-05 | tccontre Blog | tcontre
Interesting FormBook Crypter - unconventional way to store encrypted data
Tags: Formbook

2020-10-16 | Hornetsecurity | Hornetsecurity Security Lab
VBA Purging Malspam Campaigns
Tags: Agent Tesla, Formbook

2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
Tags: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos, PlugX, Pony, REvil, Socelars, STOP, Tinba, TrickBot, WannaCryptor

2020-07-22 | S2W LAB Inc. | S2W LAB INTELLIGENCE TEAM
'FormBook Tracker' unveiled on the Dark Web
Tags: Formbook

2020-05-31 | Malwarebytes | hasherezade
Revisiting the NSIS-based crypter
Tags: Formbook

2020-05-14 | SophosLabs | Markel Picado
RATicate: an attacker’s waves of information-stealing malware
Tags: Agent Tesla, BetaBot, BlackRemote, Formbook, Loki Password Stealer (PWS), NetWire RC, NjRAT, Remcos

2020-04-01 | Cisco | Andrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Tags: Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot

2020-03-24 | Avira | Avira Protection Labs
A new technique to analyze FormBook malware infections
Tags: Formbook

2020-01-19 | 360 | kate
BayWorld event, Cyber Attack Against Foreign Trade Industry
Tags: Azorult, Formbook, Nanocore RAT, Revenge RAT

2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Tags: Cerberus, TSCookie, Cobalt Strike, Dtrack, Emotet, Formbook, IcedID, Icefog, IRONHALO, Loki Password Stealer (PWS), PandaBanker, PLEAD, poisonplug, TrickBot, BlackTech

2019-09-26 | Proofpoint | Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
New WhiteShadow downloader uses Microsoft SQL to retrieve malware
Tags: WhiteShadow, Agent Tesla, Azorult, Crimson RAT, Formbook, Nanocore RAT, NetWire RC, NjRAT, Remcos

2019-07-15 | Cisco Talos | Edmund Brumaghin
SWEED: Exposing years of Agent Tesla campaigns
Tags: Agent Tesla, Formbook, Loki Password Stealer (PWS), SWEED

2019-06-12 | Cyberbit | Hod Gavriel
Formbook Research Hints Large Data Theft Attack Brewing
Tags: Formbook

2019-05-02 | Usual Suspect RE | Johann Aydinbas
FormBook - Hiding in plain sight
Tags: Formbook

2019-01-01 | Virus Bulletin | Gabriela Nicolao
Inside Formbook infostealer
Tags: Formbook

2018-12-05 | Botconf | Rémi Jullian
FORMBOOK In-depth malware analysis
Tags: Formbook

2018-11-01 | Peerlyst | Sudhendu
How to Analyse FormBook - A New Malware-as-a-Service
Tags: Formbook

2018-10-16 | Peerlyst | Sudhendu
How to understand FormBook - A New Malware-as-a-Service
Tags: Formbook

2018-06-22 | InQuest | Aswanda
FormBook stealer: Data theft made easy
Tags: Formbook

2018-06-20 | Cisco Talos | Paul Rascagnères, Warren Mercer
My Little FormBook
Tags: Formbook

2018-03-29 | Stormshield | Rémi Jullian
In-depth Formbook malware analysis – Obfuscation and process injection
Tags: Formbook

2018-01-29 | Vitali Kremez Blog | Vitali Kremez
Let's Learn: Dissecting FormBook Infostealer Malware: Crypter & "RunLib.dll"
Tags: Formbook

2017-10-05 | FireEye | Nart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean
Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
Tags: Formbook

2017-09-20 | NetScout | Dennis Schwarz
The Formidable FormBook Form Grabber
Tags: Formbook

2016-06-01 | Safety First Blog | SL4ID3R
Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world
Tags: Formbook
Yara Rules
[TLP:WHITE] win_formbook_auto (20230808 | Detects win.formbook.)
rule win_formbook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.formbook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5b 5f 5e 8be5 5d c3 8d0476 }
            // n = 7, score = 2200
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8d0476               | lea                 eax, [esi + esi*2]

        $sequence_1 = { 6a0d 8d8500fcffff 50 56 e8???????? 8d8d00fcffff 51 }
            // n = 7, score = 2200
            //   6a0d                 | push                0xd
            //   8d8500fcffff         | lea                 eax, [ebp - 0x400]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d8d00fcffff         | lea                 ecx, [ebp - 0x400]
            //   51                   | push                ecx

        $sequence_2 = { 56 e8???????? 8d4df4 51 56 e8???????? 8d55e4 }
            // n = 7, score = 2200
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8d55e4               | lea                 edx, [ebp - 0x1c]

        $sequence_3 = { c3 3c04 752b 8b7518 8b0e 8b5510 8b7d14 }
            // n = 7, score = 2200
            //   c3                   | ret                 
            //   3c04                 | cmp                 al, 4
            //   752b                 | jne                 0x2d
            //   8b7518               | mov                 esi, dword ptr [ebp + 0x18]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b7d14               | mov                 edi, dword ptr [ebp + 0x14]

        $sequence_4 = { 56 e8???????? 83c418 395df8 0f85a0000000 8b7d18 395f10 }
            // n = 7, score = 2200
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   395df8               | cmp                 dword ptr [ebp - 8], ebx
            //   0f85a0000000         | jne                 0xa6
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]
            //   395f10               | cmp                 dword ptr [edi + 0x10], ebx

        $sequence_5 = { c745fc01000000 e8???????? 6a14 8d4dec 51 50 }
            // n = 6, score = 2200
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   e8????????           |                     
            //   6a14                 | push                0x14
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_6 = { e8???????? 83c428 8906 85c0 75a8 5f 33c0 }
            // n = 7, score = 2200
            //   e8????????           |                     
            //   83c428               | add                 esp, 0x28
            //   8906                 | mov                 dword ptr [esi], eax
            //   85c0                 | test                eax, eax
            //   75a8                 | jne                 0xffffffaa
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 56 e8???????? 6a03 ba5c000000 57 56 66891446 }
            // n = 7, score = 2200
            //   56                   | push                esi
            //   e8????????           |                     
            //   6a03                 | push                3
            //   ba5c000000           | mov                 edx, 0x5c
            //   57                   | push                edi
            //   56                   | push                esi
            //   66891446             | mov                 word ptr [esi + eax*2], dx

        $sequence_8 = { 3b75d0 72c0 8d55f8 52 e8???????? }
            // n = 5, score = 2200
            //   3b75d0               | cmp                 esi, dword ptr [ebp - 0x30]
            //   72c0                 | jb                  0xffffffc2
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_9 = { 8d8df6f7ffff 51 c745fc00000000 668985f4f7ffff e8???????? 8b7508 }
            // n = 6, score = 2200
            //   8d8df6f7ffff         | lea                 ecx, [ebp - 0x80a]
            //   51                   | push                ecx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   668985f4f7ffff       | mov                 word ptr [ebp - 0x80c], ax
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 371712
}
[TLP:WHITE] win_formbook_w0 (20230118 | No description)
rule win_formbook_w0 {
    meta:
        author = "@malgamy12"
        date = "2022-11-8"
        license = "DRL 1.1"
        sample1 = "9fc57307d1cce6f6d8946a7dae41447b"
        sample2 = "0f4a7fa6e654b48c0334b8b88410eaed"
        sample3 = "0a25d588340300461738a677d0b53cd2"
        sample4 = "57d7bd215e4c4d03d73addec72936334"
        sample5 = "c943e31f7927683dc1b628f0972e801b"
        sample6 = "db87f238bb4e972ef8c0b94779798fa9"
        sample7 = "8ba1449ee35200556ecd88f23a35863a"
        sample8 = "8ca20642318337816d5db9666e004172"
        sample9 = "280f7c87c98346102980c514d2dd25c8"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $a1 = { 8B 45 ?? BA ?? [3] 8B CF D3 E2 84 14 03 74 ?? 8B 4D ?? 31 0E 8B 55 ?? 31 56 ?? 8B 4D ?? 8B 55 ?? 31 4E ?? 31 56 ?? }

        $a2 = { 0F B6 3A 8B C8 C1 E9 ?? 33 CF 81 E1 [4] C1 E0 ?? 33 84 8D [4] 42 4E }

        $a3 = { 1A D2 80 E2 ?? 80 C2 ?? EB ?? 80 FA ?? 75 ?? 8A D0 80 E2 ?? }

        $a4 = { 80 E2 ?? F6 DA 1A D2 80 E2 ?? 80 C2 ?? }

    condition:
        3 of them
}
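To see what the two conditions above actually require, here is an added example (my own code, not Malpedia's or yara-signator's) that re-implements YARA hex-string matching in plain Python for exactly the string definitions of win_formbook_w0 and win_formbook_auto: `??` wildcards and `[n]`/`[n-m]` jumps become a bytes regex, and each rule's `N of them` and `filesize <` clause is evaluated over a buffer. The three buffers it scans are constructed here, not real samples: a fake "unpacked dump" containing one concrete instance of every pattern of both rules, the same dump padded up to the 371712-byte cap, and a buffer carrying only two of the four w0 strings. Nibble wildcards (`8?`) and alternations are not needed by these rules and are rejected. The point it makes: the auto rule was generated from memory dumps and unpacked files (as its disclaimer says) and carries a size guard, so a packed dropper on disk that is large or still encrypted will not hit it even when the code is inside; the w0 rule, with no size guard, is the one to run against whole files, and the auto rule against process dumps.

```python
"""Plain-Python matcher for the two Malpedia Formbook YARA rules shown above.
Added example, not Malpedia's or yara-signator's code. The hex bodies are copied
from win_formbook_w0 / win_formbook_auto; every scanned buffer is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    strings: Dict[str, str]             # string name -> YARA hex body (braces optional)
    min_matches: int                    # the "N of them" in the condition
    max_filesize: Optional[int] = None  # "filesize < X"; None when unconstrained


def hex_body_to_regex(body: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex body to a bytes regex: '??' -> any byte,
    '[n]' / '[n-m]' -> n..m bytes of anything, everything else literal.
    Tokens may be multi-byte ('8be5', 'e8????????') as in the auto rule."""
    parts: List[bytes] = []
    for tok in body.strip().strip("{}").split():
        if tok.startswith("["):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
            continue
        if len(tok) % 2:
            raise ValueError(f"odd-length hex token {tok!r}")
        for i in range(0, len(tok), 2):
            pair = tok[i:i + 2]
            if pair == "??":
                parts.append(b".")
            elif "?" in pair:
                raise ValueError(f"nibble wildcard {pair!r} not supported here")
            else:
                parts.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def instantiate(body: str, fill: int = 0x00) -> bytes:
    """One concrete byte string that satisfies a hex body (wildcards/jumps -> fill)."""
    out = bytearray()
    for tok in body.strip().strip("{}").split():
        if tok.startswith("["):
            out += bytes([fill]) * int(tok[1:-1].partition("-")[0])
        else:
            for i in range(0, len(tok), 2):
                pair = tok[i:i + 2]
                out += bytes([fill]) if pair == "??" else bytes.fromhex(pair)
    return bytes(out)


def scan(rule: Rule, data: bytes) -> dict:
    """Evaluate 'N of them [and filesize < X]' the way YARA would."""
    hits: Dict[str, List[int]] = {}
    for name, body in rule.strings.items():
        offsets = [m.start() for m in hex_body_to_regex(body).finditer(data)]
        if offsets:
            hits[name] = offsets
    size_ok = rule.max_filesize is None or len(data) < rule.max_filesize
    return {"rule": rule.name, "hits": hits, "size_ok": size_ok,
            "matched": size_ok and len(hits) >= rule.min_matches}


# String definitions copied from the two rules on this page.
W0 = Rule("win_formbook_w0", {
    "$a1": "8B 45 ?? BA ?? [3] 8B CF D3 E2 84 14 03 74 ?? 8B 4D ?? 31 0E 8B 55 ?? 31 56 ?? 8B 4D ?? 8B 55 ?? 31 4E ?? 31 56 ??",
    "$a2": "0F B6 3A 8B C8 C1 E9 ?? 33 CF 81 E1 [4] C1 E0 ?? 33 84 8D [4] 42 4E",
    "$a3": "1A D2 80 E2 ?? 80 C2 ?? EB ?? 80 FA ?? 75 ?? 8A D0 80 E2 ??",
    "$a4": "80 E2 ?? F6 DA 1A D2 80 E2 ?? 80 C2 ??",
}, min_matches=3)

AUTO = Rule("win_formbook_auto", {
    "$sequence_0": "5b 5f 5e 8be5 5d c3 8d0476",
    "$sequence_1": "6a0d 8d8500fcffff 50 56 e8???????? 8d8d00fcffff 51",
    "$sequence_2": "56 e8???????? 8d4df4 51 56 e8???????? 8d55e4",
    "$sequence_3": "c3 3c04 752b 8b7518 8b0e 8b5510 8b7d14",
    "$sequence_4": "56 e8???????? 83c418 395df8 0f85a0000000 8b7d18 395f10",
    "$sequence_5": "c745fc01000000 e8???????? 6a14 8d4dec 51 50",
    "$sequence_6": "e8???????? 83c428 8906 85c0 75a8 5f 33c0",
    "$sequence_7": "56 e8???????? 6a03 ba5c000000 57 56 66891446",
    "$sequence_8": "3b75d0 72c0 8d55f8 52 e8????????",
    "$sequence_9": "8d8df6f7ffff 51 c745fc00000000 668985f4f7ffff e8???????? 8b7508",
}, min_matches=7, max_filesize=371712)

PAD = b"\x90" * 32
# Constructed "unpacked dump": one instance of every string of both rules, small.
DUMP = PAD + PAD.join(instantiate(b) for b in [*W0.strings.values(), *AUTO.strings.values()]) + PAD
# Same bytes padded up to the cap: every string still hits, but filesize < 371712 is false.
OVERSIZED = DUMP + b"\x00" * (371712 - len(DUMP))
# Only two of the four w0 strings present: below "3 of them".
PARTIAL = PAD + instantiate(W0.strings["$a3"]) + PAD + instantiate(W0.strings["$a4"]) + PAD

if __name__ == "__main__":
    for rule, buf, label in [(W0, DUMP, "dump"), (AUTO, DUMP, "dump"),
                             (AUTO, OVERSIZED, "oversized"), (W0, PARTIAL, "partial")]:
        r = scan(rule, buf)
        print(f"{rule.name:18} {label:9} matched={r['matched']} "
              f"strings={len(r['hits'])}/{len(rule.strings)} size_ok={r['size_ok']}")
```

Swap the constructed buffers for a real process dump (`DUMP = open(path, "rb").read()`) to check a candidate against both rules; when the auto rule reports all ten strings but `size_ok` is false, the dump is simply larger than the rule allows and the result says nothing about the family.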