ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Formbook

Names: Formbook, win.xloader
Category: Malware
Type: Backdoor, Keylogger, Info stealer, Credential stealer
Description: (FireEye) FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:

• Key logging
• Clipboard monitoring
• Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
• Grabbing passwords from browsers and email clients
• Screenshots

FormBook can receive the following remote commands from the C2 server:

• Update bot on host system
• Download and execute file
• Remove bot from host system
• Launch a command via ShellExecute
• Clear browser cookies
• Reboot system
• Shutdown system
• Collect passwords and create a screenshot
• Download and unpack ZIP archive
Information:
<https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html>
<http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/>
<https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu>
<http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html>
<https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/>
<https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/>
<http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html>
<https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/>
<https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf>
<https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent>
<https://blog.talosintelligence.com/2018/06/my-little-formbook.html>
<https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I>
<https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii>
<https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii>
<https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/>
<https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html>
<https://www.cyfirma.com/outofband/formbook-malware-technical-analysis/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:FormBook>

Last change to this tool card: 26 April 2023


All groups using tool Formbook

APT groups

Name                    Country     Observed        Changed
Cobalt Group            Russia      2016-Oct 2019   X
Operation Epic Manchego [Unknown]   2020
RATicate                [Unknown]   2019
Sweed                   [Unknown]   2017-2019

4 groups listed (4 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency
