{
	"id": "dd36139f-0399-4fc9-aec8-abdcea3f8ed6",
	"created_at": "2026-04-06T00:21:43.284493Z",
	"updated_at": "2026-04-10T13:12:23.13946Z",
	"deleted_at": null,
	"sha1_hash": "1f378fd99b12c7e5a888147993c2cc3c5b73314b",
	"title": "Malware Analysis - FormBook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1250055,
	"plain_text": "Malware Analysis - FormBook\r\nBy Bar Magnezi\r\nPublished: 2024-06-13 · Archived: 2026-04-05 19:52:31 UTC\r\nSample:\r\n1dcce19e1a6306424d073487af821ff0\r\nBackground\r\nFormBook is an infostealer malware that was first discovered in 2016. It steals various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It also has the ability to act as a downloader, enabling it to download and execute additional malicious files.\r\nStatic Analysis - Stage 1\r\nFigure 1: Malware Bazaar Entry\r\nIt’s crucial to understand that LNK files often serve as shortcuts to executable programs, making them susceptible to exploitation for malicious code execution. Consequently, I immediately employed LECMD to extract the command-line arguments that would be executed if the program were run, providing essential insights into potential malicious activities.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/FormBook/\r\nPage 1 of 12\r\nFigure 2: LECMD Output reveals URL\r\nThis output revealed a 2nd stage that is being downloaded from a URL. Here is a CMD command to download the file safely, without executing it:\r\ncurl http://armanayegh.com/wee/wow123.hta \u003e wow123.hta\r\nStatic Analysis - Stage 2\r\nObserving the .hta file revealed that there is a Visual Basic script inside, as shown in Figure 3.\r\nFigure 3: Showing The Content of the .hta file\r\nIt was observed that a main function is called on an array, likely for deobfuscation purposes. A new VBS file was created with a copy of the function and the array to observe the output of the new array, as shown in Figure 4.\r\nFigure 4: Trying to Deobfuscate The Array\r\nFigure 5: Output Of The Array Using CScript\r\nThe output is a PowerShell script that is being executed. After some cleaning of the code it looks like this:\r\nFigure 6: PS Script After Cleaning\r\nThe attacker once again employed the same technique to obfuscate the code, utilizing a main function called on arrays. A new modified PS script was written to deobfuscate it, as shown in Figure 7.\r\nFigure 7: PS Script To Output\r\nFigure 8: Output Of The Arrays\r\nAs depicted in Figure 8, the deobfuscation process was successful, revealing a new stage.\r\nFigure 9: Downloading The Actual Malware\r\nStatic Analysis - Stage 3\r\nThis is the final stage of the malware, where it runs and executes.\r\nFigure 10: CAPA on The EXE\r\nRunning CAPA revealed that there is probably encrypted communication using RC4 encryption.\r\nDynamic Analysis - Stage 3\r\nThe program was executed, and packet capture using Wireshark revealed encrypted data transmission, as depicted in Figure 11.\r\nFigure 11: Using Wireshark To Capture The Data\r\nEvery fraction of a second, the data was being sent to a different domain, as shown in Figure 12.\r\nFigure 12: Capturing in Wireshark DNS Requests\r\nEvery domain was flagged as malicious by VirusTotal, as illustrated in Figures 13 and 14.\r\nFigure 13: Malicious Domain\r\nFigure 14: Malicious Domain\r\nIn addition, for persistence and evasion mechanisms, after execution, the original file deletes itself, moves to a different location, and adds itself to an autorun path, ensuring it is executed every time the computer starts up.\r\nFigure 15: Autoruns Output\r\nFurther Analysis On The Threat Actor\r\nAfter analyzing the attacker’s patterns and techniques, it was decided to conduct a deeper investigation of their web server. Navigating to the parent directory revealed numerous variants of the malware ready for deployment.\r\nFigure 16: More Variants Of The Malware\r\nHere is a Python script to download every file in that directory:\r\nimport requests\r\nfrom bs4 import BeautifulSoup\r\nimport urllib.request\r\nimport os\r\n\r\ndef download_files_from_url(url):\r\n    # Fetch the open directory listing\r\n    response = requests.get(url)\r\n    if response.status_code == 200:\r\n        soup = BeautifulSoup(response.content, 'html.parser')\r\n        links = soup.find_all('a')\r\n        if not os.path.exists('downloaded_files'):\r\n            os.makedirs('downloaded_files')\r\n        for link in links:\r\n            href = link.get('href')\r\n            # Skip anchors without an href, subdirectories and sort-order links\r\n            if not href or href.endswith('/') or href.startswith('?'):\r\n                continue\r\n            file_url = url + href\r\n            file_name = href.split('/')[-1]\r\n            file_path = os.path.join('downloaded_files', file_name)\r\n            print(\"Downloading\", file_url)\r\n            urllib.request.urlretrieve(file_url, file_path)\r\n    else:\r\n        print(\"Failed to fetch URL:\", url)\r\n\r\ndownload_files_from_url('http://198.23.201.89/warm/')\r\nFigure 17: Downloading Every File\r\nAfter a brief analysis and examination of each file, it was concluded that they all contain the same malware with slight modifications. Each variant employs similar techniques and mechanisms to steal various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes.\r\nIOCs\r\nHash:\r\n351650a422e427140d74d8c68185fa24\r\n016b33de3a455595d25143d2a4f0e994\r\n2eebcdd0e833ba968a9cac360aed72de\r\n5500b14a5124b3775bf49d67ed8bd7f0\r\n132e9cb76def326daa4088f99587b759\r\nb601fc607a492f38f141109d21db8b12\r\nb94b6c27e410388cd4e7dfeb352b75ce\r\n9a2d6857759f61ab3f65df7c8194521d\r\n24be5183dd56c3d08bae8625fba83aaa\r\n092cd26903ed79eb7da016adbb7c928d\r\n4e38516298dd0a2f5b47bc1fe079f2a6\r\n5b3383df0b033c0401892c1d6109f704\r\ncd5915bac2ea167ddb7bcc2ae9ceab78\r\n09ab6049a1abaac4ce2aef0dc60b6b6d\r\n11619700f17b122175c52b8703180504\r\n1dcce19e1a6306424d073487af821ff0\r\n48cd56cea8a4055c9d3a4e14fd07695a\r\nURL:\r\nhxxp://armanayegh[.]com\r\nwww[.]northerncraftman[.]com\r\nwww[.]billigaskorid[.]club\r\nwww[.]usekalendaergpt83[.]com\r\nwww[.]joyesi[.]xyz\r\nwww[.]handsome-sex[.]com\r\nwww[.]prepcare[.]org\r\nwww[.]techchains[.]info\r\nwww[.]financialposter[.]com\r\nwww[.]shenzhoucui[.]com\r\nwww[.]dop2[.]top\r\nwww[.]bamconstruction[.]store\r\nwww[.]goldenjade-travel[.]com\r\nwww[.]belatofo[.]com\r\nwww[.]thecoloringbitch[.]com\r\nwww[.]economic-basics[.]net\r\nwww[.]ponymph[.]site\r\nwww[.]empowermedeco[.]com\r\nwww[.]rssnewscast[.]com\r\nwww[.]magmadokum[.]com\r\nwww[.]ditec-zeitarbeit[.]com\r\nwww[.]xionghuqian[.]top\r\nwww[.]kasegitai[.]tokyo\r\nwww[.]manekineko106[.]xyz\r\nwww[.]faajayapariwisata[.]com\r\nwww[.]660danm[.]top\r\nwww[.]liangyuen528[.]com\r\nwww[.]elettrosistemista[.]zip\r\nwww[.]117absasdad[.]store\r\nwww[.]makeinai[.]online\r\nwww[.]dorama-feelings[.]com\r\nwww[.]wmabed[.]shop[.]\r\nwww[.]k9vyp11no3[.]cfd\r\nwww[.]kateandrae[.]com\r\nwww[.]hroost[.]dev\r\nwww[.]m7q374[.]cfd\r\nwww[.]lloydsgroupco[.]com\r\nwww[.]enigmaticuii[.]com\r\nwww[.]1ijym8[.]cfd\r\nwww[.]azlimitlesshvac[.]net\r\nwww[.]b301[.]space\r\nwww[.]aaliyahsbabysitting[.]com\r\nwww[.]zenturasolutions[.]com\r\nwww[.]8gdh[.]com\r\nwww[.]jdfoxlight[.]info\r\nwww[.]donnavariedades[.]com\r\nwww[.]cebede24[.]com\r\nwww[.]66nong[.]com\r\nwww[.]xelynx[.]com\r\nwww[.]poria[.]link\r\nwww[.]3xfootball[.]com\r\nwww[.]freespirit-jules[.]com\r\nwww[.]olahbet[.]live\r\nwww[.]freshrakgroup[.]com\r\nwww[.]pivotalworks[.]tech\r\nwww[.]xiongqia[.]top\r\nwww[.]antonio-vivaldi[.]mobi\r\nIP:\r\nYara Rule\r\nrule FormBook {\r\n    meta:\r\n        description = \"Searches for Formbook variants\"\r\n        author = \"0xMrMagnezi\"\r\n        date = \"2024-06-13\"\r\n\r\n    strings:\r\n        $hex_sequence = { 33 DB 53 FF 75 FC FF 75 F8 57 E8 84 FD FF FF }\r\n        $hex_sequence2 = { FF 50 FF B5 3C FD FF FF 8D 85 68 FE FF FF 50 E8 4C 0F }\r\n\r\n    condition:\r\n        $hex_sequence or $hex_sequence2\r\n}\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/FormBook/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/FormBook/"
	],
	"report_names": [
		"FormBook"
	],
	"threat_actors": [],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f378fd99b12c7e5a888147993c2cc3c5b73314b.pdf",
		"text": "https://archive.orkl.eu/1f378fd99b12c7e5a888147993c2cc3c5b73314b.txt",
		"img": "https://archive.orkl.eu/1f378fd99b12c7e5a888147993c2cc3c5b73314b.jpg"
	}
}