{
	"id": "9bd895a9-7cdf-4ef3-89f4-ee813392b82a",
	"created_at": "2026-04-06T00:12:54.976186Z",
	"updated_at": "2026-04-10T13:11:59.451438Z",
	"deleted_at": null,
	"sha1_hash": "8f48842576ba0a399be2edd98e4304a967218329",
	"title": "Virus Bulletin :: VB2018 paper: Inside Formbook infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865324,
	"plain_text": "Virus Bulletin :: VB2018 paper: Inside Formbook infostealer\r\nArchived: 2026-04-05 13:05:37 UTC\r\nGabriela Nicolao\r\nDeloitte, Argentina\r\nCopyright © 2018 Virus Bulletin\r\nAbstract\r\nFormbook [1] is an infostealer that has been advertised for sale in public hacking forums since February 2016 by a\r\nuser with the handle 'ng-Coder'. It is more advanced than a keylogger as it can retrieve authorization and login\r\ncredentials from a web data form before the information reaches a secure server, bypassing HTTPS encryption.\r\nFormbook is effective even if the victims use a virtual keyboard, auto-fill, or if they copy and paste information to\r\nfill the form. The author of Formbook affirms that it is 'browser-logger software', a.k.a. form-grabbing software.\r\nFormbook offers a PHP panel, where the buyers can track their victims' information, including screenshots,\r\nkeylogged data, and stolen credentials. Hosting and domain services are provided for low prices with a bin only\r\navailable in the Pro version.\r\nFormbook was used in a spam campaign in late 2017, targeting the aerospace, defence contractor and\r\nmanufacturing sectors in South Korea and the USA. It includes hiding, persistence, anti-analysis, deletion and\r\ntermination mechanisms along with several commands that the C\u0026C (command-and-control) server can receive.\r\nThe 'ng-Coder' user indicated that Formbook should not be used for malicious purposes and blocked sales until\r\nfurther notice after the spam campaigns became known. According to 'ng-Coder', Formbook should only be used\r\nto spy on family members or employees if the user has the explicit right to do so. 
However, this claim is dubious\r\ngiven the barely legitimate nature of the use of such software.\r\nAbout formgrabbers\r\nFormgrabbers intercept HTTP(S) data and use inline hooking to redirect the function to one within the\r\nformgrabber before transferring the execution flow back to the HTTP function to complete the request. This\r\ntechnique allows formgrabbers to capture a user's information before the user submits it over the Internet to a\r\nsecure server. While keyloggers focus mainly on capturing the user's input, formgrabbers collect pasted\r\ninformation and/or information selected via a drop-down option, which makes them more efficient than\r\nkeyloggers.\r\nA formgrabber injects a DLL (Dynamic Link Library) into a browser and monitors for calls to the\r\nHttpSendRequest API within WININET.DLL in order to intercept the data before encryption and send all requests\r\nto its own code, prior to sending the data onwards. Andromeda (aka Gamarue), Tinba and Weyland‑Yutani BOT\r\nare some malware families that use this technique.\r\nhttps://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/\r\nPage 1 of 10\n\nFormbook background\r\nPrior to advertising it for sale, a user with the handle 'ng-Coder' offered Formbook for free in public hacking\r\nforums so that other users could review it.\r\nFigure 1: First mention of Formbook in a forum.\r\nSoon after the free version was released, the user 'ng-Coder' advertised Formbook for sale at an initial price of 250\r\nUSD. However, the author reduced the price to 120 USD in early March 2016 after receiving several complaints\r\nabout the price from forum members. 
The current pricing list and payment methods offered in the forum are\r\ndisplayed in Figure 2.\r\nFigure 2: Pricing list and payment methods\r\nfor Formbook.\r\nCharacteristics\r\nAccording to the user 'ng-Coder', Formbook boasts the following features:\r\nCoded in ASM/C (x86_x64)\r\nStartup (hidden)\r\nFull PE-injection (no DLL/no drop/both x86 and x64)\r\nRing3 kit\r\nBin is Balloon Executable (MPIE + MEE)\r\nDoesn't use suspicious Windows APIs\r\nNo blind hook, all hooks are thread safe including the x64, so crash is unlikely\r\nAll communications with the panel are encrypted\r\nInstall manager\r\nFile browsing (FB Connect)\r\nFull Unicode support.\r\nControl panel\r\nFormbook works as a botnet, infecting victims that are shown in a web panel in order to manage the information\r\nthat is retrieved from them. Figure 3 shows the web panel.\r\nFigure 3: Formbook web panel.\r\nEach bot can receive the following commands from the C\u0026C server:\r\nDownload and execute\r\nUpdate\r\nUninstall\r\nVisit URL\r\nClear cookies\r\nRestart system\r\nShut down system\r\nForce upload keystroke\r\nTake screenshot\r\nFB Connect (file browsing)\r\nDownload and execute from FB Connect\r\nUpdate bin from FB Connect\r\nCampaigns\r\nFormbook was used in spam campaigns targeting the aerospace, defence contractor and manufacturing sectors\r\nwithin the US and South Korea in 2017 [2]. It was distributed via PDFs with embedded links, DOC and XLS files\r\nwith malicious macros, and compressed files containing the executable.\r\nIt was also observed in 2018, distributed via emails with DOCX files that contained a URL [3]. This URL\r\ndownloaded an RTF file that exploits CVE-2017-8570 and drops an executable. 
This executable downloads the\r\nFormbook sample.\r\nAnalysis\r\nThe analysed sample is a RAR self-extracting archive (SFX) that contains several files, as shown in Figure 4.\r\nFigure 4: SFX file.\r\nThe description to the right of the files shows the following strings:\r\nPath=%LocalAppData%\\temp\\cne\r\nSilent=1\r\nUpdate=UcE1U8\r\nSetup=axo.exe pwm-axa\r\nFiles with a size below 1K contain a few strings that are probably used during decompression.\r\nAfter executing the SFX file, Formbook extracts the files in %LocalAppData%\\temp\\cne using CreateDirectoryW.\r\nIt then deletes the SFX file. Figure 5 shows the file extraction.\r\nFigure 5: File\r\nextraction.\r\nThe axo.exe file is an AutoIt script that is executed with the pwm-axa file as a parameter. Figure 6 shows the\r\nproperties of the axo.exe file.\r\nFigure 6: Properties of the axo.exe\r\nAutoIt executable.\r\nThe script decrypts Formbook and loads it in memory. In order to do this, it creates a file with a random name that\r\ncontains Formbook's functionality and deletes it soon after loading it in memory. This file contains 44 functions\r\nwith obfuscated names. The sni.mp3 file includes interesting strings that were used during the execution, as shown\r\nin Figure 7.\r\nFigure 7: Interesting strings found in the sni.mp3 file.\r\nThe script contains the following features:\r\n1. Hiding mechanism\r\nThe script changes the cne folder attributes to hide its content by executing the command\r\nFileSetAttrib($cne_Folder_Path, \"+H\").\r\n2. 
Persistence mechanism\r\nIn order to remain persistent, it modifies the Run registry key with a new key named WindowsUpdate that\r\ninstructs the execution of axo.exe along with pwm-axa:\r\nIf IsAdmin() Then\r\nRegWrite(\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", $WindowsUpdate, \"REG_SZ\r\nElse\r\nRegWrite(\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", $WindowsUpdate, \"REG_SZ\"\r\nRegWrite(\"HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", $WindowsUpdate, \"REG_SZ\", $cne_Folde\r\nEndIf\r\nSleep(1000)\r\nSleep(1000)\r\nEndFunc\r\nFigure 8: Persistence mechanism.\r\n3. Protection disabling and anti-analysis\r\nThe script tries to modify the following registry keys:\r\nRegWrite(\"HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", \"DisableTaskMgr\",\r\n\"REG_DWORD\", \"1\")\r\nRegDelete(\"HKLM64\\Software\\Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients\")\r\nRegWrite(\"HKLM64\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\", \"EnableLUA\",\r\n\"REG_DWORD\", \"0\")\r\nAnd it:\r\nDisables Task Manager\r\nTurns off the system protection\r\nDisables UAC (User Account Control)\r\nFormbook will terminate if it finds VMware or VirtualBox processes running in the victim's system and if the 'D'\r\ndrive has space of less than 1MB:\r\nVMwaretray.exe\r\nVbox.exe\r\nVMwareUser.exe\r\nVMwareService.exe\r\nVboxService.exe\r\nvpcmap.exe\r\nVBoxTray.exe\r\nIf DriveSpaceFree (\"d:\\\") \u003c1 And ProcessExists ([VMWare or VBox]) then Exit\r\n4. Check default browser\r\nThe script will check the HKCR\\http\\shell\\open\\command registry key to know which Internet browser the\r\nvictim's machine uses by default.\r\n5. 
Formbook deletion and termination\r\nFormbook will look for the svshost.exe process and terminate if it finds more than two svshost.exe processes\r\nrunning, as shown in Figure 9.\r\nFigure 9: Termination.\r\nConclusion\r\nDespite Formbook infostealer having been around for a couple of years now, it only came to public attention after\r\nit was extensively used in spam campaigns in late 2017. The fact that Formbook wasn't noticed before is probably\r\nbecause its developers didn't release the builder to the public, so it was easy for them to track its activities and turn\r\nit off if they found that it was being used for purposes for which it was not intended or if it was gaining too much\r\nattention from the security community. Despite not being broadly used, Formbook represents a real threat, due to\r\nit being stealthier and more powerful than keyloggers.\r\nSimilar to the Agent Tesla remote access trojan (RAT), the author of Formbook initially offered a beta version of\r\nthe product free of charge in order to receive feedback and make improvements.\r\nThe 'ng-Coder' user indicates that Formbook should not be used for malicious purposes, and after the spam\r\ncampaigns were made public, he blocked Formbook's sales until further notice. According to 'ng-Coder',\r\nFormbook should only be used to spy on family members or employees if the user has the explicit right to do so.\r\nHowever, this claim itself is dubious given the barely legitimate nature of the use of such software.\r\nIOCs\r\nThe SHA256 hash of the SFX file that was analysed is:\r\n2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82.\r\nReferences\r\n[1] Schwarz, D. The Formidable FormBook Form Grabber. Arbor Networks, 20 September 2017.\r\nhttps://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/.\r\n[2] Villeneuve, N.; Eitzman, R.; Nemes, S.; Dean, T. 
Significant FormBook Distribution Campaigns Impacting the\r\nU.S. and South Korea. FireEye, 5 October 2017. https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html.\r\n[3] Urgent server alert malspam delivers formbook trojan via CVE-2017-8570 word doc. My Online Security, 16\r\nFebruary 2018. https://myonlinesecurity.co.uk/urgent-server-alert-malspam-delivers-formbook-trojan-via-cve-2017-8570-word-doc.\r\nSource: https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/"
	],
	"report_names": [
		"vb2018-paper-inside-formbook-infostealer"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434374,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f48842576ba0a399be2edd98e4304a967218329.pdf",
		"text": "https://archive.orkl.eu/8f48842576ba0a399be2edd98e4304a967218329.txt",
		"img": "https://archive.orkl.eu/8f48842576ba0a399be2edd98e4304a967218329.jpg"
	}
}