Formbook

Malware updated a month ago (2024-11-29T14:40:04.562Z)
Download STIX
Preview STIX
Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms of malware such as Remcos and GuLoader. Evidence suggests that the individual behind the Remcos and GuLoader sales also personally uses malware like Amadey and Formbook, and uses GuLoader as protection against antivirus detection. Throughout June 2023, there was significant activity related to Formbook. The malware was featured in an analysis series titled "30 days of Formbook," with notable events on Day 3 (June 7th) and Day 15 (June 19th). By September 2024, further developments were noted with a data dump involving both Remcos RAT and XLoader, another form of malware associated with Formbook. Experts also warned about JinxLoader, a loader used to spread Formbook and XLoader. In May 2024, Formbook was involved in phishing campaigns carried out in Romania and Poland. These campaigns utilized a Formbook executable file to infect systems. Furthermore, Formbook was found in conjunction with other malware families as a final payload, including Agent Tesla and Rescoms. This highlights the versatility and persistent threat posed by Formbook, which continues to evolve and adapt to spread its harmful effects.
Description last updated: 2024-09-12T00:17:07.965Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
GuLoader is a possible alias for Formbook. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r
4
Jinxloader is a possible alias for Formbook. JinxLoader is a malicious software (malware) that has been identified by cybersecurity experts as a potent threat to computer systems and devices. As a loader malware, its primary function is to infiltrate systems and subsequently download and install additional harmful software. In this case, JinxL
2
Amadey is a possible alias for Formbook. Amadey is a malicious software (malware) that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. The malware, which is often sold in underground forums, uses sophisticated techniques to infect systems, includ
2
Malvirt is a possible alias for Formbook. MalVirt is a malicious software (malware) that has been observed to be distributed through malvertising attacks, using virtualized .NET malware loaders. The malware infects systems via suspicious downloads, emails, or websites, and once inside, it can disrupt operations, steal personal information,
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Phishing
Loader
Remcos
Infostealer
Infostealer ...
Payload
Windows
Trojan
Downloader
Antivirus
Credentials
Malware Loader
Rat
Malvertising
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lokibot Malware is associated with Formbook. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal informationUnspecified
6
The Agent Tesla Malware is associated with Formbook. Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informatUnspecified
5
The Agenttesla Malware is associated with Formbook. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransUnspecified
3
The Emotet Malware is associated with Formbook. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, Unspecified
3
The Qbot Malware is associated with Formbook. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 Unspecified
3
The REvil Malware is associated with Formbook. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
2
The Raccoon Malware is associated with Formbook. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $Unspecified
2
The Azorult Malware is associated with Formbook. Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late FebUnspecified
2
The NETWIRE Malware is associated with Formbook. NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing atUnspecified
2
The Redline Malware is associated with Formbook. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage forUnspecified
2
The Rescoms Malware is associated with Formbook. Rescoms, also known as Remcos, is a remote access trojan (RAT) malware designed to exploit and damage computer systems by stealing sensitive information. It was primarily used in significant phishing campaigns across Central and Eastern Europe during the second half of 2023. These campaigns utilizedUnspecified
2
The Dotrunpex Malware is associated with Formbook. DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, AvUnspecified
2
The malware Avemaria/warzonerat is associated with Formbook. Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2017-11882 Vulnerability is associated with Formbook. CVE-2017-11882 is a significant software vulnerability, specifically a flaw in the design or implementation of Microsoft's Equation Editor. This vulnerability has been exploited by various threat actors to create malicious RTF files, most notably by Chinese state-sponsored groups using the "Royal RoUnspecified
4
Source Document References
Information about the Formbook Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
2 years ago
Malware-traffic-analysis.net
3 months ago
Malware-traffic-analysis.net
3 months ago
Malware-traffic-analysis.net
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
ESET
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Checkpoint
7 months ago
SANS ISC
7 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago