FormBook Malware Being Distributed as .NET

AhnLab’s ani-malware software, V3, detects and responds to malware with a variety of detection features including the App Isolate Scan feature. The App Isolate Scan detects and quarantines suspicious processes. This allows quarantining malware such as Infostealer and downloader in a virtual environment for detection. Therefore, V3 can protect users from security threats by quarantining unknown malware that have not been collected by Ahnlab infrastructure or malware with unidentified static and dynamic behavior patterns in advance.

The FormBook malware mentioned below had been downloaded to the system and executed while the user was using a web browser. Thankfully, this malware was detected and blocked by AhnLab V3’s App Isolate Scan. This post introduces the detected FormBook malware.

FormBook is an Infostealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. FormBook operates by injecting into a running process memory, and the targets of injection are explorer.exe and arbitrary normal files in the %WinDir%\System32 folder. In order to reach FormBook, which is responsible for the actual information-leaking behaviors, preceding processes may be performed, including packing, obfuscation, and execution by a downloader.

The first file was distributed as a .NET. The malware connects to an external pastebin web service address where raw binary data can be uploaded to read the data and recreate them in PE binary, before loading it to the memory. The loaded PE is a .NET DLL obfuscated with multiple condition branches. Through this DLL, the file duplicates itself and runs recursion. Afterwards, it executes AddinProcess32.exe as a child process into which it injects the PE. The injected PE is FormBook.

Loading data by connecting to an external web address
Executing PE binary in the memory
Obfuscated .NET DLL

FormBook manually loads ntdll.dll onto the memory and calls this to bypass API monitoring. After performing the analysis bypassing technique as well as anti-debugging, it injects a code for C&C communication into a running explorer.exe process for C&C communication and executes it as a thread. An arbitrary normal file in the %WinDir%\System32 folder is executed as a subprocess of explorer.exe and the information to be leaked is collected. Please refer to the ASEC report and ATIP report for further details on the technique.[1][2]

Manually loading ntdll.dll onto the memory
Process list upon executing FormBook

[File Detection]
– Downloader/Win.Agent.R528975 (2022.10.14.00)

[Behavior Detection]
– Injection/MDP.Hollowing.M4180
– Malware/MDP.Injection.M3509

– 45ab0352a69644eb2305982585fa53f8
– hxxp://
– hxxp://

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating

Inline Feedbacks
View all comments