In this article we analyze a new FormBook infostealer sample, developed in AutoIT.
Here is the Matrix table for the sample:
Here are the details of the PE sections. The sample creates and uses thread objects for its malicious tasks, gathers information about the logical processors (usually done for anti-VM and anti-sandbox checks and execution-environment fingerprinting), and retrieves details about the user and the current system locales. There are references to keylogging features (monitoring keystrokes and keyboard state), mouselogging (mouse clicks, button clicks, mouse positions and coordinates) and operational actions (such as volume down and up, launch mail, launch media). The threat performs several filesystem operations, for example file close, file copy, LNK file creation and file gathering; many of the actions performed are associated with C&C activity, malicious FTP connections to the C&C domain and connections used to exfiltrate the gathered data and files.
The infostealer has access to several special folders, such as Program Files, CommonFiles, Documents, AppData, TempDir, Desktop and the startup folders. This is done to gather files and data for stealing, and these folders are usually also used to drop additional threats. FormBook reads the Desktop coordinates to perform screenlogging; the user profile directory is accessed to get the victims' personal data, and the logon server and domain (LOGONSERVER and LOGONDOMAIN) are read as well, which widens the compromise scenario towards infrastructure compromise and possibly lateral movement via credential stuffing.
We can see the AutoIT script acquires privileges for higher-permission execution, such as SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeDebugPrivilege.
There are references to registry key access and deletion functions, including on the HKEY_CURRENT_USER and HKEY_CURRENT_CONFIG hives.
Here we can see many functions associated with the C&C features, for example WNetGetConnectionW, InternetOpenW, InternetSetOptionW, HttpQueryInfoW, HttpSendRequestW and HttpOpenRequestW and, interestingly, FTP-related functions used for the data stolen from victims: FtpOpenFileW and FtpGetFileSize. The executable has a requestedExecutionLevel of asInvoker. FormBook appears to be packed, based on the overall entropy coefficient of 7.10526; the .rsrc PE section is compressed and has an entropy coefficient of 7.89049.
The Portable Executable was compiled on 16th July 2025:
ASLR is enabled, so the memory locations of the program's data structures are randomized within its address space.
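As an added example (not code from the original analysis), the following stdlib-only Python script reproduces the two static checks used above: the per-section Shannon entropy that flags the packed .rsrc section, and the COFF compile timestamp. It runs on a constructed, labelled stand-in PE image rather than on the sample, and the 7.0 threshold is an assumed heuristic cut-off.

```python
import math
import struct
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(pe: bytes):
    """Return (COFF TimeDateStamp, [(section name, raw bytes), ...]) from the PE headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sections = []
    for i in range(nsect):
        off = coff + 20 + opt_size + 40 * i          # section headers follow the optional header
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return stamp, sections

def triage(pe: bytes, threshold: float = 7.0) -> dict:
    """Compile time, whole-file entropy and per-section entropy; >= threshold is flagged as packed."""
    stamp, sections = parse_pe(pe)
    report = {"compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
              "file_entropy": round(shannon_entropy(pe), 5), "sections": {}}
    for name, data in sections:
        h = round(shannon_entropy(data), 5)
        report["sections"][name] = {"entropy": h, "packed": h >= threshold}
    return report

def build_sample_pe() -> bytes:
    """Constructed stand-in for a real binary: low-entropy .text, uniform (8.0 bits) .rsrc."""
    text = b"\x90" * 448 + bytes(range(64))
    rsrc = bytes((i * 37 + 11) % 256 for i in range(1024))   # every byte value exactly 4 times
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1752624000, 0, 0, 0, 0x102)       # stamp: 2025-07-16 UTC
    first_raw = 64 + 4 + 20 + 40 * 2
    def hdr(name, size, ptr):                                  # 40-byte IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    table = hdr(b".text", len(text), first_raw) + hdr(b".rsrc", len(rsrc), first_raw + len(text))
    return dos + b"PE\0\0" + coff + table + text + rsrc
```

Pointing `triage` at a real file (`triage(open(path, "rb").read())`) gives the same report shape; a whole-file value above 7 with one section near 8, as seen on this sample, is the classic packed-resource signature.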
Besides the network-related functions there are imports from the Windows Management Library (WINMM.dll) and registry-related functions (ADVAPI32.dll). Among the imports we also see LoadUserProfileW (to get details about the identified user profiles), QueryPerformanceFrequency (used for environment fingerprinting, anti-VM and anti-sandbox checks) and mouse_event, tied to the mouselogging capability. It is also interesting that the malware collects a lot of the victims' clipboard data (clipboard logging, via GetClipboardData), and LookupPrivilegeValueW is used to obtain the locally unique identifiers (LUIDs) of the privileges listed above.
During debugging and dynamic analysis we can see, at address 00C51000 at the push ebp instruction, the following domains, which are related to credential stealing and data leaking from the victims (for example CyberGhost VPN, CupidMedia). The threat gathers details about the Software Restriction Policy deployed through Group Policy (under the registry key HKLM\System\CurrentControlSet\Control\Srp\GP), and we can also see the malware loading the wininet.dll library through vmsmb, which lets it handle the FTP and HTTP protocols.
When the socket object and its attributes are set, the C&C domain is also defined: financialteach[.]xyz (resolving to the IP addresses 13.248.169[.]48 and 76.223.54[.]146).
Alongside the collection of credentials for the targeted data-leak domains we find evidence of calls to the Internet connection functions, HTTP request handling, FTP file opening and file attribute gathering.
The C&C domain registration appears to be privacy-protected through the Japanese registrar onamae[.]com. The domain was created on 10th April 2025 (initially resolving to the IP address 150.95.255[.]38).
The IP addresses 76.223.54[.]146 and 13.248.169[.]48 are registered in Washington to AWS Global Accelerator, and ports 80 and 443 are open.
They are flagged as malicious by OSINT sources:
IOCs:
- 1ac3ac35e5e9edf0989bafdd06f43906591c4e29f0a8d6950fece28110bfaa7e
- f9bae65d1f749084bb02a93317342d6ec56c5be0
- 66abef95ef0b58ab827a59475cd8ced1
- financialteach[.]xyz
- 76.223.54[.]146
- 13.248.169[.]48