Win32/Formbook [Threat Name]

Detection created2018-04-19
World activity peak 2021-04-13 (1.47 %)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


The trojan is generally spread through spam emails that include malicious code in the attachment.

By opening/executing the attachment the malware is executed too.

Information stealing

Win32/Formbook is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • data from the clipboard

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • log keystrokes
  • capture screenshots
  • send gathered information
  • remove itself from the infected computer
  • delete cookies
  • shut down/restart the computer

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan may create and run a new thread with its own program code within any running process.

The trojan can detect presence of debuggers and other analytical tools.

The trojan quits immediately if it is run within a debugger.

The trojan may hook selected Windows APIs.

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win32/Formbook.AA 2018-04-19 trojan

Please enable Javascript to ensure correct displaying of this content and refresh this page.