Formbook - How to Remove

Last updated: 2026-04-01

Incident Response Guide: Formbook Infostealer

Incident Triage Steps

Within the first 30 minutes, your priority is to determine the scope of the infection and assess potential data loss. Formbook is a modular infostealer that typically arrives via phishing emails with malicious attachments or links. It focuses on harvesting credentials, browser data, and system information.

Immediate Actions:

  1. Identify Patient Zero: Query your email security gateway or SIEM platform for emails with common Formbook lure subjects (e.g., “Invoice,” “Shipping Details,” “Order Confirmation”) containing .doc, .xls, .pdf, or archive file attachments. Look for associated macro execution or child process creation events.
  2. Scope the Infection: Use your EDR solution to search for Formbook’s hallmark behaviors:
    • Process Injection: Look for processes (like explorer.exe, svchost.exe) spawning unusual child processes or making suspicious memory allocations.
    • Persistence Mechanisms: Search for scheduled tasks or registry run keys created in the last 48 hours, particularly under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
    • File System Artifacts: Search for recently created files in %AppData%, %LocalAppData%, or %Temp% with random alphanumeric names (e.g., o83jfw.exe).
  3. Check for Data Exfiltration: Formbook exfiltrates data via HTTP POST requests to its command-and-control (C2) server.
    • Review proxy, firewall, and DNS logs for connections to suspicious domains, often using a low reputation score or newly registered domains (NRDs).
    • Look for large, outbound HTTP POST requests from user workstations (not typical servers) to external IP addresses on ports 80 or 443. The absence of these logs does not rule out exfiltration, as Formbook may use encrypted channels.

Evidence Collection

Before any containment or removal, preserve the following evidence for forensic analysis and potential legal requirements.

Volatile Data (Collect Immediately):

  • Memory Dump: Acquire a full memory image from at least one infected host using a trusted memory forensic tool. Formbook’s core logic often resides only in memory.
  • Process Listing: Capture a detailed process list with command-line arguments, loaded DLLs, and network connections. Pay special attention to processes with mismatched parent/child relationships or those injecting into legitimate Windows processes.
  • Network Connections: Document all active and recent network connections from the suspect host, noting remote IP addresses and ports.

Persistent Artifacts:

  • File System: Collect the Formbook payload, typically found in %AppData%\Microsoft\<random> or %LocalAppData%\Temp\<random>.exe. Also, collect any downloaded second-stage payloads and the original malicious document or installer.
  • Registry: Export registry hives, focusing on:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Logs: Preserve Windows Event Logs (especially Security, System, and PowerShell logs), firewall logs, and any relevant EDR or AV console logs from the infection timeframe.
  • Disk Image: For critical systems, consider creating a forensic disk image before remediation.

Containment Procedures

The goal is to isolate the threat while preserving evidence for eradication.

  1. Network Segmentation:

    • Immediately quarantine affected hosts at the network level using network access control (NAC) or firewall rules. Place them in an isolated VLAN with no internet or internal network access.
    • If segmentation is delayed, block all outbound traffic from the identified host to the suspected C2 IPs/domains at the perimeter firewall.

  2. Credential Reset Scope:

    • Formbook steals credentials from browsers, email clients, FTP clients, and system vaults.
    • Mandatory Reset: Force password resets for all accounts active on the infected machine(s), including local admin, domain, and all web/application credentials entered on that system.
    • Broad Consideration: Given the stealing capability, consider a broader reset for high-value domain accounts if the infection spread is unknown. Enforce multi-factor authentication (MFA) where possible.

  3. C2 Communication Blocking:

    • Update your threat intelligence feeds and block the identified C2 domains and IP addresses at all network egress points (firewalls, proxies, DNS filtering).
    • Submit indicators (hashes, domains, IPs) to your SIEM and EDR platforms to block execution and network communication enterprise-wide.

Eradication and Recovery

Eradication must be thorough, as Formbook employs multiple persistence mechanisms.

  1. Complete Removal: Follow the detailed, step-by-step procedures in the dedicated Removal Guide. This guide provides per-system instructions for:

    • Terminating malicious processes.
    • Removing all persistence points (Registry, Scheduled Tasks, Startup folders).
    • Deleting all associated files and artifacts from the filesystem.

  2. Restoration and Validation:

    • Restore from Backups: For severely compromised systems or where critical data was altered, rebuild from known-clean, pre-infection backups. Do not restore from backups taken during the active infection window.
    • Verify Clean State: After removal/rebuild, perform a validation scan:
      • Re-examine the registry and file system locations for any re-created artifacts.
      • Use your EDR tool to verify no abnormal process injection or network calls persist.
      • Run a full antivirus scan with updated signatures.
    • Monitor Closely: Keep the system under enhanced monitoring for at least one week, watching for any recurrence of the same IOCs.

Lessons Learned Checklist

After containment and eradication, conduct a formal review to improve defenses.

  • Initial Infection Vector:

    • Was the entry point a phishing email? If so, what email security controls (filtering, attachment sandboxing) failed to detect it?
    • Was a malicious website involved? Were web filtering or network proxy controls bypassed?
    • Did the user need to enable macros or execute a file? Are macro execution policies and application allow-listing sufficiently restrictive?

  • Detection Gaps:

    • Did endpoint detection tools alert on the process injection, persistence creation, or outbound C2 call? If not, are logging levels and detection rules adequate?
    • Were network-based alerts generated for the C2 communication? Are DNS and proxy logs being analyzed for beaconing to low-reputation domains?
    • Review the Detection Guide to ensure your SIEM and EDR rules align with the latest Formbook TTPs.

  • Control Improvements:

    • Technical: Can application allow-listing be implemented to prevent execution from %AppData% and %Temp%? Can enhanced macro security be enforced?
    • Process: Does the incident response plan need updating based on lessons from this event? Was evidence collection swift and effective?
    • Training: Should user awareness training be updated to focus on the specific lures and techniques used in this attack?

For more background on this threat, refer to the Formbook Overview.

Related

← Formbook Overview Removal Guide How to Detect Protection Guide IOCs Samples All Families