Formbook - Removal Guide

Last updated: 2026-04-01

Formbook Malware Removal Guide

Signs of Infection

Formbook infection typically manifests through several observable indicators. On the file system, look for executable files with random alphanumeric names (e.g., f7s83n2.exe, jhg12.exe) in user profile directories (%APPDATA%, %LOCALAPPDATA%, %TEMP%). Recent variants may also drop files in C:\ProgramData or C:\Windows\Tasks. Check for suspicious DLLs in C:\Windows\System32 or C:\Windows\SysWOW64 with names mimicking legitimate system files but with slight misspellings or extra characters.

Process behavior includes unexpected child processes spawned from legitimate applications like web browsers, email clients, or Office programs. In process monitoring tools, look for processes with high entropy (random-looking names), memory injection into trusted processes (e.g., explorer.exe, svchost.exe), and attempts to disable security software via command-line arguments.

Network indicators include outbound connections to suspicious IP addresses or domains (often dynamic DNS providers) over HTTPS or custom ports (commonly 443, 8080, 8443). Traffic patterns may involve periodic beaconing (every few minutes to hours) with small data exfiltration packets. Formbook frequently uses compromised websites for command-and-control (C2), so connections to newly registered domains or domains with high reputation risk scores are red flags. Check for unusual DNS queries for domains containing random strings or common words with numbers.

Registry persistence is achieved through Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run), scheduled tasks (via schtasks), or services. Look for entries with random names pointing to the dropped executables.

Immediate Containment Steps

Within the first 15 minutes of detection, take these steps to limit damage:

  1. Network Isolation: Immediately disconnect the infected host from the network by disabling wired and wireless adapters via administrative tools or physically unplugging the cable. If network-level blocking is available, quarantine the host’s IP at the firewall to prevent C2 communication and lateral movement.

  2. Process Termination: Use a trusted process management tool to terminate suspicious processes identified earlier. Focus on processes with random names, high memory usage in benign applications, or those injecting code. Avoid terminating critical system processes; if unsure, note the PID for later analysis.

  3. Credential Rotation Priorities: Formbook steals credentials from browsers, email clients, and FTP software. First, reset passwords for domain administrator accounts, email accounts (especially those used for password resets), and critical business applications (e.g., CRM, banking). Enable multi-factor authentication (MFA) where possible. Rotate any API keys or tokens stored on the host.

  4. Preserve Evidence: Before removal, capture memory dumps of suspicious processes and take forensic images of key files (e.g., dropped executables, registry hives) for later analysis. Do not delete files yet.

Manual Removal Process

Follow this step-by-step process to remove Formbook manually. Use a trusted security tool or offline system if possible to avoid interference.

  1. Terminate Malicious Processes:

    • Open a command prompt as administrator.
    • Run tasklist | findstr /i "randomstring" to locate Formbook-related processes (replace “randomstring” with observed patterns).
    • Terminate each malicious process with taskkill /PID <PID> /F.
  2. Delete Persistence Mechanisms:

    • Remove Run keys:
      • Open Registry Editor (regedit).
      • Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
      • Delete any entries pointing to suspicious paths (e.g., %APPDATA%\random.exe).
    • Clean scheduled tasks:
      • Open Task Scheduler.
      • Look for tasks with random names or triggers set to run at user logon or system startup. Delete them.
      • Alternatively, use schtasks /delete /TN "TaskName" /F in command line.
    • Remove malicious services (if present):
      • Run sc query to list services, then sc stop <service name> and sc delete <service name> for any suspicious services.
  3. Remove Dropped Files:

    • Navigate to these directories and delete Formbook-related files:
      • %APPDATA%, %LOCALAPPDATA%, %TEMP%
      • C:\ProgramData, C:\Windows\Tasks
      • Check C:\Windows\System32 and C:\Windows\SysWOW64 for suspicious DLLs.
    • Use del /F /Q <file path> in command line for stubborn files.
  4. Clean Registry Entries:

    • Search for and delete other malicious entries:
      • Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon for shell or userinit modifications.
      • Look in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run for hidden startup items.
    • Always back up the registry before making changes.
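The following PowerShell script is an added example and not part of this guide. It enumerates, read-only, the persistence locations the steps above name (the two Run keys, the Winlogon Shell and Userinit values, scheduled task actions and service image paths) and flags entries that point into the drop directories listed under Signs of Infection. It prints a review queue; deleting entries stays the manual step described above, after evidence has been preserved. The function names are hypothetical, the stock Winlogon values it compares against (explorer.exe and userinit.exe with a trailing comma) are assumed defaults, and the same script is what to rerun for the persistence check during verification.

```powershell
# Added example, not part of this guide: read-only triage of the autostart
# locations the removal steps tell you to inspect. It lists candidates; deleting
# them stays a manual step (regedit / schtasks / sc) after evidence is preserved.
# Run from an elevated PowerShell on the isolated host. HKCU: is the hive of the
# account running the script, so run it as the affected user (or load that hive).

# Wildcard patterns for the drop directories this guide names.
# $env:SystemDrive is normally C:, $env:SystemRoot is normally C:\Windows.
$DropPatterns = @(
    "$env:SystemDrive\Users\*\AppData\*",   # %APPDATA%, %LOCALAPPDATA%, %TEMP%
    "$env:SystemDrive\ProgramData\*",
    "$env:SystemRoot\Tasks\*",
    "$env:SystemRoot\Temp\*"
)

function Test-DropReference {
    # True when a command line, image path or argument string points into a drop directory.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)   # resolves %APPDATA% etc.
    foreach ($pattern in $DropPatterns) {
        if ($expanded -like "*$pattern") { return $true }         # -like is case-insensitive
    }
    return $false
}

function Get-AutostartCandidates {
    # Emits one object per suspicious entry found in Run keys, Winlogon, scheduled tasks and services.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }   # provider metadata, not Run values
            if (Test-DropReference ([string]$prop.Value)) {
                [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Command = $prop.Value }
            }
        }
    }

    # Winlogon: anything but the stock Shell / Userinit values deserves a look.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.Shell -ne 'explorer.exe') {
        [pscustomobject]@{ Source = 'Winlogon'; Name = 'Shell'; Command = $winlogon.Shell }
    }
    if ($winlogon.Userinit -ne "$env:SystemRoot\system32\userinit.exe,") {   # trailing comma is stock
        [pscustomobject]@{ Source = 'Winlogon'; Name = 'Userinit'; Command = $winlogon.Userinit }
    }

    # Scheduled tasks: check the program and the arguments of every action.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (Test-DropReference $cmd) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }

    # Services: the registry ImagePath is exposed as PathName by Win32_Service.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (Test-DropReference $svc.PathName) {
            [pscustomobject]@{ Source = 'Service'; Name = "$($svc.Name) ($($svc.State))"; Command = $svc.PathName }
        }
    }
}

Get-AutostartCandidates | Format-Table -AutoSize -Wrap
```

The path heuristic is deliberately the only filter: random-looking names are easy to eyeball in the output, but a legitimate program never needs to autostart from %TEMP% or C:\Windows\Tasks, so a path hit is the signal worth acting on first. Record the PID, value name or task path from the output before removing anything, as the evidence step above requires.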

Verifying Removal

After removal, confirm Formbook is fully eradicated:

  1. System Scans: Run a full system scan with an updated endpoint detection and response (EDR) solution. Use a dedicated anti-malware tool with signatures for Formbook. Perform memory scans to check for residual code injection.

  2. Log Analysis: Review Windows Event Logs (Security, System, Application) for recent anomalies: look for event IDs related to process creation (4688), service installation (7045), or scheduled task registration (4698). Check PowerShell logs (if enabled) for encoded command execution.

  3. Network Traffic Monitoring: Reconnect the host to a monitored network segment. Use a network detection tool to watch for outbound connections to known Formbook C2 IPs/domains (refer to IOCs). Monitor for beaconing patterns or data exfiltration over HTTPS.

  4. Persistence Checks: Re-inspect registry Run keys, scheduled tasks, and services to ensure no remnants remain. Use autoruns analysis tools to verify all startup points are clean.
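The following PowerShell script is an added example and not part of this guide. It pulls the three event IDs named in the log-analysis step (4688, 4698 and 7045) for a chosen window and flags the patterns an analyst would review first: process images, task actions or service binaries under the drop directories listed above, an Office application spawning a shell, and an encoded PowerShell command line. The function names, the Office and shell process lists and the regular expressions are this example's own choices; the event data field names are those of the standard Windows events.

```powershell
# Added example, not part of this guide: pull the three event IDs named above
# (4688 process creation, 4698 scheduled task registration, 7045 service
# installation) for the last N hours and flag what an analyst looks at first.
# Run elevated. 4688 events exist only if process-creation auditing is enabled,
# and the CommandLine field only if command-line logging is enabled as well.

# The drop directories this guide names, as one case-insensitive regex.
# Legitimate software also lives under ProgramData, so treat hits as a review queue.
$DropRegex = '(?i)\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Tasks|Windows\\Temp)\\'
$OfficeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$Shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
# Abbreviations PowerShell accepts for -EncodedCommand, followed by a base64 blob.
$EncodedRegex = '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $table = @{}
    foreach ($node in $xml.Event.EventData.Data) { $table[$node.Name] = $node.'#text' }
    return $table
}

function Get-SuspiciousEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 4688 and 4698 are in the Security log, 7045 in the System log.
    $filters = @(
        @{ LogName = 'Security'; Id = 4688, 4698; StartTime = $since },
        @{ LogName = 'System';   Id = 7045;       StartTime = $since }
    )
    foreach ($filter in $filters) {
        # Get-WinEvent errors out when nothing matches; treat that as an empty result.
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $d = ConvertFrom-EventData $e
            $reasons = @()
            $subject = ''
            switch ($e.Id) {
                4688 {
                    $image  = [string]$d['NewProcessName']
                    $parent = [string]$d['ParentProcessName']   # empty on older Windows versions
                    $subject = "$parent -> $image"
                    if ($image -match $DropRegex) { $reasons += 'process image in a drop directory' }
                    if (($OfficeParents -contains [IO.Path]::GetFileName($parent)) -and
                        ($Shells -contains [IO.Path]::GetFileName($image))) {
                        $reasons += 'Office application spawning a shell'
                    }
                    if ([string]$d['CommandLine'] -match $EncodedRegex) { $reasons += 'encoded PowerShell command line' }
                }
                4698 {
                    $subject = [string]$d['TaskName']
                    # TaskContent is the task XML, including <Command> and <Arguments>.
                    if ([string]$d['TaskContent'] -match $DropRegex) { $reasons += 'task action in a drop directory' }
                }
                7045 {
                    $subject = "$($d['ServiceName']): $($d['ImagePath'])"
                    if ([string]$d['ImagePath'] -match $DropRegex) { $reasons += 'service binary in a drop directory' }
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Id      = $e.Id
                    Subject = $subject
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Widen the window to cover the time between the first sign of infection and the removal: an entry dated after the removal means a persistence mechanism survived, which is exactly what this verification step is meant to catch. The Office-to-shell check is the same parent-child relationship the hardening section asks you to alert on centrally; running it here first shows whether the host has such events before a SIEM rule goes live.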

Post-Removal Security Hardening

Prevent reinfection by addressing Formbook’s common attack vectors:

  1. Configuration Changes:

    • Enable application whitelisting via AppLocker or similar to block execution from %APPDATA%, %TEMP%, and other user-writable paths.
    • Disable Office macros from untrusted sources, as Formbook often spreads via malicious documents.
    • Configure email gateways to block attachments with double extensions (e.g., .pdf.exe) and archive files containing executables.
  2. Monitoring Rules:

    • Deploy SIEM rules to alert on process creation from unusual parent-child relationships (e.g., winword.exe spawning cmd.exe).
    • Set up network IDS rules to flag connections to dynamic DNS domains or IPs with low reputation scores.
    • Monitor registry changes to Run keys and scheduled task creation in real time.
  3. Policy Updates:

    • Implement least-privilege access: ensure users do not have administrative rights on endpoints.
    • Enforce mandatory MFA for all remote access and critical accounts.
    • Establish a patch management policy to keep software (especially browsers, Office suites, and Java) updated, as Formbook exploits known vulnerabilities.
    • Conduct regular security awareness training to educate users on phishing emails, a primary infection vector for Formbook.
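The following PowerShell script is an added example and not part of this guide. It implements the first configuration change above: an AppLocker executable-rule policy that keeps the three default Allow rules and adds Deny rules for the user-writable directories named in this guide (each user's AppData tree, which contains %APPDATA%, %LOCALAPPDATA% and %TEMP%, plus C:\Windows\Tasks and C:\Windows\Temp). The function names and the probe-file check are this example's own; the XML layout, the %OSDRIVE%/%WINDIR%/%PROGRAMFILES% path variables and the cmdlets are AppLocker's.

```powershell
# Added example, not part of this guide: build an AppLocker executable-rule
# policy that keeps the three default Allow rules and adds Deny rules for the
# user-writable directories named above. An explicit Deny overrides any Allow,
# so a Run-key payload under %APPDATA% is blocked even though the user may run
# programs elsewhere (administrators are in Everyone, so it applies to them too).
# Deploy AuditOnly first and review AppLocker event 8003 ("would have been
# blocked") before switching to enforcement. Needs an elevated prompt and a
# Windows edition that supports AppLocker.

function New-PathRule {
    # One <FilePathRule> element. S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0')
    return ('    <FilePathRule Id="{0}" Name="{1}" Description="Formbook hardening" UserOrGroupSid="{2}" Action="{3}">' +
            '<Conditions><FilePathCondition Path="{4}" /></Conditions></FilePathRule>') -f
            [guid]::NewGuid(), $Name, $Sid, $Action, $Path
}

function New-DropDirectoryDenyPolicy {
    param(
        [string]$OutputPath = (Join-Path $env:TEMP 'applocker-deny-dropdirs.xml'),
        [switch]$Enforce    # default is AuditOnly
    )
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
    # AppLocker path variables: %OSDRIVE% (C:), %WINDIR% (C:\Windows), %PROGRAMFILES%.
    # %APPDATA%, %LOCALAPPDATA% and %TEMP% all sit under each user's AppData tree.
    # Windows\Tasks and Windows\Temp are user-writable yet covered by the Windows Allow rule.
    $rules = @(
        (New-PathRule -Name 'Allow Program Files'      -Path '%PROGRAMFILES%\*'            -Action Allow),
        (New-PathRule -Name 'Allow Windows'            -Path '%WINDIR%\*'                  -Action Allow),
        (New-PathRule -Name 'Allow Administrators all' -Path '*'                           -Action Allow -Sid 'S-1-5-32-544'),
        (New-PathRule -Name 'Deny user AppData'        -Path '%OSDRIVE%\Users\*\AppData\*' -Action Deny),
        (New-PathRule -Name 'Deny Windows Tasks'       -Path '%WINDIR%\Tasks\*'            -Action Deny),
        (New-PathRule -Name 'Deny Windows Temp'        -Path '%WINDIR%\Temp\*'             -Action Deny)
    )
    $policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutputPath -Value $policy -Encoding UTF8
    return $OutputPath
}

$xmlPath = New-DropDirectoryDenyPolicy        # AuditOnly policy file

# Check the decision against a harmless binary copied into %APPDATA% (constructed probe file).
$probe = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item (Join-Path $env:SystemRoot 'System32\notepad.exe') $probe
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge   # merge into the local policy; audit mode until -Enforce is used
```

The probe check should report a Denied decision with the AppData rule as the matching rule; if it reports Allowed, the policy file was not built as intended and must not be applied. Merging keeps any rules already present, so run this on one pilot host, compare the 8003 audit events against the software the host legitimately runs from its profile (some installers and updaters do), and only then switch to -Enforce or roll the policy out through Group Policy.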

For ongoing protection, integrate the indicators from the Current Formbook IOCs into your security tools. Track the Detection Rate for updates on evasion techniques. Learn more about this threat in the Formbook Overview.