A form-grabber spyware that grabs anything from browser form data, with no dependencies.
It works with the latest versions of Firefox, Chrome, Internet Explorer and Opera.
Copy the file / execute the copy:
Drop a DLL from the resource section:
Looking for the browser process:
(Congratulations, your browser is owned)
An interesting part of the strings found inside the DLL:
An attempt to sign in to the VirusTotal.com service:
(Here, the injected DLL checks whether it's a POST request)
Malware call-home procedure:
Before calling the gate, it checks whether the host is already decrypted and, if not, decrypts it.
(The coder of MP-Formgrabber added a method to avoid leaks with hexed binaries, but it looks like he has never heard of code caves)
Retrieve the hardcoded strings from the resource section:
Encode the grabbed data and call the gate:
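The two behaviours shown above, a DLL dropped and injected into a browser process and the injected code POSTing the grabbed form data to a "gate.php" endpoint, are exactly what a defender can look for in host and proxy telemetry. The following is an added example, not code from the original post or from the malware itself: it runs a small correlation over constructed Sysmon-style events (remote-thread creation and image loads) and constructed proxy access lines. All field names, the sample events, the IP address and the user-writable path list are assumptions made for the example.

```python
"""Added example (not from the original post): flag hosts where a browser has a
DLL injected from a user-writable directory and then POSTs to a gate.php endpoint.
Event layout, sample values and path heuristics are assumptions for this demo."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Browser image names the write-up lists as targets (assumed file names).
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe"}

# A DLL written out of a resource section usually lands somewhere user-writable;
# a browser loading an image from here is suspicious (heuristic, assumption).
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\appdata\\local\\temp|c:\\windows\\temp)\\", re.I)

# The write-up's call-home endpoint name.
GATE_PATH = re.compile(r"/gate\.php$", re.I)

# Constructed sample telemetry. id 8 = CreateRemoteThread, id 7 = ImageLoad
# (Sysmon numbering); hosts, paths and the IP are made up for the example.
HOST_EVENTS = [
    {"id": 8, "host": "ws01",
     "source": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "target": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 7, "host": "ws01",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\grab.dll"},
    {"id": 7, "host": "ws02",
     "process": r"C:\Program Files\Google\Chrome\chrome.exe",
     "image": r"C:\Windows\System32\ws2_32.dll"},
]
PROXY_LINES = [  # constructed: "<host> <method> <url> <status> <bytes>"
    "ws01 POST http://203.0.113.10/panel/gate.php 200 1532",
    "ws02 GET http://www.virustotal.com/ 200 4096",
    "ws03 POST http://example.test/login 302 120",
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def host_findings(events):
    """Map host -> reasons derived from process-injection style telemetry."""
    out = defaultdict(list)
    for e in events:
        if e["id"] == 8 and basename(e["target"]) in BROWSERS:
            out[e["host"]].append(
                f"remote thread into {basename(e['target'])} from {e['source']}")
        elif (e["id"] == 7 and basename(e["process"]) in BROWSERS
              and USER_WRITABLE.match(e["image"])):
            out[e["host"]].append(
                f"{basename(e['process'])} loaded DLL from user-writable path {e['image']}")
    return out


def proxy_findings(lines):
    """Map host -> reasons for POSTs to a gate.php-style endpoint."""
    out = defaultdict(list)
    for line in lines:
        host, method, url, _status, size = line.split()
        if method == "POST" and GATE_PATH.search(urlsplit(url).path):
            out[host].append(f"POST to gate endpoint {url} ({size} bytes)")
    return out


def correlate(host_events, proxy_lines):
    """Combine both sources; a host seen in both is rated high, in one medium."""
    h, p = host_findings(host_events), proxy_findings(proxy_lines)
    results = {}
    for host in set(h) | set(p):
        results[host] = {
            "severity": "high" if host in h and host in p else "medium",
            "reasons": h.get(host, []) + p.get(host, []),
        }
    return results


if __name__ == "__main__":
    for host, r in sorted(correlate(HOST_EVENTS, PROXY_LINES).items()):
        print(host, r["severity"])
        for reason in r["reasons"]:
            print("  -", reason)
```

On the constructed data only ws01 is reported, rated high, with three reasons: the remote thread into firefox.exe, the DLL loaded from the user's Temp directory, and the POST to /panel/gate.php. The system DLL load on ws02 and the ordinary login POST on ws03 produce nothing, which is the point of requiring the user-writable path and the gate-style endpoint rather than alerting on every image load or POST.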
"gate.php" server side:
The malware panel, login:
Rule settings to parse the logs:
Grabbed info, parsed:
This form-grabber was fun to reverse; anyway, don't take this as a game: malware can always ruin your life in two clicks.