A form-grabber spyware grabs anything from browser form data, with no dependencies.
It works with the latest versions of Firefox, Chrome, Internet Explorer and Opera.


Copy the file/Execute the copy:

Registry persistence:

Drop a DLL from a resource:



Looking for a browser process:


Firefox injected:
(Congratulations, your browser is owned)



An interesting portion of the strings found inside the DLL:

Attempting to sign in to the service:
(Here, the injected DLL checks whether it's a POST request)


Malware call-home procedure:

Before calling the gate, it verifies whether the host is already decrypted; if not, it decrypts the host.
(The coder of MP-Formgrabber added a method to avoid leaks with hexed bins, but it looks like he has never heard of code caves)

Retrieving hardcoded strings from the resource:

Host deciphered:

Encode the grabbed data and call the gate:

“gate.php” server side

The malware panel, login:


Rule settings to parse logs:

Grabbed info parsed:

This form-grabber was fun to reverse. Anyway, don't take this as a game: malware can always ruin your life in two clicks.
