MP-FormGrabber

A form-grabber spyware that grabs anything submitted through browser forms, with no dependencies.
It works with the latest versions of Firefox, Chrome, Internet Explorer and Opera.

Advert:

Copy the file / execute the copy:

Registry persistence:

Drop a DLL from the resource:
Looking for a browser process:

Inject:

Firefox injected:
(Congratulations, your browser is owned)
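The install chain shown in the screenshots above (copy itself, Run-key persistence, drop a DLL, find a browser, inject) is what a sandbox or EDR rule should key on. The following is an added example for this page, not the malware's code and not a real telemetry schema: it runs a small detector over constructed event records (the paths, PIDs and field names are assumptions) and reports when one dropped copy both persists via a Run key and creates a thread in a browser process.

```python
"""Flag the install-and-inject chain over constructed event records.
Added example for this page, not the malware's code: the event layout and
every path below are assumptions, not a real telemetry schema."""

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed events, in the order a sandbox would record them.
EVENTS = [
    {"type": "process_create", "pid": 100, "parent": 1,
     "image": r"C:\Users\u\Desktop\sample.exe"},
    {"type": "file_write", "pid": 100,
     "target": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "process_create", "pid": 200, "parent": 100,
     "image": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "registry_set", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "value": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "file_write", "pid": 200,
     "target": r"C:\Users\u\AppData\Roaming\hook.dll"},
    {"type": "process_create", "pid": 300, "parent": 1,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "remote_thread", "pid": 200, "target_pid": 300},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (finding, actor_pid) tuples, one per suspicious event."""
    images = {}    # pid -> image path
    written = {}   # lowercased path -> pid that wrote it
    findings = []
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            images[ev["pid"]] = ev["image"]
            # the copy step: a process launches a file it wrote itself
            if written.get(ev["image"].lower()) == ev["parent"]:
                findings.append(("dropped_copy_executed", ev["parent"]))
        elif t == "file_write":
            written[ev["target"].lower()] = ev["pid"]
        elif t == "registry_set":
            key = ev["key"].lower()
            own = images.get(ev["pid"], "").lower()
            # persistence step: a Run key pointing at the writer's own image
            if any(r in key for r in RUN_KEYS) and ev["value"].lower() == own:
                findings.append(("run_key_persistence", ev["pid"]))
        elif t == "remote_thread":
            # injection step: a thread created inside a browser process
            if basename(images.get(ev["target_pid"], "")) in BROWSERS:
                findings.append(("browser_injection", ev["pid"]))
    return findings


def is_formgrabber_chain(findings):
    """True when one dropped copy both persists and injects into a browser."""
    by_kind = {}
    for kind, pid in findings:
        by_kind.setdefault(kind, set()).add(pid)
    injectors = by_kind.get("browser_injection", set())
    persisters = by_kind.get("run_key_persistence", set())
    return bool(injectors & persisters) and "dropped_copy_executed" in by_kind


if __name__ == "__main__":
    found = analyze(EVENTS)
    for kind, pid in found:
        print(kind, pid)
    print("form-grabber chain:", is_formgrabber_chain(found))
```

Each stage on its own is noisy (installers write Run keys, debuggers create remote threads); the chain check only fires when the same dropped copy is the actor for both the persistence and the injection, which is the behaviour the screenshots document.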

 

 

Some interesting strings found inside the DLL:

Attempting to sign in on the VirusTotal.com service:
(Here the injected DLL checks whether the request is a POST)
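The POST check above is the heart of any form grabber: whatever send routine is hooked, the DLL sees the raw HTTP request before encryption, drops everything that is not a POST with a form body, and keeps the fields. As an added example (not the DLL's code), this Python reproduces that filtering over a constructed request buffer; the keyword list used to pick out credential-looking fields is an assumption, standing in for the panel's parsing rules.

```python
"""Filter a raw HTTP request buffer the way a form grabber does: keep only
POSTed URL-encoded form fields. Added example, not the DLL's own code; the
captured request and the SENSITIVE keyword list are constructed assumptions."""
from urllib.parse import parse_qsl

# Hypothetical field-name keywords standing in for the panel's parsing rules.
SENSITIVE = ("pass", "pwd", "login", "user", "email", "card")


def grab_form(buf: bytes):
    """Return (host, path, fields) for a POST with a form body, else None."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return None                      # headers not complete yet
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":
        return None                      # GET/HEAD etc. carry no form body
    path = parts[1].decode("latin-1")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return None                      # multipart/JSON bodies need other parsers
    length = int(headers.get(b"content-length", len(body)))
    body = body[:length]                 # ignore anything after the declared body
    fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    host = headers.get(b"host", b"").decode("latin-1")
    return host, path, fields


def interesting(fields):
    """Keep only fields whose names look like credentials."""
    return {k: v for k, v in fields.items()
            if any(s in k.lower() for s in SENSITIVE)}


# Constructed request, not a real capture.
CAPTURED_POST = (b"POST /login HTTP/1.1\r\n"
                 b"Host: example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 37\r\n"
                 b"\r\n"
                 b"username=alice&password=s3cret%21&x=1")

CAPTURED_GET = (b"GET /login HTTP/1.1\r\n"
                b"Host: example.com\r\n"
                b"\r\n")


if __name__ == "__main__":
    for buf in (CAPTURED_POST, CAPTURED_GET):
        hit = grab_form(buf)
        if hit is None:
            print("dropped:", buf.split(b"\r\n", 1)[0].decode())
        else:
            host, path, fields = hit
            print(host, path, interesting(fields))
```

Because the hook sits inside the browser, the data is taken before TLS is applied, so HTTPS does not protect the form; that is why the VirusTotal login in the screenshot is captured in clear text.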

 

Malware call-home procedure:

Before calling the gate it checks whether the host is already decrypted; if not, it decrypts it.
(The coder of MP-FormGrabber added this to keep the host from leaking through hex dumps of the binary, but it looks like he has never heard of code caves)

Retrieving the hardcoded string from the resource:

Host decrypted:

Encode the grabbed data and call the gate:

"gate.php" server side:

The malware panel, login:

Logs:

Rules settings to parse logs:

Grabbed info parsed:

This form-grabber was fun to reverse. Anyway, don't take this as a game: malware can always ruin your life in two clicks.
