Trojan:Win32/FormBook.RR!MTB removal guide

Trojan:Win32/FormBook.RR!MTB is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Trojan:Win32/FormBook.RR!MTB virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump, dropped files, or CAPE
  • Guard page use detected (possible anti-debugging)
  • Attempts to connect to a dead IP:Port (255 unique times)
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid

How to identify Trojan:Win32/FormBook.RR!MTB?

File Info:

  • name: FD5335CB2048105926A3.mlw
  • path: /opt/CAPEv2/storage/binaries/ad49b2d15d6f583f1b166ce4082e71f0cb005ca2644670938ab947c3e7d08248
  • crc32: C95BAC32
  • md5: fd5335cb2048105926a37ef5b18507ac
  • sha1: b84872e64e1a0b056cb3e8be620560adf4d4f785
  • sha256: ad49b2d15d6f583f1b166ce4082e71f0cb005ca2644670938ab947c3e7d08248
  • sha512: f3c74dde40f04a985f0f9234e1f2a3bd25e551c97cfeff3e03277fe722a0be361a3ff8f0dd16b0607b4df468b8c893edea3c9dfd5c93d67661ce729741ba83f1
  • ssdeep: 6144:N1N/Dax/aVcaP4KeX7N2wD4QTqI7AGER6ifSHzqVDAUBlWLbOeubt2gX:N1BDaxiVcaP4cy1Td7g6ifSHPubt2k
  • type: PE32 executable (GUI) Intel 80386, for MS Windows
  • tlsh: T12425D811B95012B9F889417709FF3788839868924FE991D7208F2DFEDC2BBD4E6B51C6
  • sha3_384: 4e3b386d585e5a73c585f37a2e9cfdf3500140fd7cd519e0d9ea87e9c1ab790f1f515115b0bfb57988cf6c64dbc0d3f0
  • ep_bytes: e9390d0800e92c820100e987cb0400e9
  • timestamp: 2022-06-05 15:04:38

Version Info:

  • 0: [No Data]

Trojan:Win32/FormBook.RR!MTB is also known as (vendor: detection name):

  • Bkav: W32.AIDetect.malware2
  • Lionic: Trojan.Win32.Agentb.4!c
  • Elastic: malicious (moderate confidence)
  • MicroWorld-eScan: Gen:Variant.Midie.109207
  • FireEye: Gen:Variant.Midie.109207
  • ALYac: Gen:Variant.Midie.109207
  • Cylance: Unsafe
  • Sangfor: Trojan.Win32.Agentb.gen
  • K7AntiVirus: Trojan ( 0058f1b01 )
  • Alibaba: Trojan:Win32/FormBook.0657fea6
  • K7GW: Trojan ( 0058f1b01 )
  • Cybereason: malicious.b20481
  • BitDefenderTheta: Gen:NN.ZexaF.34742.9KW@aywtmDgi
  • ESET-NOD32: a variant of Win32/Filecoder.OKE
  • APEX: Malicious
  • Paloalto: generic.ml
  • Kaspersky: HEUR:Trojan.Win32.Agentb.gen.56126999.Silent
  • BitDefender: Gen:Variant.Midie.109207
  • Ad-Aware: Gen:Variant.Midie.109207
  • TrendMicro: Ransom.Win32.CONTI.SMYXCCUA
  • McAfee-GW-Edition: BehavesLike.Win32.Generic.dm
  • Microsoft: Trojan:Win32/FormBook.RR!MTB
  • GData: Gen:Variant.Midie.109207
  • Cynet: Malicious (score: 100)
  • McAfee: Artemis!FD5335CB2048
  • MAX: malware (ai score=85)
  • VBA32: BScope.TrojanRansom.Cryptor
  • Malwarebytes: Malware.AI.1740871635
  • Tencent: Win32.Trojan.Filecoder.Efap
  • MaxSecure: Trojan.Malware.300983.susgen
  • Fortinet: W32/Filecoder.OKE!tr.ransom
  • Panda: Trj/GdSda.A
  • CrowdStrike: win/malicious_confidence_60% (W)

How to remove Trojan:Win32/FormBook.RR!MTB?

Trojan:Win32/FormBook.RR!MTB removal tool:

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.