A form-grabber malware whose author claims it can grab anything, with no dependencies.
It works with the latest versions of Firefox, Chrome, Internet Explorer and Opera.
Copying the file / executing the copy:
Dropping a DLL from the resources:
Looking for the browser process:
(Congratulations, your browser is owned)
An interesting part of the strings found inside the DLL:
Attempting to sign in to the VirusTotal.com service:
(Here, the injected DLL checks whether it's a POST request)
Malware call-home procedure:
Before calling the gate it checks whether the host is already decrypted; if not, it decrypts the host.
(The coder of MP-Formgrabber has added a method to avoid leaks with hexed binaries, but it looks like he has never heard of code caves)
Retrieving hardcoded strings from the resources:
Encoding the grabbed data and calling the gate:
"gate.php" server side:
The malware panel, login:
Rules settings to parse logs:
Grabbed info, parsed:
This form-grabber was fun to reverse; anyway, don't take this as a game, malware can always ruin your life in two clicks.
If you are looking for an exe of MP-FormGrabber and additional access to my panel for research purposes, feel free to contact me.