{
	"id": "4ab02336-a142-492a-98b6-044819a28758",
	"created_at": "2026-04-06T00:06:45.127804Z",
	"updated_at": "2026-04-10T03:21:09.608118Z",
	"deleted_at": null,
	"sha1_hash": "35073ae5c46d0b7a3c2b76edb3e52da0a9929f89",
	"title": "Interesting FormBook Crypter - unconventional way to store encrypted data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 967741,
	"plain_text": "Interesting FormBook Crypter - unconventional way to store encrypted data\r\nPublished: 2020-11-05 · Archived: 2026-04-02 11:20:56 UTC\r\nThis FORMBOOK CRYPTER loader contains a lot of interesting features to bypass sandboxes, obfuscate its code and more. It also shows a unique way to store and parse the encrypted data it executes. So let's start :).\r\nFORMBOOK CRYPTER LOADER (ANTI-VM):\r\nAfter decrypting some shellcode in memory it uses several techniques to check whether its code is running in a virtual machine. The screenshot below shows the 3 techniques it uses.\r\nANTI-VM I: it uses cpuid with EAX=0x40000000 as input to determine the hypervisor brand name, to check if it is running in a virtualized environment.\r\nANTI-VM II: it uses cpuid with EAX=1 as input and checks whether the 31st bit of the return value in ECX is set. If it is set then it is in a VM.\r\nANTI-VM III: it checks for the existence of some known driver components of virtual machines. In this example it checks for the existence of the vmmouse driver on the machine.\r\nhttps://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html\r\nPage 1 of 11\r\nfigure 1: Different ANTI-VM technique checks\r\nFORMBOOK CRYPTER LOADER (ANTI-SANDBOX):\r\nIt also has some features to check if its code is running in a sandbox, using the 2 techniques shown below.\r\nANTI-SANDBOX 1: it checks the file path of its running code using the GetModuleFileName API; if the path contains \"sample\", \"sandox\" or \"malware\" it exits the process.\r\nANTI-SANDBOX 2: it checks for the existence of sbiedll.dll, which is a component of a known sandbox.\r\nfigure 2: Anti-Sandbox technique\r\nFORMBOOK CRYPTER LOADER (PROCESS CHECK):\r\nIt also enumerates all the processes running on the machine and checks for the existence of known debugging tool processes; if one exists, it exits the process. For AV-related processes and services, it keeps a counter of how many AV products it sees on the machine, with a maximum of 2 (it seems to check for a testing machine that contains several AV products).\r\nBelow is the list of the processes it checks, related to malware analysis tools and AV products:\r\nfigure 3: Process checking to evade malware lab environment\r\nDECRYPTING THE FORMBOOK IN RSRC:\r\nThe next thing it does is decrypt the encrypted Formbook malware in its resource section. This is done by looking at 2 entries in the rsrc section. The first entry has rsrc ID \"14d\" with rsrc type 17 \"RT_DLGINCLUDE\" and contains the 16-byte rc4 key that decrypts the rc4 key used to decrypt the FORMBOOK.\r\nfigure 4: decrypting the rc4 key for FORMBOOK\r\nOnce the rc4 key has been parsed, it decrypts the encrypted formbook malware: it loads another resource entry with rsrc id \"3e8\" type \"2\", then removes 3 dummy bytes from the data blob before decrypting it using the rc4 algorithm.\r\nfigure 5: decrypting FORMBOOK\r\nFORMBOOK MZ HEADER:\r\nfigure 6: MZ header shellcode\r\nINTERESTING STORING AND PARSING ENCRYPTED DATA:\r\nThe Formbook obfuscates its code. One interesting feature is how it stores and parses the bytes it needs to decrypt or to hash in order to perform its task. Malware commonly uses the \"stack string technique\" to initialize its strings or data on the stack or in an allocated memory space, like in the screenshots we saw under the anti-vm and anti-sandbox headings of this post.\r\nBut this variant uses another technique: it saves the bytes it needs in a code-like structure, then parses each instruction and checks its opcode against its requirements; if the opcode passes, it takes the operand, or the opcode itself, as part of the bytes it needs to decrypt or to hash.\r\nrequirement:\r\n  I. if opcode is 0x40-0x5f just grab the opcode itself.\r\n II. if opcode is 0x70-0x7f, which are mostly conditional jump mnemonics, then skip that instruction.\r\nIII. if (opcode - 0x40 \u003e 0x1f) and (opcode - 0x70 \u003e 0x0f) then it checks what opcode it is (opcode range from 0x00 to 0xFF) to know what other opcode, or how big an operand, it will parse.\r\nfigure 7.A: initial opcode it tries to grab and opcode it skips\r\nfigure 7.B: FormBook opcode condition for parsing its data\r\nfigure 8: the parsed stored data that is either decrypted or hashed.\r\nAlso, not all the stored data it parses from its code will be decrypted; some of that stored data is designed to compute a sha1 hash that serves as the decryption key (rc4 algorithm) to decrypt another blob of code.\r\n _BYTE *__cdecl Func_DecryptBytesGrabbed(int DestBuff)\r\n{\r\n int VA_41C3A6; // eax\r\n int VA_41C50B; // eax\r\n int VA_41BEF1; // eax\r\n char dest_buff; // [esp+Ch] [ebp-140h] BYREF\r\n char v6[215]; // [esp+Dh] [ebp-13Fh] BYREF\r\n _DWORD sha1_ctx[26]; // [esp+E4h] [ebp-68h] BYREF\r\n dest_buff = 0;\r\n Func_MemSet(v6, 0, 0xD4u);\r\n VA_41C3A6 = sub_41C3A1();\r\n Func_GrabEncryptedData(\u0026dest_buff, VA_41C3A6 + 2, 0xD3u);\r\n VA_41C50B = sub_41C506();\r\n Func_GrabEncryptedData(DestBuff + 0x444, VA_41C50B + 2, 0x2F0u);\r\n VA_41BEF1 = sub_41BEEC();\r\n Func_GrabEncryptedData(DestBuff + 0x7B8, VA_41BEF1 + 2, 0x14u);\r\n Func_SHA1_Init(sha1_ctx);\r\n Func_Sha1_Update(sha1_ctx, \u0026dest_buff, 0xD3);\r\n Func_Sha1_Final(sha1_ctx);\r\n Func_GrabNeededOpcode(DestBuff + 0x7A4, sha1_ctx, 20);\r\n Func_DecryptWithRc4((DestBuff + 0x444), 0x2F0u, DestBuff + 0x7A4);\r\n Func_SHA1_Init(sha1_ctx);\r\n Func_Sha1_Update(sha1_ctx, (DestBuff + 0x7B8), 0x14);\r\n Func_Sha1_Final(sha1_ctx);\r\n Func_DecryptWithRc4((DestBuff + 0x444), 0x2F0u, sha1_ctx);\r\n Func_SHA1_Init(sha1_ctx);\r\n Func_Sha1_Update(sha1_ctx, (DestBuff + 0x444), 752);\r\n Func_Sha1_Final(sha1_ctx);\r\n return Func_DecryptWithRc4((DestBuff + 0x7B8), 0x14u, sha1_ctx);\r\n}\r\nSAMPLES:\r\nfilename: Formbook_loader.bin\r\nmd5: 65880d23eb6051a1604707371ebb6d2c\r\nsha1: 3f5d0833adbd39715f1d45f1a3c8982c52519bc1\r\nsha256: ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5\r\nfilename: formbook.bin\r\nmd5: df93eecd1799f9c9c674b8cdb2f1dad1\r\nsha1: e66c893f39c7553f59a5381d23a5c65e5c2e84f7\r\nsha256: 5d7eba73b4d29ee17529511bb8b0745e658bf2adfcae57bdfa8d0870f4732a18\r\nYARA RULES:\r\nimport \"pe\"\r\nrule formbook_loader_crypter {\r\n meta:\r\n author = \"tcontre\"\r\n description = \"detecting formbook-loader-crypter malware\"\r\n date = \"2020-11-05\"\r\n sha256 = \"ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5\"\r\n strings:\r\n $mz = { 4d 5a }\r\n $dec = { 03 CE 8A 03 88 45 F9 8B C6 51 B9 03 00 00 00 33 D2 F7 F1 59 85 D2 75 14 8A 45 F9 32 45 FA 88 01\r\n $rc4_key = {12 2D 13 EF 23 E2 7F 4B 70 19 C7 F0 4B 68 75 50}\r\n condition:\r\n ($mz at 0) and ($dec ) or ($rc4_key)\r\n }\r\nrule formbook_crypter {\r\n meta:\r\n author = \"tcontre\"\r\n description = \"detecting formbook-crypter malware\"\r\n date = \"2020-11-05\"\r\n sha256 = \"5d7eba73b4d29ee17529511bb8b0745e658bf2adfcae57bdfa8d0870f4732a18\"\r\n strings:\r\n $mz = { 4d 5a }\r\n $shell = { 4D 5A 45 52 E8 00 00 00 00 58 83 E8 09 8B C8 83 C0 3C 8B 00 03 C1 83 C0 28 03 08 FF E1 90 00\r\n $opcode_check = {8B 4D FC 8A 04 39 03 CF 88 45 F4 8D 50 C0 80 FA 1F 77 18 6A 01 51 8D 04 1E 50 E\r\n condition:\r\n ($mz at 0) and ($shell at 0) or ($opcode_check)\r\n }\r\nSource: https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html"
	],
	"report_names": [
		"interesting-formbook-crypter.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434005,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35073ae5c46d0b7a3c2b76edb3e52da0a9929f89.pdf",
		"text": "https://archive.orkl.eu/35073ae5c46d0b7a3c2b76edb3e52da0a9929f89.txt",
		"img": "https://archive.orkl.eu/35073ae5c46d0b7a3c2b76edb3e52da0a9929f89.jpg"
	}
}