{
	"id": "db090050-c252-41b6-b51a-331355aba624",
	"created_at": "2026-04-06T00:07:48.401933Z",
	"updated_at": "2026-04-10T03:22:04.004315Z",
	"deleted_at": null,
	"sha1_hash": "7ca8796ecb4feab979db681dd465ccea173cfdc1",
	"title": "malware-analysis-writeups/FormBook/FormBook.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 821115,
	"plain_text": "malware-analysis-writeups/FormBook/FormBook.md at main · itaymigdal/malware-analysis-writeups\nBy itaymigdal\nArchived: 2026-04-05 20:11:16 UTC\nUnpacking FormBook\nMalware Name: FormBook\nFile: x32\nType: exe\nSHA256: 9B11FA3CFA0ACDD01BE3595FBA22F7B38C333E7EC8DA88228C971735913BB6F7\nAnalysis process\nThe initial file is a 32-bit Nullsoft installer (NSIS). Right-clicking and unzipping it successfully extracts the installer files.\nI have read in blog posts that NSIS installers usually also contain an installer script; it was missing in this case. Since the other two files apart from the DLL have an unknown format and extension, I started by analyzing the DLL.\nThis is a quite simple 32-bit DLL that contains two exports. The first one was empty, so I decompiled the second one and performed some renaming and cleaning:\nThis function locates one of the other extracted files, hicclc.io (which should have been dropped to %TEMP% by the NSIS installer by now), allocates some memory, copies the file content into it, and runs a simple XOR loop with a hardcoded key to decode the next stage. Then it simply calls the decoded buffer, which means that this is shellcode.\nI wrote a little Python script to decode this stage:\n# Decode the XOR-encoded stage hicclc.io using the hardcoded key from the DLL export\ni = 0\nkey = \"584058684148\"  # 12-byte (0xc) key, applied cyclically\ndecoded = b\"\"\nwith open(\"hicclc.io\", \"rb\") as f:\n    encoded = f.read()\n# XOR the first 0x15e6 bytes, one at a time, with the key byte at position i mod 0xc\nwhile i < 0x15e6:\n    decoded_byte = encoded[i] ^ ord(key[i % 0xc])\n    decoded += bytes([decoded_byte])\n    i += 1\n\n# Write the decoded shellcode to disk for debugging\nwith open(\"shellcode.bin\", \"wb\") as f:\n    f.write(decoded)\nHere I used BlobRunner to debug the shellcode:\nThe shellcode's mission is to load the third extracted file, which is the third unpacking stage:\nFollowing this flow carefully in the debugger:\nCapturing the address returned by VirtualAlloc to keep track of the decoded stage:\nThen we can see ReadFile filling this memory with the file content:\nVoilà!\nThe following graph snippet contains a loop in the left block that decodes this stage. I placed a breakpoint on the completion of the loop, in the right block, and let it run:\nAnd now we love what we see!\nLet's dump this PE to disk:\nContinuing to debug the shellcode, we observe that it spawns another instance of itself:\nThen it maps a fresh copy of NTDLL to evade EDR hooks in the original NTDLL:\nThen it performs process hollowing, replacing the child process image with the PE we dumped before. Some incriminating process hollowing calls are:\nObserving the final PE payload reveals that it's highly obfuscated and difficult to analyze. It's written in pure assembly using MASM:\nIt contains only a .text section, and Cutter really struggled to create the navigation bar above due to the obfuscation and non-conventional code:\nThe final payload is really tough and contains lots of anti-VM and anti-debugging tricks, which I won't cover today (or any other time 😜)\nUsing FLOSS, I managed to extract low-hanging fruit such as interesting stack strings without delving too deep:\nFLOSS extracted 180 stackstrings\nThe final payload is waiting for reversers better than me :)\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md"
	],
	"report_names": [
		"FormBook.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ca8796ecb4feab979db681dd465ccea173cfdc1.pdf",
		"text": "https://archive.orkl.eu/7ca8796ecb4feab979db681dd465ccea173cfdc1.txt",
		"img": "https://archive.orkl.eu/7ca8796ecb4feab979db681dd465ccea173cfdc1.jpg"
	}
}