# Unpacking FormBook

Source: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md (itaymigdal/malware-analysis-writeups, branch main; archived 2026-04-05 20:11:16 UTC)

| Malware Name | File Type | SHA256 |
|---|---|---|
| FormBook | x32 exe | 9B11FA3CFA0ACDD01BE3595FBA22F7B38C333E7EC8DA88228C971735913BB6F7 |

## Analysis process

The initial file is a 32-bit Nullsoft installer (NSIS). Right-clicking and unzipping will successfully extract the installer files.

I have read in some blog posts before that NSIS installers usually also contain an installer script; that was missing in this case. Since the other two files apart from the DLL have an unknown format and extension, I started by analyzing the DLL.

This is a quite simple 32-bit DLL that contains 2 exports. The first one was empty, so I decompiled the second one and performed some renaming and cleaning:

This function locates one of the other extracted files, hicclc.io (which is supposed to have been dropped to %TEMP% by the NSIS installer by now), allocates some memory, copies the file content into it, and runs a simple XOR loop with a hardcoded key to decode the next stage. Then it simply calls it, which means that this is shellcode.
I wrote a little Python script to decode this stage:

```python
# Repeating-key XOR decode of hicclc.io, mirroring the loop in the DLL export.
i = 0
key = "584058684148"      # hardcoded 12-byte (0xc) key from the DLL
decoded = b""
with open("hicclc.io", "rb") as f:
    encoded = f.read()
while i < 0x15e6:         # size of the encoded shellcode as used by the DLL
    decoded_byte = encoded[i] ^ ord(key[i % 0xc])
    decoded += bytes([decoded_byte])
    i += 1
with open("shellcode.bin", "wb") as f:
    f.write(decoded)
```

Here I used BlobRunner to debug the shellcode:

The shellcode's mission is to load the third extracted file, which is the third unpacking stage:

Following this flow carefully in the debugger:

Capturing the VirtualAlloc return address to keep track of the decoded stage:

Then we can see how ReadFile fills this memory with the file content:

Voilà!

The following graph snippet contains a loop in the left block that decodes this stage. I placed a breakpoint at the completion of the loop in the right block and let it run:

And now we love what we see!
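As an added example that is not part of the writeup: a generalization of the decoder above that also checks a decoded buffer for a file-form PE and carves it by its section table, which is the decode-then-dump step the third stage goes through before it is written to disk. Only the XOR key comes from the page; the minimal sample PE and the 0x90 prefix used in the usage are constructed for the demo.

```python
import struct
from typing import Optional

KEY = b"584058684148"   # the DLL's hardcoded 12-byte XOR key (from the writeup)

def xor_decode(encoded: bytes, key: bytes = KEY, length: Optional[int] = None) -> bytes:
    """Repeating-key XOR, the same loop the DLL runs: out[i] = in[i] ^ key[i % len(key)]."""
    n = len(encoded) if length is None else min(length, len(encoded))
    return bytes(encoded[i] ^ key[i % len(key)] for i in range(n))

def find_pe(buf: bytes) -> Optional[int]:
    """Offset of the first 'MZ' whose e_lfanew really points at a 'PE\\0\\0' signature."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            sig = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\0\0":
                return off
        off = buf.find(b"MZ", off + 1)
    return None

def raw_pe_size(buf: bytes, pe_off: int) -> int:
    """File-form size of the PE: end of the last section's raw data (headers only if none)."""
    nt = pe_off + struct.unpack_from("<I", buf, pe_off + 0x3C)[0]
    n_sections = struct.unpack_from("<H", buf, nt + 6)[0]
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]
    sect = nt + 24 + opt_size                      # section table follows the optional header
    end = sect + 40 * n_sections - pe_off
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(buf: bytes) -> Optional[bytes]:
    """Cut the decoded file-form PE out of a larger buffer (shellcode prefix, slack, ...)."""
    pe_off = find_pe(buf)
    return None if pe_off is None else buf[pe_off:pe_off + raw_pe_size(buf, pe_off)]

def make_sample_pe() -> bytes:
    """Constructed minimal PE (not real malware): one section, raw data at 0x200, size 0x400."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = bytearray(0xE0)
    opt[0:2] = b"\x0b\x01"                          # PE32 magic
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x400, 0x1000, 0x400, 0x200) + b"\0" * 16
    hdrs = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdrs.ljust(0x200, b"\0") + b"\xCC" * 0x400
```

Because XOR is symmetric, `xor_decode(make_sample_pe())` produces a constructed "encoded" blob and a second `xor_decode` recovers it; `carve_pe` then returns exactly the embedded PE, which is what you would write to disk.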
Let's dump this PE to disk:

Continuing to debug the shellcode, we observe that it spawns another instance of itself:

Then it maps a fresh copy of NTDLL to evade EDR hooks in the original NTDLL:

Then it performs process hollowing by replacing the child process image with the PE we dumped before. Some incriminating process hollowing calls are:

Observing the final PE payload reveals that it is highly obfuscated and difficult to analyze. It's written in pure assembly using MASM:

It contains only a .text section, and Cutter really struggled to create the navigation bar above due to the obfuscation and non-conventional code:

The final payload is really tough and contains lots of anti-VM and anti-debugging tricks, which I won't cover today (or any other time 😜).

By using FLOSS, I managed to extract low-hanging fruit such as interesting stack strings, without delving too much into it:

```text
FLOSS extracted 180 stackstrings
DEST version.dll o%%Jr..\$ InternetCloseHandle [System]
NT\CurrentVersion encrypted_key c!!B0 AAIA :.6$ !H88p POST .exe windir .exe Program Files B>>| [Enter] image/jpeg \DB1 Internet Explorer\IntelliForms\Storage2 Host: URL: HttpOpenRequestA cl.ini Password ri.ini PATH Clipboard pass httpRealm PATH ProductName User : __Vault XhHp FBIMG \INetCookies windir browser Opera Aut: [v)C " /V \explorer.exe G==z 11#?*0 cB@" \Main f""D~**T [<-Del] Pass:
login P00` WA t Windows Explorer image/png x86 7CbI 7A@@( QSeA~ l$$H im.jpeg guid Id: Y77n urlmon.dll ,4$8_@ rv.ini U33f InternetReadFile [Esc] InternetConnectA auth _2016\ AA& ProgramFiles 2N H FBNG: i''N hostname profiles.ini +Q0$ I<(A =j&&LZ66lA??~ www. g0+]C )w--Z Windows Explorer _jbF~T rg.ini Chrome im.jpeg 2008 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ rc.ini .dll }++V !tX)i
}{))R> 2012 ProgramFiles x((Pz x64 ACAA USERNAME t,,X. ` @ gK99r Pass: ='9-6d _55j AaAA MS-WAPI-CurrentVersion t\lHBW API-Local State 2016 Iexplor .sqlite Server: Unknown D<
```