{
	"id": "f97d1d14-2810-42df-a6de-9cb725226997",
	"created_at": "2026-04-06T00:21:17.212815Z",
	"updated_at": "2026-04-10T13:11:41.508828Z",
	"deleted_at": null,
	"sha1_hash": "bcd3bba0cb018ea99934f11860006244d5d8c243",
	"title": "FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1110763,
	"plain_text": "FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data - Home\r\nBy Rumana Siddiqui\r\nPublished: 2021-07-21 · Archived: 2026-04-05 15:35:55 UTC\r\nQuick Heal Security Lab has seen a sudden increase in dotnet samples which use steganography. Initially, static analysis yields little information: going by the method names, the sample resembles some simple application. On the dynamic side, some samples show their activity while others check for a sandboxing environment. Apart from this, even on execution, it loads multiple memory stages that contain numerous long periods of sleep. One such file received in our lab was a Formbook malware sample. The Formbook stealer has been sold as a service on hacking forums since 2016.\r\nIn this blog, we will go through those multiple stages and the analysis of the final payload. The final payload is also complicated due to the creation of various threads with sleeps in between.\r\nTechnical Analysis\r\nSSO.exe\r\nIn the resources of sso.exe, there is an image that indicates the use of steganography. However, this resource is not used at this level. There is one more resource present which is initially difficult to find. While going through the decryption code, this 2nd resource was identified as stage 1.\r\nhttps://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/\r\nPage 1 of 15\r\nFigure 1 GregorianCalendar in Resource, contains stage 2 file\r\nFigure 2 Another resource named Tree; just below the blue line some red dots are visible. Contains stage 1 file\r\nAt the entry point, there is a single line of code to execute the form.\r\nFigure 3 Main function, calls the constructor of Form1 which decrypts the stage 1 file\r\nIf we go to the Form1 code, there isn’t much information present. But when we check the Form1 class, we can see in its constructor a call to the method ISectionEntry.\r\nFigure 4 Constructor code, call to the decryption routine of the stage 1 file\r\nISectionEntry contains the code to get the pixels (Fig 5), convert them to integers and save them in an array (Fig 6), and then call MessageSurrogateFilter(array) with the buffer passed as a parameter.\r\nFigure 5 Decryption routine from image, decrypting the stage 1 PE file\r\nFigure 6 Buffer containing the stage 1 PE file\r\nThe MessageSurrogateFilter() method then loads the decrypted assembly (SimpleUI.dll) into memory and invokes its SelectorX() method with some arguments, which will be explained later in Stage 1.\r\nFigure 7 Assembly loading of stage 1 in memory and invoking its member SelectorX with resource name, decryption key and assembly name\r\nFigure 8 SimpleUI.dll loaded in memory\r\nStage 1:\r\nFigure 9 SimpleUI.dll\r\nSince there are not many methods present in this file, we go directly through the code of the SelectorX method. As we can see in Figure 7, three values are passed to this function:\r\nRestrictedError = 477265676F7269616E43616C656E646172 = GregorianCalendar (name of the resource in the main file, shown in Fig 1)\r\nValueEnumerator = 72584C4F594D6D556D = rXLOYMmUm (key for decryption)\r\nProject Name = Agent.Common (main file)\r\nThe cba() method contains the code to get the pixels from the image, convert them to integers and save them in an array, and XeH contains the code to convert the hex value into a string.\r\nFigure 10 SelectorX method accesses the GregorianCalendar resource from the main assembly and decrypts it, using the key passed, in the fgh() method\r\nFigure 11 Size of buffer to be initialized for stage 2\r\nThe fgh() method’s decryption routine is a simple XOR with two values, in which the “bytes” array contains a Unicode version of the key (mentioned as ValueEnumerator above).\r\nFigure 12 fgh() method code for decryption, normal XORing\r\nAfter decryption, the assembly is again loaded in memory.\r\nFigure 13 Stage 2 assembly loaded in memory\r\nStage 2:\r\nFigure 14 Stage 2 Assembly\r\nIt becomes difficult to analyze with these Unicode method names.\r\nFigure 15 Stage 2 Unicode method names\r\nIn this stage 2 assembly, a method named Fedree() is called, whose constructor contains the code to decrypt and inject the final payload.\r\nIn the decryption routine, first the name of the resource is decrypted to s2pCN (a resource in stage 2); it then loads the resource and passes it to XOR_DEC along with a key. The decrypted buffer is then passed to the Unscramble function, which produces another dotnet file.\r\nFigure 16 Decryption routine in stage 2 which produces the final payload\r\nXOR_DEC contains a simple XOR with obfuscated code.\r\nFigure 17 Xor_Dec method decrypts the final payload\r\nThe Unscramble function forms the final payload.\r\nFigure 18 Unscramble method code produces the final payload PE file\r\nAfter decryption, it performs process hollowing by creating an sso.exe process in suspended mode.\r\nFigure 19 Process hollowing code to inject the final payload\r\nFigure 20 Flag to CreateProcess in suspended mode\r\nFinal Payload:\r\nThe injected file is the final payload of Formbook, which has around 1500 methods with random names.\r\nIt contains 2 different Base64-encoded strings.\r\nFigure 21 Encoded string 1 contains CnC information and configuration\r\nThe 2nd base64 string contains 5 modules which are later loaded in memory and executed.\r\nFigure 22 Encoded string 2\r\nThe strings are decoded from base64, then reversed, specified characters are replaced, and the result is base64-decoded again.\r\nFigure 23 Decryption routine to decrypt the CnC details in string 1 and the different modules present in string 2\r\nThe resultant data for the 1st decoded string is the CnC servers, mutex name and some configuration.\r\nFigure 24 Decoded string 1 data\r\nIt also creates a bat file to check for a network connection, start the process again and delete the bat file.\r\nFigure 25 Content of bat file\r\nAfter decrypting the data it checks for the mutex; if it is already present, it exits. If in the configuration the value of the “AUR” tag is true, it takes the names of 2 running processes: from one it takes the name of the process, from the other it takes any folder name from the parent directory, and it copies itself to this location with the first process’s name. Along with this, it keeps a file with a name that is a hash of the process name and some randomly generated garbage data.\r\nFigure 26 Copies itself to various locations obtained from running processes’ paths and also obtains the name from the same\r\nIt also schedules tasks for these copied files.\r\nFigure 27 Creates scheduled tasks for the copied files\r\nNext, it loads the different modules which it decoded initially into memory and invokes different methods.\r\nFigure 28 Code to load different modules and call different methods based on their availability\r\nThen it tries to steal browser information like cookies, passwords, forms, history, autofill and credit card information; it also takes screenshots and collects clipboard data, Discord tokens, FileZilla data, Telegram data and Steam data.\r\nThere was also a module that compiles the code for DCRat at runtime on receiving commands from the CnC.\r\nFigure 29 Code to compile DCRat code at runtime\r\nThe other modules present are:\r\n1. AntiAnalysis Module\r\nIt keeps all strings in encrypted form under a list of various techniques.\r\nFigure 30 Encoded values for strings used in the anti-analysis module\r\nIt contains various techniques to identify whether it is running under a VM or sandboxing environment and whether any monitoring processes are running. Another way it identifies a VM/sandbox is by checking physical memory.\r\nFigure 31 Anti-analysis module\r\n2. USBSpreadDCLIB Module\r\nContains code to spread to USB drives by creating an autorun.\r\nFigure 32 USBSpreadDCLIB module\r\n3. MiscellaneousInfoGraber module\r\nContains code to collect a list of installed software, running processes, time zone information, active TCP connections, available local network connections and the list of connected USB drives.\r\nFigure 33 Collects registry uninstall entries\r\nFigure 34 List of running processes\r\nFigure 35 TimeZone information\r\n4. FileGrabber module\r\nCollects all the files\r\nFigure 36 File Grabber module collects files\r\n5. BSODProtection Module\r\nAt this point, this module is not in a complete state. This shows that it is still under development.\r\nConclusion:\r\nThis seems to be malware that is still being developed. We haven’t received the initial vector yet, but it appears to be downloaded by a malicious doc/xls file which is spread through emails. Users should avoid opening emails and documents sent by unknown senders and keep their AV updated. We detect all the modules and stages as Trojan.Formbook and Trojan.YakbeexMSIL.ZZ4.\r\nMITRE ATT\u0026CK TTPs:\r\nVirtualization/Sandbox Evasion: System Checks T1497.001\r\nScheduled Task/Job T1053\r\nProcess Injection: Process Hollowing T1055.012\r\nMasquerading T1036\r\nCredentials from Password Stores T1555\r\nClipboard Data T1115\r\nData from Configuration Repository T1602\r\nIOC:\r\n1D13A84AA671B75F66F4C7FCE8339619291D4A43 exe\r\n6C73DC53F1AF57E1B2B404F2E20A9AECBAA80051 dll\r\nDC7CF9544AA5B4928697B4C49C94A60211F025A1 dll\r\n9577B2B5C4FBA6B2AFA65C5161FCE75F48E75D5D dll\r\n7E314AE69FC9A613A4A5356556F73E027B540141 dll\r\n32D97D1729D9A5919CBE1AE76F46BCDB9620153C dll\r\nSource: https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/"
	],
	"report_names": [
		"formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcd3bba0cb018ea99934f11860006244d5d8c243.pdf",
		"text": "https://archive.orkl.eu/bcd3bba0cb018ea99934f11860006244d5d8c243.txt",
		"img": "https://archive.orkl.eu/bcd3bba0cb018ea99934f11860006244d5d8c243.jpg"
	}
}