Keypoints
- Initial delivery observed as a .bat file containing large Base64-encoded data which decodes to a binary payload.
- Decoding and extraction performed with CyberChef produced an initial .NET executable (output.exe).
- Further analysis with DIE/dnSpy revealed embedded arrays beginning with ‘4D5A’ (PE header), indicating two additional binaries (an EXE and a DLL) were created in-memory and dumped to disk.
- PEStudio confirmed the dumped files were .NET-based malware and a companion DLL used by the loader.
- Runtime debugging showed extensive input-capture (keylogging), system-info collection, and exfiltration routines including public IP lookup via api.ipify.org and SMTP configuration for email exfiltration.
- Malware configuration containing SMTP sender/recipient and password was extracted, providing operational details and C2-related artifacts.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Initial stage delivered as a .bat likely from a phishing attachment (‘Formbook is distributed through a .bat file that is likely delivered via a phishing email attachment.’)
- [T1027] Obfuscated Files or Information – Payload within the .bat is Base64-encoded to hide the executable content (‘The malware uses Base64 encoding to obfuscate its payload within the .bat file.’)
- [T1140] Deobfuscate/Decode Files or Information – Decoding Base64 with CyberChef to recover the embedded executable (‘Formbook decodes the obfuscated Base64 content to extract the executable payload.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The initial loader is a Windows batch script executing the embedded payload (‘The initial .bat file is a Windows batch script used to execute the malware.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Malware may achieve persistence via registry run keys or startup folder modifications (‘Formbook may use registry run keys or the startup folder to achieve persistence on the infected system.’)
- [T1056.001] Input Capture: Keylogging – Runtime shows extensive keystroke capture to harvest credentials (‘Formbook captures keystrokes to steal sensitive information such as credentials.’)
- [T1113] Screen Capture – Malware may capture screenshots to gather additional victim information (‘The malware may capture screenshots to gather additional information from the victim’s system.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP(s) to communicate and send stolen data, e.g., queries to api.ipify.org (‘Formbook uses HTTP to communicate with its command and control server and to send stolen data.’)
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Exfiltrated data may be protected with symmetric encryption (‘The malware may use symmetric encryption to protect the data it exfiltrates.’)
- [T1082] System Information Discovery – Collects system information for attacker reconnaissance (‘Formbook collects system information to send to the attacker.’)
- [T1590] Gather Victim Network Information – Retrieves public IP address as part of victim profiling (‘Formbook gathers the public IP address of the infected system.’)
- [T1567.002] Exfiltration Over Web Service – Possible exfiltration to cloud/web services under attacker control (‘The malware may exfiltrate stolen data to a cloud storage service controlled by the attacker.’)
Indicators of Compromise
- [File Hashes] Sample binaries and script hashes – 463b92101e5f2912781dd6eb61374b97f14fb27b6fe05c0ef3fb734d8ef4d4ec (bat), 56e3f56dda234344fb2799c10727e642 (output.exe), and 2 more hashes.
- [Filenames] Identified payloads – 463b9… .bat, output.exe, array2.exe, array.dll (dumped from in-memory arrays).
- [Domains / Email] SMTP and contact artifacts – mail[.]agagroup[.]lv, info@agagroup[.]lv, remis et@remisat[.]com[.]uy
- [URLs] Public IP lookup endpoint – hxxps://api[.]ipify[.]org (used to retrieve victim public IP)
The technical analysis began with a .bat file embedding a large Base64 string; decoding that string (using CyberChef) revealed a .NET executable. When that executable was inspected with DIE and dnSpy, it was seen building in-memory byte arrays that begin with the PE magic bytes 4D5A ("MZ"); two such arrays were dumped to disk, yielding a secondary EXE and a DLL for further analysis.
Static and dynamic inspection (PEStudio, dnSpy debugging) confirmed both dumped files were .NET assemblies. Runtime tracing showed decompression and reversal routines for payload extraction, keylogging hooks for input capture, system-information enumeration, and network calls to services such as api.ipify.org. The malware also contained SMTP configuration strings used to send stolen data.
Extraction of the embedded configuration yielded SMTP sender/recipient credentials and operational endpoints (including mail.agagroup.lv). The analysis workflow—Base64 decode, binary carving, .NET decompilation/debugging, PE dumping, and configuration extraction—provides a reproducible path to uncover Formbook’s staged loader, components, and exfiltration mechanisms.
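As an added example (not code from the original write-up), the following Python reproduces the first two steps of the workflow above: decode the Base64 run carried in the .bat, then carve every embedded PE image by validating its "MZ" and "PE\0\0" headers and flag .NET assemblies via the CLR data directory. The batch-file layout, the regex, and the header-only sample image are constructed assumptions, not artifacts from the real sample.

```python
import base64
import re
import struct

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # assumption: one long Base64 run in the .bat
PE32, PE32PLUS = 0x10B, 0x20B
CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: populated only in .NET images

def decode_bat_payload(bat: bytes) -> bytes:
    """Decode the longest Base64 run in the dropper text (the embedded executable)."""
    longest = max(B64_RUN.findall(bat), key=len, default=b"")
    return base64.b64decode(longest + b"=" * (-len(longest) % 4))

def parse_pe_at(blob: bytes, off: int):
    """Validate a PE header at `off`; return (machine, is_dotnet) or None."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe, opt = off + e_lfanew, off + e_lfanew + 24  # "PE\0\0" + 20-byte COFF header
    if e_lfanew > 0x1000 or blob[pe:pe + 4] != b"PE\0\0" or len(blob) < opt + 2:
        return None
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = {PE32: 96, PE32PLUS: 112}.get(magic)  # where the data directories start
    if dirs is None or opt_size < dirs + (CLR_DIR + 1) * 8 or len(blob) < opt + opt_size:
        return None
    clr_rva, clr_size = struct.unpack_from("<II", blob, opt + dirs + CLR_DIR * 8)
    return machine, bool(clr_rva and clr_size)

def carve_pe_images(blob: bytes):
    """Return (offset, machine, is_dotnet) for every plausible embedded PE image."""
    return [(m.start(), *info) for m in re.finditer(b"MZ", blob)
            if (info := parse_pe_at(blob, m.start()))]

def build_fake_pe(dotnet: bool, magic: int = PE32) -> bytes:
    """Constructed header-only PE (not a real binary) standing in for the carved EXE/DLL."""
    opt_size, dirs = (224, 96) if magic == PE32 else (240, 112)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if dotnet:
        struct.pack_into("<II", opt, dirs + CLR_DIR * 8, 0x2008, 0x48)  # made-up CLR header RVA/size
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # IMAGE_FILE_MACHINE_I386
    return dos + b"PE\0\0" + coff + bytes(opt)

SAMPLE_BAT = (b"@echo off\r\n:: constructed sample, not the real dropper\r\nset payload="
              + base64.b64encode(build_fake_pe(dotnet=True)) + b"\r\n")
```

Running `carve_pe_images` over the decoded blob, and again over each dumped array, is the scripted equivalent of the manual 4D5A search in dnSpy and the .NET confirmation in PEStudio.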
Read more: https://medium.com/@b.magnezi/malware-analysis-formbook-d88de50f5977