Threat Intelligence

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

EnkiWhiteHat

2025. 8. 29.

Executive Summary

  • We identified a South Korean IP address that was leveraged for phishing email distribution and malware delivery.

  • The threat actor delivered FormBook malware packed with PureCrypter.

  • The malware employs various techniques such as anti-debugging and multi-stage code injection to complicate analysis and conceal malicious behavior.

  • Similarities were found between the C&C server used in the attack and other Kimsuky attack infrastructure.

1. Overview

In May 2025, multiple RAR and EXE files associated with the South Korean IP address 158.247.250[.]251 were discovered. Historical DNS records link this IP to a domain suspected of being part of Naver-themed phishing infrastructure, and URL scan records for Naver login pages hosted on it remain on VirusTotal.

Scanned URLs of 158.247.250[.]251

caption - Scanned URLs of 158.247.250[.]251

Malicious files related to this IP (phishing email files and the attached RAR and EXE files) were reported in South Korea, and the phishing email was also sent to an email account of a South Korean energy company. We confirmed that the distributed malware is FormBook, packed with PureCrypter.

2. Malware Analysis

Attack Flow Diagram

caption - Attack Flow Diagram

2.1. Initial Access

Initial access was carried out through an Outlook phishing email. The recipient was confirmed to belong to a South Korean energy company, and the email carried a RAR archive containing an EXE file disguised as an air cargo waybill.


Sent phishing email

caption - Sent phishing email

The sender address is noreplychleeportchlee@dhl.com, spoofing the domain of DHL, a Germany-based logistics company. Phishing emails framed as international shipping invoices are a long-established initial-access lure.

2.2. PureCrypter

When the email attachment is decompressed, a .NET executable file is revealed. This EXE file was identified as the first stage of the commercial .NET loader, PureCrypter.

PureCrypter has been sold since 2021 and has been used to distribute numerous malware families. It lets the attacker configure persistence mechanisms, injection methods and targets, and security-bypass options. The attacker's configuration is serialized (the field indices are the ProtoMember identifiers described in the Configuration Data Structure section below), encrypted and stored in the resource section, and decrypted and deserialized at runtime.

The assembly name is Utdmecvq.exe. Besides classes taken from open-source projects, it contains the RemoteExecuterApp class, which holds the entry point and all of the malicious logic.

Utdmecvq.exe internal classes

caption - Utdmecvq.exe internal classes

The malware first sets a User-Agent header and sends a download request to the C&C server, so that the request looks like one generated by an ordinary web browser.

The URLs issuing download requests and the configured User-Agent are as follows.

  • URL: http://158.247.250[.]251/Gmfbssvfg.vdf

  • User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0

Downloading encoded file from C&C server

caption - Downloading encoded file from C&C server

If the download succeeds, the file is decrypted with AES using a key and IV that are stored Base64-encoded in the loader, and the result is loaded into memory as an assembly. The method pY8vRcOLI of the class Ts8mNZe9r3J0nu8Oa0.e4XQsmqqJcMfslpD8o is then invoked.

  • base64 encoded key : eq78+DV08bw6vTK7GtbEEcXfM/7YWzVL50qlG2HSJkY=

  • base64 encoded IV : LqF17M9RPpHJCRbrkD6msw==

Decrypt and invoke method

caption - Decrypt and invoke method

The downloaded and decrypted PE is also a .NET assembly and is obfuscated with .NET Reactor.

Downloaded and decrypted .NET file

caption - Downloaded and decrypted .NET file

The assembly information references the Newtonsoft.Json library, a trait consistent with PureCrypter builds.

Decrypted .NET file assembly information

caption - Assembly information

Resource Data Decryption

After execution, the malware first retrieves the encrypted data from the resource section, decrypts it, and stores it in a hash table. The cipher is selectable from DES, AES, TDES, Rijndael, RC2 or a custom block cipher; the analyzed sample uses AES.

  • AES key hex: A872738399912091389AE9720D5E068A0EF3B7D4C42B1FF24EA864F6C85683E9

  • AES IV hex: F96CF8CAFBAF112548F6F122D9270CCA

Resource data decryption

caption - Resource data decryption

The decrypted table holds the strings the malware uses, which are later fetched from the hash table by key. Once the resource-name strings are known, calling AppDomain.CurrentDomain.GetData from dnSpy's Watch window exposes the fully decrypted Hashtable.

Decrypted string hash table

caption - Decrypted string hash table

Configuration Data Deserialization

When PureCrypter is applied, various options such as injection method, target process, and whether to bypass security features can be configured. The configuration data is serialized and AES encrypted, then stored in the resource section of the packed file. At runtime, the configuration in the resource section is dynamically deserialized and used.

Configuration data deserialization

caption - Configuration data deserialization

Configuration Data Structure

The data indexing is defined based on ProtoMember identifiers, and three configuration groups are present: "Payload injection configuration data", "Detection‑evasion configuration data", and "Additional configuration data".

1. Payload injection configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | A flag that determines whether to use an internally stored payload or download it (True loads internal data; False downloads externally). | true |
| 2 | A byte array that stores either the payload to be injected or the download URL. | Formbook payload |
| 3 | A flag indicating whether the malware’s execution process is 64-bit. | false |
| 4 | An enum that determines the payload injection method (0: load the .NET assembly and Invoke, 1: process hollowing, 2: native shellcode execution). | 1 |
| 5 | A string specifying the target process name into which the payload will be executed or injected. | "Itself" |
| 6 | A string of command-line arguments passed when executing the injected payload. | "" |
| 7 | A string specifying the process name to be used as the parent process. | "explorer" |
| 8 | An unused value. | null |
| 9 | A DWORD value that determines the window style at process creation. | 1 |

2. Detection‑evasion configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | A variable that determines how many times the malware will execute the SleepEx(999) function during runtime. | 0x15 |
| 2 | A flag that determines whether to perform mutex creation. | false |
| 3 | The string used when creating the mutex. | "Xilnulmx" |
| 4 | A flag that determines whether to exclude the current process's file and the self-replicated copy (%appdata%\temp.exe in this sample) from Windows Defender scans. | false |
| 5 | A flag that determines whether to execute VM and sandbox detection logic using system and process information. | false |
| 6 | A flag that determines whether to perform process handle duplication. | false |
| 7 | A flag that determines whether to execute IP release or renew commands. | false |
| 8 | An additional PowerShell script string. | null |
| 9 | A flag that determines whether to perform library-hooking detection. | false |
| 10 | A flag that determines whether to perform AMSI bypass. | false |
| 11 | A flag that determines whether to perform ETW-based detection evasion. | false |
| 12 | An unused value. | false |
| 13 | A flag that determines whether to perform self-deletion. | false |
| 16 | A flag that determines whether to run the additional PowerShell script with administrative privileges. | false |

3. Additional configuration data

3.1. Persistence configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | An enum that determines the persistence mechanism (0: registry key registration, 1: startup directory/program registration, 2: scheduled task). | 1 |
| 2 | A string used as the self-replication path. | "%appdata%" |
| 3 | A string used as the self-replication file name. | "temp.exe" |
| 4 | A flag that determines whether to append dummy bytes during self-replication. | false |

3.2. MessageBox display configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | A flag that determines whether a MessageBox should display a warning or information indicator. | false |
| 2 | The string displayed in the MessageBox. | null |

3.3. File drop-and-execute configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | A byte array containing the executable file data to be dropped and executed. | null |
| 2 | A string specifying the file name of the executable to be dropped and executed. | null |
| 3 | A flag that determines whether to perform file drop and execution. | false |
| 4 | A flag that determines whether to perform file drop and execution. | false |

3.4. GZIP compression configuration data

| ProtoMember | Description | Info |
| --- | --- | --- |
| 1 | An additional GZIP-compressed payload to be injected. | null |
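To show how such a configuration can be walked once the resource blob has been decrypted, here is an added example (it is not code from the post or from PureCrypter). It assumes that the ProtoMember indices above map onto standard protobuf wire encoding (varints for flags and enums, length-delimited fields for strings and the payload), which is what protobuf-net emits for ProtoMember-annotated classes; the field names, the enum labels and the sample blob are this example's own, and the payload bytes are a stub rather than the real Formbook PE.

```python
"""Walk a PureCrypter-style protobuf configuration blob (added example, not the post's code)."""

# Enum labels and field meanings follow the "Payload injection configuration data" table above.
INJECTION_METHODS = {0: ".NET assembly load and Invoke", 1: "process hollowing", 2: "shellcode execution"}
INJECTION_FIELDS = {
    1: ("use_embedded_payload", "bool"),
    2: ("payload_or_url", "bytes"),
    3: ("is_64bit", "bool"),
    4: ("injection_method", "enum"),
    5: ("target_process", "str"),
    6: ("arguments", "str"),
    7: ("parent_process", "str"),
    9: ("window_style", "int"),
}


def _read_varint(buf: bytes, pos: int):
    """Decode a little-endian base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _write_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_fields(fields) -> bytes:
    """Encode (field_number, value) pairs: bool/int -> varint (wire type 0), str/bytes -> length-delimited (wire type 2)."""
    out = bytearray()
    for num, value in fields:
        if isinstance(value, (bool, int)):
            out += _write_varint((num << 3) | 0) + _write_varint(int(value))
        else:
            data = value.encode("utf-8") if isinstance(value, str) else value
            out += _write_varint((num << 3) | 2) + _write_varint(len(data)) + data
    return bytes(out)


def decode_fields(buf: bytes):
    """Return (field_number, wire_type, value) triples in stream order; nested groups arrive as wire type 2."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        num, wtype = tag >> 3, tag & 7
        if wtype == 0:
            value, pos = _read_varint(buf, pos)
        elif wtype == 1:
            value, pos = int.from_bytes(buf[pos:pos + 8], "little"), pos + 8
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wtype == 5:
            value, pos = int.from_bytes(buf[pos:pos + 4], "little"), pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((num, wtype, value))
    return fields


def describe_injection_config(buf: bytes) -> dict:
    """Map the raw triples onto the names from the table; unknown field numbers are kept as field_N."""
    cfg = {}
    for num, _wtype, value in decode_fields(buf):
        name, kind = INJECTION_FIELDS.get(num, (f"field_{num}", "raw"))
        if kind == "bool":
            cfg[name] = bool(value)
        elif kind == "enum":
            cfg[name] = INJECTION_METHODS.get(value, f"unknown ({value})")
        elif kind == "str":
            cfg[name] = value.decode("utf-8", "replace")
        else:
            cfg[name] = value
    return cfg


# Constructed sample mirroring the analyzed configuration; the payload is a stub MZ header, not the real PE.
SAMPLE_CONFIG = encode_fields([
    (1, True), (2, b"MZ\x90\x00" + b"\x00" * 12), (3, False), (4, 1),
    (5, "Itself"), (6, ""), (7, "explorer"), (9, 1),
])

if __name__ == "__main__":
    for key, val in describe_injection_config(SAMPLE_CONFIG).items():
        print(f"{key:>22}: {val!r}")
```

The same decoder serves the other two configuration groups by swapping in their name tables; because those groups are nested messages, they show up as wire type 2 fields whose bytes are fed back into decode_fields.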

Detailed Behavior

Mutex Creation

If the corresponding flag in the deserialized structure is set (it is False in the analyzed sample), the malware creates a mutex and waits up to 15 seconds to acquire it; the same routine also runs ipconfig to renew the IP address. The mutex name is as follows:

  • Xilnulmx

Mutex creation

caption - Mutex creation

Anti Debugging

The process terminates when predefined conditions are satisfied.

  • A debugger is detected via CheckRemoteDebuggerPresent().

  • Modules such as SbieDll.dll or cuckoomon.dll are loaded in the current process.

  • Execution environment reports two or fewer CPU cores.

  • The parent process name contains "cmd".

  • BIOS Version or SerialNumber contain "Microsoft", "VMWare", or "Virtual".

  • BIOS manufacturer or model contain "Microsoft", "VMWare", or "Virtual".

  • The display resolution is low.

  • The OS is 32-bit.

  • Username is "john", "anna", or "xxxxxxxx".

IP Release

The malware invokes ipconfig to release the assigned IP address.

IP release

caption - IP release

Amsi Bypass

The routine first resolves the address of AmsiScanBuffer, the function AMSI uses to scan buffers, and changes the page protection to make it writable. It then overwrites the function prologue with a patch chosen by OS bitness so that AmsiScanBuffer returns immediately with a benign result, effectively disabling scanning.

Amsi bypass

caption - Amsi bypass

The code reconstructs the AmsiScanBuffer identifier at runtime by stripping "Janroe" from the stored string before use.

Stripping "Janroe"

caption - Stripping "Janroe"

AmsiScanBuffer string before stripping

caption - AmsiScanBuffer string before stripping

ETW-based Detection Evasion

EtwEventWrite is patched in the same manner as AmsiScanBuffer. Unlike the AMSI patch routine, no specific substring is stripped to obtain the function name.

ETW-based detection evasion

caption - ETW-based detection evasion

Anti library hooking

The malware restores the in-memory images of ntdll.dll and kernel32.dll in the current process from the clean copies on disk in %System%, which removes any user-mode hooks a security product has placed in them.

Anti library hooking

caption - Anti library hooking

Windows Defender Exclusion

The routine checks whether the current executable path equals "%appdata%\temp.exe". If not, it builds a Base64-encoded PowerShell payload and launches PowerShell with -enc to run it. The script uses Add-MpPreference to register both the current executable and %appdata%\temp.exe as Defender path and process exclusions:

Add-MpPreference -ExclusionPath {filepath};
Add-MpPreference -ExclusionProcess {filepath};
Add-MpPreference -ExclusionPath %appdata%\\temp.exe;
Add-MpPreference -ExclusionProcess %appdata%\\temp.exe;

As a result, both the running executable and %appdata%\temp.exe are excluded from Windows Defender scanning, by path and by process.

Windows defender exclusion

caption - Windows defender exclusion
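The following added example (not code from the post) shows the detection side of this step: it decodes PowerShell -EncodedCommand arguments, which are Base64 over UTF-16LE text, and flags Add-MpPreference exclusions or Set-MpPreference -Disable* toggles in process-creation records. The records, the victim user name and the loader's on-disk path are constructed for the example.

```python
"""Decode PowerShell -EncodedCommand payloads and flag Defender tampering (added example, not the post's code)."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); match the whole token.
_ENC_FLAG = re.compile(
    "^-(" + "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1)) + ")$",
    re.IGNORECASE,
)
# One Add-MpPreference statement with an -Exclusion* parameter and its (possibly quoted) value.
_EXCLUSION = re.compile(
    r"""Add-MpPreference[^;|\n]*?-(Exclusion(?:Path|Process|Extension|IpAddress))\s+("[^"]*"|'[^']*'|[^\s;]+)""",
    re.IGNORECASE,
)
_DISABLE = re.compile(r"Set-MpPreference[^;|\n]*?-(Disable\w+)\s+\$?true", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_command_line(cmdline: str) -> dict:
    """Look for Defender exclusions or disabled protections in the plain or decoded command line."""
    script = decode_encoded_command(cmdline)
    body = script if script is not None else cmdline
    exclusions = [(m.group(1), m.group(2).strip("'\"")) for m in _EXCLUSION.finditer(body)]
    disabled = [m.group(1) for m in _DISABLE.finditer(body)]
    return {
        "encoded": script is not None,
        "script": body,
        "exclusions": exclusions,
        "disabled": disabled,
        "suspicious": bool(exclusions or disabled),
    }


def hunt(records):
    """Run over process-creation records (Sysmon Event 1 / 4688 style) and keep the suspicious ones."""
    hits = []
    for rec in records:
        result = analyze_command_line(rec["CommandLine"])
        if result["suspicious"]:
            hits.append({"Image": rec["Image"], "ParentImage": rec["ParentImage"], **result})
    return hits


# Constructed sample records; the loader's download path and the user name "victim" are invented.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming\\temp.exe;"
    "Add-MpPreference -ExclusionProcess C:\\Users\\victim\\AppData\\Roaming\\temp.exe"
)
SAMPLE_RECORDS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\victim\\Downloads\\Utdmecvq.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc "
                    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"Image": "C:\\Windows\\System32\\ipconfig.exe",
     "ParentImage": "C:\\Users\\victim\\Downloads\\Utdmecvq.exe",
     "CommandLine": "ipconfig /release"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["ParentImage"], "->", hit["exclusions"])
```

Script Block Logging (Event ID 4104) records the decoded script directly, so this decoding matters mostly for 4688 and Sysmon process-creation data, where only the Base64 blob is visible; the parent image (a freshly downloaded executable rather than explorer.exe or a management tool) is the second signal worth keying on.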

PowerShell Script Execution

If a specific field in the structure contains a PowerShell script, the script is passed as an argument to a new PowerShell process launched either normally or with administrator privileges, depending on a flag.

PowerShell script execution

caption - PowerShell script execution

File Drop and Execution

If a file at the path and name stored in the structure does not exist, the data stored in the structure is reversed, Gzip‑decompressed, saved to that path, and executed.

File drop and execution

caption - File drop and execution

Displaying MessageBox

If the currently running process is not "%Appdata%\temp.exe" or is not under the %Windows% path, a specific string in the structure is displayed via a MessageBox. In this case, if a specific constant in the field is 0, a warning icon is used; otherwise, an information icon is used.

Displaying messageBox

caption - Displaying messageBox

Persistence and Self-replication

If the current process executable is neither %Appdata%\temp.exe nor located under the %Windows% directory, the malware builds the path %Appdata%\temp.exe, creating the %Appdata% directory if it does not exist. The self-replication path and file name are attacker-configurable.

Self-replication logic

caption - Self-replication

Then, different actions are performed depending on the value stored in the structure.

  • If 0: Register the path "%Appdata%\temp.exe" under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" key to establish persistence.

    Register registry key

    caption - Register registry key

  • If 1: Create a temp.vbs file in the Startup directory that executes "%Appdata%\temp.exe", registering it as a startup program.

    Startup program registration

    caption - Startup program registration

  • If 2: Create a scheduled task that executes "%Appdata%\temp.exe" at random intervals between 2 and 4 minutes. The task name is used as-is from the self-replication result file’s name.

    Task creation

    caption - Task creation

After completing the persistence setup, copy the currently running process executable to "%Appdata%\temp.exe."

Process Handle Duplication

By duplicating the malware’s process handle into explorer.exe, the file appears to be in use and cannot be deleted or modified.

Process Handle Duplication

caption - Process Handle Duplication

Payload Injection

First, if the current process has administrator privileges, it calls Process.EnterDebugMode (enabling SeDebugPrivilege) before proceeding. Depending on a flag in the structure, the payload is either obtained by AES-decrypting and Gzip-decompressing data embedded in the file or by downloading it from an external URL; the AES key and IV are the same ones used for the initial resource decryption. The analyzed sample embeds the encrypted payload in the file.

Additional payload acquisition

caption - Additional payload acquisition

Different injection methods are used depending on a specific value stored in the structure.

  • If 0: Load the assembly data into memory and invoke the method.

    Loading and invoking .NET assembly

    caption - Loading and invoking .NET assembly

  • If 1: Inject code via process hollowing and execute it. Depending on the provided parameter, either perform standard process hollowing or hollowing preceded by parent process spoofing.

    Standard process hollowing

    caption - Standard process hollowing

    Process hollowing with parent process spoofing

    caption - Process hollowing with parent process spoofing

  • If 2: Allocate native shellcode in memory and execute it. Depending on the provided parameter, load and execute the shellcode in the current process or in another process.

    Executing the shellcode in the current process

    caption - Executing the shellcode in the current process

    Executing the shellcode in another process

    caption - Executing the shellcode in another process

The analyzed malware spoofs explorer.exe as the parent process and then performs process hollowing into itself.

Compressed Payload Injection

Reverse specific data inside the structure, Gzip-decompress it, and inject it into a target process using the previously described shellcode injection method.

Compressed Payload Injection

caption - Compressed Payload Injection

Self-deletion and process termination

Execute a PowerShell script to self-delete the malware, then forcibly terminate the currently running process. The PowerShell script executed is as follows:

  • Start-Sleep -Seconds 5; Remove-Item -Path '{filepath}' -Force

Self-deletion and process termination

caption - Self-deletion and process termination

2.3. Formbook

The embedded, encrypted payload is a PE file and was identified as Formbook on analysis.

Final payload packed by PureCrypter

caption - Formbook PE information

The malware’s behavior and the code-area decryption process are highly similar to those described in the referenced analysis of Formbook.

  • https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii

This Formbook variant loads its own copy of ntdll.dll to conceal API calls. It opens ntdll.dll with ZwCreateFile, allocates a buffer with ERW permissions via NtAllocateVirtualMemory, and reads the file into it with NtReadFile. From then on, every ntdll.dll API call is resolved from this private copy rather than from the image mapped by the loader, which also sidesteps any user-mode hooks placed on the mapped image.

ntdll.dll separately loaded in memory

caption - ntdll.dll separately loaded in memory

The detailed behavior can be identified by analyzing the register values and arguments passed to instructions that dynamically resolve and call ntdll.dll API addresses.


The entire malware body is encrypted; on execution the main logic is decrypted and immediately jumped to. Even after this first-stage decryption, key functions remain encrypted. The malware decrypts each function just before use and re-encrypts it after the function returns.

Function decryption and re-encryption

caption - Function decryption and re-encryption

There is also logic to detect debugging environments prior to malicious activity. Because the system information loaded during anti-debugging is also used by the malware’s behavior, dynamic analysis must proceed at least to the return point of the data-loading function. The anti-debug checks include specific process names, parent directory names, Windows account names, and kernel information classes.

Environment  information collection and debugger detection

caption - Environment information collection and debugger detection

After detection logic completes, preparation begins to inject the Formbook module. During this process, the Heaven’s Gate technique is used to transition from 32-bit code to 64-bit code. The stored 64-bit code performs different actions depending on the execution point. In this case, it copies the same 64-bit code into another process and executes it.

Instruction that jumps to 64-bit code

caption - Routine for jumping to 64-bit code

64-bit pseudocode being executed

caption - 64-bit pseudocode in use.

The 64-bit shellcode copied into another process (in this case, OneDrive.exe) creates runonce.exe as a child process. It then creates a shared memory section between the newly created runonce.exe process and the original parent process, OneDrive.exe.

Child process created by the 64-bit shellcode

caption - runonce.exe created by the 64-bit shellcode

The original Formbook process copies the Formbook payload into the runonce.exe process via the shared memory section. Using ntdll.dll’s thread APIs, it adjusts the rax register for RtlUserThreadStart and resumes the thread so the injected payload runs.

Information collection and remote command execution module

The shellcode injected into the runonce.exe process decrypts the entire code. After decryption, the module performs anti-debugging checks and then calls the main operation routine.

Formbook module’s anti-debugging routine

caption - Formbook module’s anti-debugging routine

First, it collects basic system and user information using registry keys and advapi32.dll APIs. The merged data is structured as follows, with each field separated by a colon (":").

  • Windows Information

  • Computer name and user name, Base64‑encoded

Collected system and user information

caption - Collected system and user information

The collected data is encrypted through the following steps.

  1. RC4 encryption

  2. Base64 encoding

  3. Prefix "PKT2:" is attached, then RC4 encryption again

The RC4 keys used in this process are as follows.

  • First RC4 key (hex): 1DC0668A628EA91766A75C87319A23B24939C07B

  • Second RC4 key (hex): 3A665CF99A9B7A79F4FECB77BBE2BF5FF79687E3

After the initial information gathering, it invokes the 64-bit code again to inject a Formbook communications module payload into one of explorer.exe’s 64-bit child processes. This injected payload is then used for subsequent C&C server communications.

After injection and RIP manipulation, execution returns to 32‑bit code, which sends a WM_COMMAND message via PostThreadMessageW to the communications module thread waiting for user requests, resuming its execution. The injected payload runs from a different entry point and serves as the communications module.

Following injection, it repeats the cycle of information collection, command reception, and command execution. During collection, it harvests various browser and email data, including:

  • Windows information

  • Email profiles (Outlook, Thunderbird, Foxmail, etc.)

  • Browser (Internet Explorer, Firefox, Chrome, etc.) personal data

  • Windows Vault credentials

Collecting sensitive data

caption - Collecting sensitive data

For Chrome’s Login Data, the database is copied to %Temp%\IE13ci5 and then queried via SQL to extract the data.

Login Data copy logic

caption - Login Data copy routine

All collected data is stored in shared memory with the 64‑bit communications module process and is transmitted when the module communicates with the C&C server.

Formbook also receives data from the C&C server to execute remote commands. If the data received by the communications module and saved to shared memory begins with the magic string "XLNG," the next byte is treated as the opcode.

Packet parsing routine

caption - Packet parsing routine

Command identifiers consist of "1" through "9," with each corresponding to a specific action.

| Command | Behavior |
| --- | --- |
| "1" | Download files with the extensions exe, dll, and ps1, save them to the `%Temp%` directory, and execute them. |
| "2" | Download a PE file, verify its header, save it to the `%Temp%` directory, and execute it. |
| "3" | Self-delete and restart explorer.exe. |
| "4" | Download and execute an exe or ps1 file in the `%Temp%` directory. |
| "5" | Collect browser data (cookies, login credentials, profiles, sessions). |
| "6" | Collect Windows, operating system, and user name information. |
| "7" | Reboot the system. |
| "8" | Shut down the system. |
| "9" | Do nothing. |
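The two pieces of Formbook's data handling described above, the RC4/Base64/"PKT2:" report encryption and the "XLNG"-framed inbound commands, are small enough to reproduce as an added example (not code from the post or from Formbook). Which of the two quoted RC4 keys belongs to which layer, and the exact field layout of the collected profile, are assumptions of this example; the sample report is constructed.

```python
"""Formbook report encryption and C2 command framing (added example, not the post's code)."""
import base64

# RC4 keys quoted in the post. The mapping first key = inner layer, second key = outer layer
# is an assumption of this example.
FIRST_RC4_KEY = bytes.fromhex("1DC0668A628EA91766A75C87319A23B24939C07B")
SECOND_RC4_KEY = bytes.fromhex("3A665CF99A9B7A79F4FECB77BBE2BF5FF79687E3")
MAGIC = b"XLNG"
COMMANDS = {  # opcode byte -> behaviour, from the command table above
    b"1": "download exe/dll/ps1 to %Temp% and execute",
    b"2": "download PE, verify header, save to %Temp%, execute",
    b"3": "self-delete and restart explorer.exe",
    b"4": "download and execute exe/ps1 in %Temp%",
    b"5": "collect browser data",
    b"6": "collect Windows/OS/user name information",
    b"7": "reboot",
    b"8": "shut down",
    b"9": "no-op",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_report(plaintext: bytes) -> bytes:
    """RC4 -> Base64 -> prepend 'PKT2:' -> RC4 again, the three steps listed in the post."""
    inner = base64.b64encode(rc4(FIRST_RC4_KEY, plaintext))
    return rc4(SECOND_RC4_KEY, b"PKT2:" + inner)


def decrypt_report(blob: bytes) -> bytes:
    """Reverse of encrypt_report; the PKT2 marker doubles as a check that the outer key is right."""
    outer = rc4(SECOND_RC4_KEY, blob)
    if not outer.startswith(b"PKT2:"):
        raise ValueError("no PKT2 marker: wrong key or not a Formbook report")
    return rc4(FIRST_RC4_KEY, base64.b64decode(outer[len(b"PKT2:"):]))


def parse_command(blob: bytes):
    """Split a received buffer into (opcode, description, payload); None if it is not XLNG-framed."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 1:
        return None
    opcode = blob[len(MAGIC):len(MAGIC) + 1]
    return opcode, COMMANDS.get(opcode, "unknown opcode"), blob[len(MAGIC) + 1:]


# Constructed sample profile: Windows information, then Base64 computer name and user name,
# colon-separated. The exact layout inside Formbook is an assumption here.
SAMPLE_REPORT = b":".join([
    b"Microsoft Windows 10 Pro",
    base64.b64encode(b"DESKTOP-TEST"),
    base64.b64encode(b"victim"),
])

if __name__ == "__main__":
    wire = encrypt_report(SAMPLE_REPORT)
    print(len(wire), "bytes on the wire; recovered:", decrypt_report(wire))
    print(parse_command(b"XLNG1http://example.invalid/payload.exe"))
```

When carving Formbook traffic from a capture, decrypt_report is the practical test for a candidate key pair: a wrong outer key never produces the PKT2 marker, so the check fails fast without needing to guess at the plaintext.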

Formbook Communication Module

The payload injected into the 64-bit process initiates communications with the C&C server. Formbook stores not only the real C&C address but also numerous decoy C&C addresses and sends requests to all of them, which makes identifying the real C&C difficult.

Decrypted domains

caption - Decrypted domains

The malware dynamically decrypts the encrypted C&C server URLs and issues requests to them. Exfiltrated data is included in packets after custom encryption followed by Base64 encoding. The collected URLs are attached in the appendix under “Formbook URLs.”

The communications module also collects clipboard data via the GetClipboardData API and stores it in shared memory. The clipboard data is sent to the C&C server together with sensitive information that the information-collection module running in runonce.exe has written to shared memory.

Functions for collecting clipboard data

caption - Functions for collecting clipboard data

3. Additional malware and attribution

3.1. Malware distributed from the same IP

Additional malware was obtained that decrypts and executes files downloaded from the same IP (158.247.250[.]251). Although the initial access vector could not be determined, most were delivered as RAR archives, suggesting distribution via phishing emails in a manner similar to the analyzed malware.

The detailed information on the additional malware is as follows.

| Name | MD5 | Base64 Encoded AES Key | Base64 Encoded AES IV | User-Agent |
| --- | --- | --- | --- | --- |
| ljwflx.exe | 81bfe3b3204ede1fca418e44aa19b310 | KnJ27qGTjAZZNKQexmBuXSOnnFvFQv/BKoLXk48czKg= | +PNBK7GBbAf397zUxJVbQA== | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/96.0.4693.80 |
| Kahogdwhj.exe | 52a321e48902b8fbd1e984d9bd15f278 | PDXdRECJmaHFmRrowwO11ODbcK9klmg78nXy4Dd9VuE= | 3Dma78UCdly9DQH6md97kw== | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0 |
| Endolsydm.exe | 310ebb7ca19ff9b75d4054c340b0c82e | x1ehIEX7Pxv5/8qKPc91WFsl+5PCPtjdaxJZa0J05+c= | eCzZQvqLFuqZ5qiO471g2g== | Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Mobile Safari/537.36 |
| lkdsnivzaem.exe | ca9cb7bb06398670abc6d19186c336cd | auCoaTwzm/qB/9TAvmSm81zuddQ/sJbMELul5a5ti6s= | oH8nCT02nAmvySgN5wye6g== | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/96.0.4693.80 |

Directory listing was enabled on the C&C server at 158.247.250[.]251, exposing its files, and modifications continued at least until June 3. At the time of analysis, four files (including the analyzed sample) were available for download, and one additional file could be decrypted.

C&C server root directory

caption - C&C server root directory

The additional second-stage PureCrypter loader was obfuscated with .NET Reactor, the same as the analyzed malware.

Csxkd.dll internal classes

caption - Csxkd.dll internal classes

In the same manner, a string hash table and deserialized data can be inspected. The key and IV are as follows.

  • base64 encoded key : "aOmN7DquQ0DhLOXV9UsPjyqVGWY5RNEE2rx2fcmP/pk="

  • base64 encoded IV : "numBuSJgCDpuy8TlrrBsIg=="

The additional malware ultimately injects a Formbook payload identical in hash to the analyzed sample.

After the second week of June, the C&C server was deactivated and the files were no longer accessible. Lastly, in the final week of June, a b374k web shell file, admin.php, was found in the root path.

Uploaded b374k web shell

caption - Uploaded b374k web shell

3.2. Additional C&C servers

Based on the User-Agent strings, .NET PureCrypter downloaders developed around the same time were identified. The discovered malware samples not only used attacker‑controlled C&C servers as in the analyzed case, but also uploaded files to compromised websites or shared drives and then downloaded them. They were distributed in multiple archive formats, including RAR files as well as ISO images and 7z.

User-Agent information configured inside PureCrypter alone is insufficient to conclusively attribute these samples to the same actor. Therefore, only malware that was distributed from attacker‑controlled C&C servers showing the same SSL thumbprint as the analyzed case and that retained Formbook‑related detection names was selected.

  • C&C

161.248.239[.]119
95.214.54[.]164
195.177.94[.]43
147.135.109[.]

All observed cases involved malware packed with PureCrypter; besides Formbook, other families such as SnakeKeylogger were also distributed.

As most of the infrastructure is currently inaccessible, the final payloads that were stored on the servers cannot be verified.

3.3. Association with Kimsuky C&C infrastructure

The malware distribution server, South Korean IP 158.247.250[.]251, exhibits some similarities with infrastructure attributed to the North Korea–nexus group Kimsuky. EnkiWhiteHat’s Threat Research Team has continuously monitored related threats since analyzing Kimsuky’s GitHub‑abuse campaign in the first half of 2025. In the course of this work, a XenoRAT C&C server with commonalities with the Formbook distribution server was identified at 158.247.240[.]40.

The commonalities identified are shown in the table below.

| Features | `158.247.250[.]251` | `158.247.240[.]40` |
| --- | --- | --- |
| Webshell Path | /admin.php | /admin.php |
| Webshell Type | b374k | b374k |
| Mapped Domain | *.store | *.store |
| JARM Fingerprint | 07d19d12d21d21d07c42d43d0000009424803a662b126a748cf4f90707a33c | 07d19d12d21d21d07c42d43d0000009424803a662b126a748cf4f90707a33c |

Additionally, domains mapped to 158.247.250[.]251—such as menavcorp[.]store and nidlip.onlinenservicesite[.]store—indicate intent to leverage this C&C server for Naver‑themed phishing. Historically, Kimsuky has often used domains of the pattern {Naver‑related keyword}[.]store in phishing targeting Korean users.

4. Course of Action

4.1. Avoid downloading and executing email attachments from suspicious sources.

Korean text present in the embedded images suggests the attacker targeted Korean individuals during initial access. Also, the sender domain was spoofed to look like DHL’s official domain and used the common "noreply" string seen in legitimate automated emails to reduce suspicion.

When receiving a suspicious email of this kind, refrain from downloading or running attachments, and actively use scanning services such as VirusTotal to check whether the archived files exhibit malicious behavior.

Phishing email with Korean text in image

caption - Phishing email with Korean text in image

In this case, however, the attached archive was not password-protected, so it was subject to scanning by the browser and by security software, giving users a chance to recognize the risk.

5. Conclusion

In this article, a case of Formbook malware distribution from a South Korean IP via phishing emails was analyzed. The final malware, Formbook, was loaded by PureCrypter and performs actions such as exfiltrating compromised PC information and executing remote commands.

In the analyzed case, the modular, multi‑stage Formbook was further shielded by PureCrypter, obscuring behavior and complicating analysis. As security and detection technologies advance, evasion techniques enabling stealthy and successful malicious operations continue to evolve in parallel.

Similarities with Kimsuky's attack infrastructure were also found on the C&C servers used in the attack. The analyzed case differs in several respects from Kimsuky's recent patterns, and it remains plausible that a single IP was used by multiple actors; still, the supporting similarities include historical mapping to Naver-themed phishing domains, the presence of a b374k-type web shell on the C&C server, and a matching JARM fingerprint.

Phishing emails impersonating multiple companies and institutions continue to be observed as a distribution vector for malware. Attackers exploit perceived trust in known brands to lower vigilance and drive infections, so heightened caution and rigorous security measures are required at both the individual and organizational levels.

6. Appendix

Appendix A. MITRE ATT&CK

| Tactics | Techniques |
| --- | --- |
| Initial Access | T1566.001: Phishing: Spearphishing Attachment |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell; T1059.003: Command and Scripting Interpreter: Windows Command Shell; T1047: Windows Management Instrumentation; T1204.002: User Execution: Malicious File |
| Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002: Obfuscated Files or Information: Software Packing; T1027.014: Obfuscated Files or Information: Encrypted/Encoded File; T1055.002: Process Injection: Portable Executable Injection; T1055.003: Process Injection: Thread Execution Hijacking; T1055.012: Process Injection: Process Hollowing; T1134.001: Access Token Manipulation: Token Impersonation/Theft; T1140: Deobfuscate/Decode Files or Information; T1497.001: Virtualization/Sandbox Evasion: System Checks; T1622: Debugger Evasion; T1070.010: Indicator Removal: Relocate Malware |
| Discovery | T1057: Process Discovery; T1082: System Information Discovery |
| Collection | T1115: Clipboard Data; T1005: Data from Local System |
| Command and Control | T1095: Non-Application Layer Protocol; T1071: Application Layer Protocol: Web Protocols; T1665: Hide Infrastructure; T1132.001: Data Encoding: Standard Encoding; T1573.001: Encrypted Channel: Symmetric Cryptography |
| Exfiltration | T1041: Exfiltration Over C2 Channel |

Appendix B. IOCs

Hash


C&C


Mutex

  • Xilnulmx

  • Ncppn

User-Agent

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/96.0.4693.80

  • Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0

  • Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Mobile Safari/537.36

Email

  • noreplychleeportchlee@dhl.com

Appendix C. Formbook URLs


EnkiWhiteHat

Offensive security experts delivering deeper security through an attacker's perspective.

Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.