From e4c5d7696bd685cabb5c8517d6fbe0d511e075ce Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Fri, 13 Oct 2023 16:03:10 +0100
Subject: [PATCH] Formbook updates

---
 analyzer/windows/data/yara/Formbook.yar | 40 ++++++++++++++++++---
 changelog.md | 1 +
 data/yara/CAPE/Formbook.yar | 18 ++++++++++
 modules/processing/parsers/CAPE/Formbook.py | 26 +++++++-------
 4 files changed, 68 insertions(+), 17 deletions(-)
 create mode 100644 data/yara/CAPE/Formbook.yar

diff --git a/analyzer/windows/data/yara/Formbook.yar b/analyzer/windows/data/yara/Formbook.yar
index 74203f6063a..23c0a9acf1f 100644
--- a/analyzer/windows/data/yara/Formbook.yar
+++ b/analyzer/windows/data/yara/Formbook.yar
@@ -2,10 +2,42 @@ rule Formbook
 {
     meta:
         author = "kevoreilly"
-        description = "Formbook Anti-analysis Bypass"
-        cape_options = "bp0=$remap_ntdll-25,action0=setedx:ntdll,count=0"
+        description = "Formbook Anti-hook Bypass"
+        cape_options = "bp0=$remap_ntdll_0,action0=setedx:ntdll,count0=1,bp1=$remap_ntdll_1,action1=setptr:esi+12::ntdll,count1=1"
+        packed = "9e38c0c3c516583da526016c4c6a671c53333d3d156562717db79eac63587522"
+        packed = "b8e44f4a0d92297c5bb5b217c121f0d032850b38749044face2b0014e789adfb"
     strings:
-        $remap_ntdll = {6A 00 6A 04 8D 4D ?? 51 6A 07 52 56 E8 [4] 8B 45 ?? 83 C4 20 3B 06 0F 95 C1 84 C9 74 0E 33 C0 B2 FF 00 54 30 ?? 40 83 F8 0D 72 F6}
+        $remap_ntdll_0 = {33 56 04 8D 86 [2] 00 00 68 F0 00 00 00 50 89 56 ?? E8 [4] 8B [1-5] 6A 00 6A 04 8D 4D ?? 51 6A 07 52 56 E8 [4] 8B 45 ?? 83 C4 20 3B}
+        $remap_ntdll_1 = {33 56 0C 8D 86 [2] 00 00 68 F0 00 00 00 50 89 56 ?? E8 [4] 8B [1-5] 6A 00 6A 04 8D 4D ?? 51 6A 07 52 56 E8 [4] 8B 45 ?? 83 C4 20 3B}
     condition:
-        $remap_ntdll
+        any of them
+}
+
+rule FormconfA
+{
+    meta:
+        author = "kevoreilly"
+        description = "Formbook Config Extraction"
+        cape_options = "clear,bp0=$c2,action0=string:rcx+1,bp1=$decoy+67,action1=string:rcx+1,count=0,typestring=Formbook Config"
+        packed = "b8e44f4a0d92297c5bb5b217c121f0d032850b38749044face2b0014e789adfb"
+    strings:
+        $c2 = {44 8B C6 48 8B D3 49 8B CE E8 [4] 44 88 23 41 8B DD 48 8D [2] 66 66 66 0F 1F 84 00 00 00 00 00 BA 8D 00 00 00 41 FF C4}
+        $decoy = {8B D7 0F 1F 44 00 00 0F B6 03 FF C0 48 98 48 03 D8 48 FF CA 75 ?? 44 0F B6 03 48 8D 53 01 48 8D 4C [2] E8}
+    condition:
+        all of them
+}
+
+rule FormconfB
+{
+    meta:
+        author = "kevoreilly"
+        description = "Formbook Config Extraction"
+        cape_options = "clear,bp0=$c2,action0=string:rcx+1,bp1=$decoy,action1=string:rcx+1,bp2=$config,action2=scan,count=0,typestring=Formbook Config"
+        packed = "ad81131f4f7e0ca1b4b89f17e63d766b1b4c18d1cb873db08de57ed86f9bb140"
+    strings:
+        $c2 = {44 0F B6 5D ?? 45 84 DB 74 ?? 48 8D 4D [1-5] 41 80 FB 2F 74 11 0F B6 41 01 48 FF C1 FF C3 44 0F B6 D8 84 C0 75}
+        $decoy = {45 3B B5 [2] 00 00 44 8D 1C 33 48 8D 7D ?? 42 C6 44 [2] 00 49 0F 44 FF 48 8B CF E8}
+        $config = {40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D AC 24 [4] 48 81 EC [2] 00 00 45 33 F6 33 C0 4C 8B E9 4C 89 75}
+    condition:
+        any of them
 }
diff --git a/changelog.md b/changelog.md
index 5392b455053..488b32bc1f9 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,5 @@
 ### [13.10.2023]
+* Formbook updates
 * Monitor updates:
 * NtContinueEx hook
 * Debugger action enhancements: setptr, patch, sleep, exit
diff --git a/data/yara/CAPE/Formbook.yar b/data/yara/CAPE/Formbook.yar
new file mode 100644
index 00000000000..8815b1241f7
--- /dev/null
+++ b/data/yara/CAPE/Formbook.yar
@@ -0,0 +1,18 @@
+rule Formbook
+{
+    meta:
+        author = "kevoreilly"
+        description = "Formbook Payload"
+        cape_type = "Formbook Payload"
+        packed = "9e38c0c3c516583da526016c4c6a671c53333d3d156562717db79eac63587522"
+        packed = "2379a4e1ccdd7849ad7ea9e11ee55b2052e58dda4628cd4e28c3378de503de23"
+    strings:
+        $remap_ntdll = {33 56 0? 8D 86 [2] 00 00 68 F0 00 00 00 50 89 56 ?? E8 [4] 8B [1-5] 6A 00 6A 04 8D 4D ?? 51 6A 07 52 56 E8 [4] 8B 45 ?? 83 C4 20 3B}
+        $rc4dec = {F7 E9 C1 FA 03 8B C2 C1 E8 1F 03 C2 8D 04 80 03 C0 03 C0 8B D1 2B D0 8A 04 3A 88 8C 0D [4] 88 84 0D [4] 41 81 F9 00 01 00 00 7C}
+        $decrypt = {8A 50 01 28 10 48 49 75 F7 83 FE 01 76 14 8B C7 8D 4E FF 8D 9B 00 00 00 00 8A 50 01 28 10 40 49 75 F7}
+        $string = {33 C0 66 39 01 74 0B 8D 49 00 40 66 83 3C 41 00 75 F8 8B 55 0C 8D 44 00 02 50 52 51 E8}
+        $mutant = {64 A1 18 00 00 00 8B 40 ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 8B E5 5D C3}
+        $postmsg = {8B 7D 0C 6A 00 6A 00 68 11 01 00 00 57 FF D6 85 C0 75 ?? 50}
+    condition:
+        2 of them
+}
\ No newline at end of file
diff --git a/modules/processing/parsers/CAPE/Formbook.py b/modules/processing/parsers/CAPE/Formbook.py
index e9ab4b2fd08..d24980fc78b 100644
--- a/modules/processing/parsers/CAPE/Formbook.py
+++ b/modules/processing/parsers/CAPE/Formbook.py
@@ -1,22 +1,22 @@
 def extract_config(data):
     config_dict = {}
-    if data[:4] != b"POST":
-        return
+    i = 0
     try:
         lines = data.decode().split("\n")
     except Exception:
         return
-    i = 0
-    while lines[i] != "dat=":
-        i += 1
-    if lines[i] == "dat=":
-        config_dict["C2"] = lines[i + 1]
-        decoys = []
-        i += 2
-        while len(lines[i]) > 0:
-            decoys.append(lines[i])
+    if lines[0].startswith("POST"):
+        while lines[i] != "dat=":
+            i += 1
+        if lines[i] == "dat=":
             i += 1
-        config_dict["Decoys"] = decoys
-    else:
+    elif "www." not in lines[0]:
         return
+    config_dict["C2"] = lines[i]
+    decoys = []
+    i += 1
+    while len(lines[i]) > 0:
+        decoys.append(lines[i])
+        i += 1
+    config_dict["Decoys"] = decoys
     return config_dict
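Review bot: The two index walks in the new body, `while lines[i] != "dat=":` and `while len(lines[i]) > 0:`, still run off the end of `lines` and raise IndexError when a POST body carries no `dat=` line or the decoy list is not terminated by an empty line, so a single malformed dump aborts extraction with a traceback instead of returning nothing; the input here appears to be strings captured from a sample (the companion YARA rules set `typestring=Formbook Config`), which is not something the parser should trust to be well-formed. Replacing the first walk with a membership test plus `lines.index("dat=")` and the second with a bounded slice removes both failure modes without changing the accepted layouts. The check `if lines[i] == "dat=":` after the loop is always true, because the loop only exits on equality, and disappears with the index lookup. extract_config is the whole file, so the function starts and ends inside this hunk; a docstring naming the two accepted inputs (a POST body with a `dat=` marker followed by the C2, or a bare host line containing `www.`) and the return contract (`None` when nothing is recognised) would help the next reader.
```python
def extract_config(data):
    config_dict = {}
    # … unchanged: decode data and split it into lines …
    if lines[0].startswith("POST"):
        if "dat=" not in lines:
            return
        i = lines.index("dat=") + 1
    elif "www." not in lines[0]:
        return
    else:
        i = 0
    if i >= len(lines):
        return
    config_dict["C2"] = lines[i]
    decoys = []
    # stop at the first empty line or at end of input; never index past len(lines)
    for line in lines[i + 1:]:
        if not line:
            break
        decoys.append(line)
    config_dict["Decoys"] = decoys
    return config_dict
```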