Severity: High. Category: Phishing.

Formbook/XLoader Unpacked: Three-Layer AutoIt Wrapper, Recovered XOR Keys, and an Operator's XAMPP Build Server Exposed

Published: March 12, 2026
Reference: https://github.com/uint8ptr/formbook-config-extractor
Tags: phishing, credential-theft, c2, botnet, apt

TL;DR: A fresh Formbook/XLoader infostealer sample compiled March 5, 2026 uses a three-layer delivery architecture -- an AutoIt v3 wrapper drops an XOR-encrypted blob to %TEMP%, decrypts it with a recoverable 20-byte key (WADEJD3GLJQWUK1CSRTG), and executes the Formbook core via process hollowing. The Formbook payload itself dates to May 2021, confirming a long-running base kit reused across campaigns. Operator OPSEC failures leak a XAMPP-based build environment (D:\xampp\htdocs\8HYUIOMQ9R\) running under the default Administrator account, with timestamps clustered within 16 seconds -- pointing to automated malware generation infrastructure.


The Three-Layer Kill Chain

The sample arrives as a 1.2 MB PE32 executable compiled with AutoIt v3. At no point does the binary contain a plaintext Formbook payload. Instead, it implements a three-stage unpacking chain, each layer using a different encryption scheme, designed to defeat both static analysis and AV signature scans.

[Phishing Email]
       |
       v
[ZIP/RAR Archive]
       |
       v
[Outer PE] AutoIt v3 Wrapper (1,261,568 bytes)
  |  SHA256: 8e59fd060314be...0d558a
  |  Compiled: 2026-03-05 00:17:06 UTC
  |
  |-- FileInstall: drops "intersentimental" to %TEMP%
  |-- Builds 27,892-byte shellcode in memory
  |-- Decrypts shellcode with key "Tc55s2WqM"
  |-- VirtualAlloc(PAGE_EXECUTE_READWRITE)
  |-- Executes shellcode at offset 0x23B0
       |
       v
[Shellcode] Process hollowing setup
  |  Reads "intersentimental" from %TEMP%
  |  XOR decrypts with key: WADEJD3GLJQWUK1CSRTG
       |
       v
[Formbook Core PE] (282,112 bytes)
  |  Compiled: 2021-05-23 03:27:59 UTC (reused base kit)
  |  Single .text section, entropy 7.995
  |
  |-- PUSHEBP VM + RC4 + SHA1 self-decryption
  |-- API resolution via hash tables
  |-- Process injection into legitimate Windows processes
       |
       v
[Formbook Active]
  |-- Form grabbing / keylogging / clipboard / screenshots
  |-- C2 over HTTP with real server hidden among 64 decoys

The three layers use entirely different algorithms: a custom byte-level subtraction cipher for AutoIt string obfuscation, repeating multi-byte XOR for the intermediate payload, and Formbook's signature PUSHEBP virtual machine with RC4/SHA1 for the core binary. This layering means no single decryption approach works across all stages.

Layer 1: The AutoIt Wrapper

The outer executable is a standard AutoIt v3 compiled binary. Extracting the embedded script (via tools like AutoIt-Ripper) reveals 3,788 lines of AutoIt code -- but the vast majority is dead code injected purely to waste analyst time.

Property    Value
SHA256      8e59fd060314be874b16a85af69bac2ca32bb8570698d635d33aa18c9b0d558a
MD5         871faf43e48c37ed1d378331ef109c9f
Size        1,261,568 bytes (1.2 MB)
Compiler    AutoIt v3.2.6+ (Aut2Exe; EA06 script format)
Compiled    2026-03-05 00:17:06 UTC
Sections    5 (.text, .rdata, .data, .rsrc, .reloc)

String Obfuscation

Every meaningful string in the AutoIt script -- API names, DLL names, struct definitions -- is encrypted with a custom cipher using the key Tc55s2WqM. The decryption function (LCOUQUA) subtracts key character ordinals from ciphertext character ordinals mod 256. On top of this, API call strings are split across concatenated fragments and evaluated with Execute():

Execute("D" & "llC" & "al" & "l(...")

This double layer -- encrypted strings reconstructed through concatenation and runtime evaluation -- defeats static signature matching on API names and simple string extraction; the strings only exist in cleartext transiently, after Execute() has assembled them.

Dead Code Camouflage

Approximately 3,700 of the script's 3,788 lines are non-functional junk: random GUI operations, FileGetTime calls, MouseDown events, and meaningless variable assignments. The actual payload logic -- building the shellcode buffer $RTRADVU, calling VirtualAlloc, and executing via DllCallAddress -- hides within fewer than 100 lines scattered throughout the noise.

Layer 2: The XOR-Encrypted Payload

The AutoIt wrapper uses FileInstall to drop a file named intersentimental to the victim's %TEMP% directory. This file is 282,112 bytes of encrypted data with near-maximum entropy (7.9959), indistinguishable from random noise at first glance.

Property        Value
SHA256          e8fea95881613739a30cad101e5cc5409524fb04efdcd4b8304ee56b6af0920f
MD5             804153d7fd7509f650e368bd151ddebf
Size            282,112 bytes
Entropy         7.9959 (encrypted)
XOR key         WADEJD3GLJQWUK1CSRTG (20 bytes)
Key alignment   Offset 17 bytes from file start

Key Recovery

The XOR key was recovered through frequency analysis. PE files contain large regions of null bytes (section padding, alignment gaps), and XORing null bytes with a repeating key produces the key itself in the ciphertext. Scanning the encrypted payload for repeating 20-character patterns corresponding to null plaintext regions revealed the key WADEJD3GLJQWUK1CSRTG at multiple offsets, confirming a simple repeating XOR with no additional transformations.
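The recovery described above, as an added example rather than the report's tooling: index of coincidence picks the key length, the most frequent byte in each key-aligned column gives that column's key byte (because 0x00 dominates the plaintext), and a known-plaintext check on MZ/PE confirms the result. The payload is constructed here (a fake PE image with dense code and zero padding); only the key and its alignment of 17 are taken from the report.

```python
"""Recover a repeating-XOR key from an encrypted PE by null-byte frequency analysis.

Added example, not the report's tooling. Zero padding in a PE XORed with a
repeating key leaks the key, so the most frequent byte in each key-aligned
column of the ciphertext is that column's key byte. Key length is picked by
index of coincidence. The payload is constructed (fake PE: headers, dense
pseudo-random code, zero padding); only the key and the alignment of 17 are
the report's.
"""
import random
import struct
from collections import Counter
from typing import Tuple

REPORT_KEY = b"WADEJD3GLJQWUK1CSRTG"


def index_of_coincidence(column: bytes) -> float:
    """Probability that two bytes drawn from the column are equal (~1/256 if random)."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(column).values()) / (n * (n - 1))


def guess_key_length(ct: bytes, max_len: int = 64) -> int:
    """Shortest key length whose columns look clearly non-random.

    Multiples of the true length score just as well, so take the smallest
    length within 10% of the best score instead of the absolute maximum.
    """
    scores = {k: sum(index_of_coincidence(ct[i::k]) for i in range(k)) / k
              for k in range(1, max_len + 1)}
    best = max(scores.values())
    return min(k for k, s in scores.items() if s >= 0.9 * best)


def recover_column_key(ct: bytes, klen: int) -> bytes:
    """Key byte per file-offset column, assuming 0x00 is the dominant plaintext byte."""
    return bytes(Counter(ct[i::klen]).most_common(1)[0][0] for i in range(klen))


def xor_repeating(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """data[i] ^ key[(i - phase) % len(key)]; phase is the file offset where key[0] first lands."""
    klen = len(key)
    return bytes(b ^ key[(i - phase) % klen] for i, b in enumerate(data))


def key_phase(column_key: bytes, canonical: bytes) -> int:
    """Offset at which the canonical key string starts, or -1 if column_key is not a rotation of it."""
    klen = len(canonical)
    for phase in range(klen):
        if bytes(canonical[(i - phase) % klen] for i in range(klen)) == column_key:
            return phase
    return -1


def looks_like_pe(data: bytes) -> bool:
    """Known-plaintext sanity check: MZ at offset 0 and e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover(ct: bytes) -> Tuple[bytes, bytes]:
    """Return (column key, decrypted bytes). The column key is indexed by file offset, so no rotation is needed."""
    col_key = recover_column_key(ct, guess_key_length(ct))
    return col_key, xor_repeating(ct, col_key)


def build_fake_pe(seed: int = 1337) -> bytes:
    """Constructed stand-in for a PE image: MZ/PE headers, 4 KiB of dense code, 12 KiB of zero padding."""
    rng = random.Random(seed)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + bytes(rng.randrange(256) for _ in range(4096)) + bytes(12288)


if __name__ == "__main__":
    plaintext = build_fake_pe()
    ciphertext = xor_repeating(plaintext, REPORT_KEY, phase=17)   # key[0] lands at offset 17, as in the report
    col_key, recovered = recover(ciphertext)
    print("key length:", len(col_key))
    print("column key:", col_key)
    print("phase     :", key_phase(col_key, REPORT_KEY))
    print("decrypted :", looks_like_pe(recovered) and recovered == plaintext)
```

The column key decrypts directly because it is indexed by file offset; rotating it back to the published string (key_phase) only matters when comparing against a known key, which is how the alignment of 17 above is read off. On a payload with too little zero padding for the column mode to be reliable, fall back to the MZ/PE known-plaintext check over all rotations of a candidate key.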

The shellcode ($RTRADVU, 27,892 bytes, SHA256: 71994e5a873960ea0cf9beeccd9047883b3e6fd60c68f649e8e7a36a45e77457) reads the dropped file, applies the XOR decryption, and sets up process hollowing to inject the resulting PE into a legitimate Windows process.

Layer 3: The Formbook Core

After XOR decryption, the result is a valid PE32 binary -- the actual Formbook infostealer. This binary is architecturally distinctive: a single .text section at near-maximum entropy (7.995), an empty import table, and no readable strings.

Property          Value
SHA256            34265b21d08db558cef3273edd46e78f5aef684b6da22c208e9d44c48f284918
MD5               239434cc0b1ad3e68938a8885552d26a
SHA1              ed54ac5753c012bf39e949e5eabb233b0bc55f7a
Size              282,112 bytes
Compiled          2021-05-23 03:27:59 UTC
Sections          1 (.text only, 278,016 bytes)
Imports           None (runtime resolution via API hashing)
Rich Header MD5   b8624b188b7f0dd8b47cd4fcffe1e0ff

The May 2021 compile timestamp on the Formbook core is significant. This is not a freshly built payload -- it is a long-running base kit that operators purchase from underground markets and wrap in new delivery mechanisms. The operator's contribution is the AutoIt packing layer; the Formbook engine itself has been circulating for nearly five years.

Formbook's Internal Encryption

The core binary implements Formbook's well-documented multi-stage self-decryption:

  1. PUSHEBP VM -- encrypted code blocks disguised as x86 function prologues (push ebp; mov ebp, esp) that are actually VM bytecode
  2. RC4 decryption with modified pre/post subtraction encoding
  3. SHA1-derived keys using a modified SHA1 implementation (DWORD-reversed output)

Static extraction of C2 URLs, API hash tables, and configuration data from this layer requires x86 emulation or sandbox execution. The encrypted content includes the real C2 server address hidden among 64 decoy domains -- a Formbook signature designed to make network-level C2 identification unreliable without behavioral analysis.

Infostealer Capabilities

Once fully unpacked in memory, Formbook provides a comprehensive credential theft toolkit:

  • Form grabbing -- intercepts form submissions from browsers and email clients
  • Keylogging -- via RegisterHotKey and GetForegroundWindow hooks
  • Clipboard monitoring -- IsClipboardFormatAvailable, CountClipboardFormats
  • Screenshot capture -- GDI32.dll-based screen capture
  • C2 communication -- HTTP GET/POST with RC4+Base64 encoded parameters, character substitution (+ to -, / to _, = to .)
  • Process injection -- hollowing into legitimate Windows processes for persistence and evasion
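The parameter encoding in the C2 bullet above (and the Data Encoding row of the ATT&CK table), as an added example that is not the report's or Formbook's code: RC4 followed by Base64 with the three substitutions, plus the inverse needed to read a captured POST body. It uses textbook RC4; the core's own RC4 variant adds the subtraction pre/post passes described under Formbook's Internal Encryption, so live traffic needs that variant and the per-sample key. The key, field names and beacon body are constructed.

```python
"""Formbook-style C2 parameter encoding: RC4, then Base64 with '+' -> '-', '/' -> '_', '=' -> '.'.

Added example, not the report's or the malware's code. Textbook RC4 is used;
the Formbook core's RC4 variant adds subtraction pre/post passes, so decoding
live traffic needs that variant plus the per-sample key. The key, field
names and beacon body below are constructed placeholders.
"""
import base64
import re
from typing import Dict

_TO_FORMBOOK = bytes.maketrans(b"+/=", b"-_.")
_FROM_FORMBOOK = bytes.maketrans(b"-_.", b"+/=")
_FORMBOOK_TOKEN = re.compile(r"^[A-Za-z0-9_-]+\.{0,2}$")   # substituted alphabet, '.' only as padding

SAMPLE_KEY = b"constructed-example-key"       # placeholder, not a Formbook key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def fb_encode(key: bytes, plaintext: bytes) -> str:
    """RC4, then Base64 with Formbook's three substitutions (URL-safe alphabet, '.' padding)."""
    return base64.b64encode(rc4(key, plaintext)).translate(_TO_FORMBOOK).decode("ascii")


def fb_decode(key: bytes, token: str) -> bytes:
    """Inverse of fb_encode: undo the substitutions, Base64-decode, RC4."""
    return rc4(key, base64.b64decode(token.encode("ascii").translate(_FROM_FORMBOOK)))


def is_formbook_token(token: str) -> bool:
    """Alphabet check usable in a detector: no '+', '/' or '='; '.' only as trailing padding."""
    return _FORMBOOK_TOKEN.match(token) is not None


def decode_beacon_body(key: bytes, body: str) -> Dict[str, bytes]:
    """Decode every name=token field of a POST body; '=' and '&' are safe separators because tokens never contain them."""
    out = {}
    for field in body.split("&"):
        name, _, token = field.partition("=")
        out[name] = fb_decode(key, token)
    return out


def build_sample_body(key: bytes = SAMPLE_KEY) -> str:
    """Constructed beacon body; field names are placeholders, not Formbook's real schema."""
    fields = {"dat": b"login=alice&pw=hunter2", "un": b"alice", "os": b"Windows 10 Pro 19045"}
    return "&".join(f"{name}={fb_encode(key, value)}" for name, value in fields.items())


if __name__ == "__main__":
    body = build_sample_body()
    print(body)
    for name, value in decode_beacon_body(SAMPLE_KEY, body).items():
        print(f"{name}: {value!r}")
```

The substitution is what lets the malware drop RC4 ciphertext straight into a query string without percent-encoding; the side effect a detector can use is that '.' shows up exactly where standard Base64 would have '=' padding, which is what the Suricata body rule below keys on.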

Anti-Analysis Arsenal

The sample deploys an unusually thorough set of anti-analysis techniques across all three layers:

Technique                 MITRE ID     Description
Fake .NET CLR Header      T1027.002    CLR data directory populated with garbage values (Size: 1043949126, Runtime: 62580.32139) to confuse .NET decompilers
Empty Import Table        T1027        Import table RVA zeroed; all API calls resolved at runtime via hash tables
Dead Code Injection       T1027.001    ~3,700 lines of non-functional AutoIt code obscure ~88 lines of actual payload logic
String Obfuscation        T1027        Custom subtraction cipher + string concatenation + Execute() evaluation
PCRE2 Engine              T1027        Full regex library embedded for form-grabbing target matching
Header Manipulation       T1027.002    DelayImport RVA corrupted to 0x7865742E (ASCII ".tex"); TLS directory present with callbacks
Multi-Layer Encryption    T1027.002    Three distinct algorithms across three layers (subtraction cipher, XOR, RC4+VM)
Process Hollowing         T1055.012    WriteProcessMemory / ReadProcessMemory / CreateProcessW for process hollowing
Anti-Debug                T1622        IsDebuggerPresent, QueryPerformanceCounter timing checks (Debugger Evasion)

The fake .NET CLR header is a particularly effective trick. Many automated analysis pipelines check for CLR metadata and route apparent .NET binaries to specialized decompilers (dnSpy, ILSpy). Populating the CLR data directory with garbage values sends the binary down the wrong analysis path, wasting time before an analyst realizes it is native x86 code wrapped in AutoIt.

Operator OPSEC Failures

The operator made several mistakes that reveal details about their build environment:

1. Build Path Exposure

D:\xampp\htdocs\8HYUIOMQ9R\intersentimental

The encrypted payload's source path was embedded in the AutoIt script. This reveals:

  • XAMPP web server installation on the D: drive -- a common local development stack popular among less sophisticated operators
  • Randomized 10-character directory (8HYUIOMQ9R) suggests an automated build pipeline that creates a unique workspace per campaign
  • Web server document root used as malware staging -- the operator may be using the same XAMPP instance to host C2 panels or phishing infrastructure

2. Default Administrator Account

C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\aut57A5.tmp
C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\aut5785.tmp.tok

The operator is using the default Windows Administrator account with a standard AutoIt v3 installation. No dedicated build user, no VM isolation, no path sanitization.

3. Timestamp Clustering

All compilation timestamps cluster within a 16-second window (00:16:50 to 00:17:06 UTC on March 5, 2026), confirming an automated build process rather than manual compilation. The operator likely has a script or builder tool that compiles the AutoIt wrapper, embeds the encrypted payload, and produces the final PE in a single automated run.

4. Static XOR Key Reuse

The 20-byte XOR key WADEJD3GLJQWUK1CSRTG is applied uniformly across the entire payload. Once recovered (trivially, via frequency analysis against PE null-byte regions), it decrypts the entire intermediate payload in a single pass. A more sophisticated operator would use per-block key derivation or at minimum a different key per campaign.

Network Indicators

Formbook's C2 communication follows a well-documented pattern: HTTP requests to www.domain[.]tld/xxxx/ where xxxx is a 4-character botnet identifier. The real C2 is encrypted within the core binary alongside 64 decoy domains, and extraction requires sandbox execution.

Recent Formbook C2 domains from ThreatFox reporting during the same campaign period (February-March 2026):

www[.]yakutianguide[.]ru
www[.]xtmmm[.]top
www[.]xfqjrms[.]bond
www[.]xeoc[.]shop
www[.]xn--essncesensorial-tnb[.]com[.]br

MITRE ATT&CK Mapping

Tactic                Technique                            ID           Implementation
Execution             AutoIt Scripting                     T1059.010    AutoIt v3 wrapper executes obfuscated loader script
Execution             Native API                           T1106        DllCall to VirtualAlloc, DllCallAddress for shellcode execution
Defense Evasion       Obfuscated Files                     T1027        Three-layer encryption, string obfuscation, dead code injection
Defense Evasion       Software Packing                     T1027.002    AutoIt compiled script, XOR encryption, PUSHEBP VM packing
Defense Evasion       Indicator Removal: File Deletion     T1070.004    Innocuously named drop ("intersentimental") in %TEMP% is read back and removed after decryption
Defense Evasion       Process Injection: Process Hollowing T1055.012    Process hollowing via WriteProcessMemory/CreateProcessW
Defense Evasion       Deobfuscate/Decode                   T1140        Runtime XOR decryption, LCOUQUA string decryption function
Defense Evasion       Debugger Evasion                     T1622        IsDebuggerPresent, QueryPerformanceCounter timing checks
Credential Access     Input Capture: Keylogging            T1056.001    RegisterHotKey, GetForegroundWindow hooks
Credential Access     Credentials from Web Browsers        T1555.003    Form grabbing from browser processes
Collection            Clipboard Data                       T1115        IsClipboardFormatAvailable, CountClipboardFormats monitoring
Collection            Screen Capture                       T1113        GDI32.dll-based screenshot capability
Discovery             Process Discovery                    T1057        Process32FirstW, Process32NextW enumeration
Discovery             System Information Discovery         T1082        GetVolumeInformationW, IsWow64Process fingerprinting
Command and Control   Application Layer Protocol: Web      T1071.001    HTTP/HTTPS C2 with encrypted parameters
Command and Control   Data Encoding: Non-Standard Encoding T1132.002    RC4+Base64 with character substitution (+ to -, / to _, = to .)
Persistence           Registry Run Keys                    T1547.001    RegCreateKeyExW, RegSetValueExW for persistence

Indicators of Compromise

File Indicators

# Outer Wrapper (AutoIt)
SHA256: 8e59fd060314be874b16a85af69bac2ca32bb8570698d635d33aa18c9b0d558a
MD5:    871faf43e48c37ed1d378331ef109c9f
SHA1:   c9842e3dfb8f6f44ff08ff5790b231ede99c57d3

# Encrypted Intermediate ("intersentimental")
SHA256: e8fea95881613739a30cad101e5cc5409524fb04efdcd4b8304ee56b6af0920f
MD5:    804153d7fd7509f650e368bd151ddebf

# Decrypted Formbook Core
SHA256: 34265b21d08db558cef3273edd46e78f5aef684b6da22c208e9d44c48f284918
MD5:    239434cc0b1ad3e68938a8885552d26a
SHA1:   ed54ac5753c012bf39e949e5eabb233b0bc55f7a
Rich Header MD5: b8624b188b7f0dd8b47cd4fcffe1e0ff

# Shellcode ($RTRADVU)
SHA256: 71994e5a873960ea0cf9beeccd9047883b3e6fd60c68f649e8e7a36a45e77457

# AutoIt Script (extracted)
SHA256: 4e471830ea7d46d3a81dba7770730acb90627071a42937b7a3016db446de971b

Behavioral Indicators

# Dropped files
%TEMP%\intersentimental

# Decryption keys
WADEJD3GLJQWUK1CSRTG  (20-byte XOR key, payload decryption)
Tc55s2WqM             (9-byte key, AutoIt string deobfuscation)

# Build artifacts (operator environment)
D:\xampp\htdocs\8HYUIOMQ9R\intersentimental
C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\aut57A5.tmp
C:\Users\Administrator\AppData\Local\AutoIt v3\Aut2Exe\aut5785.tmp.tok

# Process injection API chain
VirtualAlloc(PAGE_EXECUTE_READWRITE)
DllCallAddress at shellcode+0x23B0
WriteProcessMemory / ReadProcessMemory / CreateProcessW

Network Indicators

# Formbook C2 communication pattern
# Format: www.domain[.]tld/xxxx/ (4-char botnet ID)
# Real C2 encrypted in core binary; extraction requires sandbox

# Recent campaign-period C2 domains (ThreatFox, Feb-Mar 2026)
www[.]yakutianguide[.]ru
www[.]xtmmm[.]top
www[.]xfqjrms[.]bond
www[.]xeoc[.]shop
www[.]xn--essncesensorial-tnb[.]com[.]br

Detection Opportunities

YARA Rules

Scope note: Aut2Exe stores the compiled script, and any FileInstall payloads, compressed inside the executable's resource, so the script-derived atoms in the wrapper rule ($xor_key, $obf_key, $drop_name, $build_path) will typically only match the extracted .au3 script, the dropped file, or a memory image rather than the packed wrapper on disk. Validate each rule against the listed hashes before deployment.

rule Formbook_AutoIt_Wrapper_March2026 {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects Formbook/XLoader AutoIt wrapper from March 2026 campaign"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        hash = "8e59fd060314be874b16a85af69bac2ca32bb8570698d635d33aa18c9b0d558a"
    strings:
        $au3_sig = "AU3!EA06"
        $xor_key = "WADEJD3GLJQWUK1CSRTG"
        $xor_key_alt = "EJD3GLJQWUK1CSRTGWAD"
        $obf_key = "Tc55s2WqM"
        $drop_name = "intersentimental"
        $build_path = "8HYUIOMQ9R" wide ascii
        $api1 = "WriteProcessMemory"
        $api2 = "ReadProcessMemory"
        $api3 = "IsDebuggerPresent"
        $api4 = "GetForegroundWindow"
        $api5 = "RegisterHotKey"
    condition:
        uint16(0) == 0x5A4D and
        filesize > 500KB and filesize < 3MB and
        $au3_sig and
        (
            ($xor_key or $xor_key_alt) or
            ($obf_key and $drop_name) or
            ($build_path)
        ) and
        3 of ($api*)
}

rule Formbook_XOR_Encrypted_Payload {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects XOR-encrypted Formbook payloads via repeating key in null-byte regions"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
    strings:
        $key1 = "WADEJD3GLJQWUK1CSRTG"
        $key2 = "EJD3GLJQWUK1CSRTGWAD"
        $key3 = "D3GLJQWUK1CSRTGWADEJ"
    condition:
        filesize > 100KB and filesize < 500KB and
        uint16(0) != 0x5A4D and
        (#key1 > 10 or #key2 > 10 or #key3 > 10)
}

rule Formbook_Core_Decrypted {
    meta:
        author = "Breakglass Intelligence"
        description = "Detects decrypted Formbook core binary -- single .text section, no imports"
        date = "2026-03-09"
        hash = "34265b21d08db558cef3273edd46e78f5aef684b6da22c208e9d44c48f284918"
        tlp = "TLP:CLEAR"
    strings:
        $rich = { 52 69 63 68 }
    condition:
        uint16(0) == 0x5A4D and
        filesize > 200KB and filesize < 400KB and
        uint16(uint32(0x3C) + 6) == 1 and
        uint32(uint32(0x3C) + 4 + 20 + uint16(uint32(0x3C) + 4 + 16)) == 0x7865742E and
        $rich and
        uint16(uint32(0x3C) + 4 + 20) == 0x010B
}

Suricata Rules

# Formbook C2 POST -- modified Base64 encoding (+ -> -, / -> _, = -> .)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS Formbook C2 POST Modified Base64"; \
  flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[a-z0-9]{4}\//i"; \
  http.request_body; content:"|26|"; pcre:"/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/"; \
  classtype:trojan-activity; sid:3000001; rev:1;)

# Formbook C2 GET beacon -- www. prefix with 4-char path
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS Formbook C2 GET Beacon 4-Char Path"; \
  flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z0-9]{4}\/$/"; \
  http.host; content:"www."; startswith; classtype:trojan-activity; sid:3000002; rev:1;)

# Formbook decoy domain spray -- 5+ hits in 60s from same source
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS Formbook Decoy Domain Spray"; \
  flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z0-9]{4}\/$/"; \
  threshold:type both, track by_src, count 5, seconds 60; classtype:trojan-activity; sid:3000003; rev:1;)

# Known campaign C2 domains
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS Formbook C2 yakutianguide.ru"; \
  flow:established,to_server; http.host; content:"yakutianguide.ru"; classtype:trojan-activity; sid:3000004; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BREAKGLASS Formbook C2 xtmmm.top"; \
  flow:established,to_server; http.host; content:"xtmmm.top"; classtype:trojan-activity; sid:3000005; rev:1;)

Hunting Queries

Endpoint -- AutoIt process injection chain: Look for AutoIt3.exe or any process with an AU3 resource section calling VirtualAlloc with PAGE_EXECUTE_READWRITE followed by DllCallAddress or CallWindowProc execution. This is the behavioral signature of the shellcode injection regardless of the specific Formbook variant.

Endpoint -- TEMP directory file drops with high entropy: Monitor for files dropped to %TEMP% with entropy above 7.9 and sizes between 200KB and 400KB, especially when the parent process is an AutoIt-compiled binary. The filename intersentimental is campaign-specific, but the pattern (single high-entropy blob to TEMP, immediate read-back and deletion) is consistent across Formbook AutoIt variants.

Network -- Formbook decoy domain spray: Formbook contacts its 64 decoy domains and 1 real C2 using the same HTTP pattern (GET /xxxx/ where xxxx is the 4-character botnet ID). A single infected host generating 60+ HTTP GET requests to distinct www. prefixed domains with identical 4-character paths within a short window is a high-confidence Formbook indicator.
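The decoy-spray hunt described above, as an added example that is not from the report: group GET /xxxx/ beacons by source and botnet ID, then count distinct www.-prefixed hosts inside a sliding window. The default threshold (5 domains in 60 s) mirrors the Suricata threshold rule; the log lines are constructed in a simple "epoch src method url" layout with .example domains, so parse_line() is the only part to adapt to a real proxy schema.

```python
"""Hunt for a Formbook-style decoy domain spray in web proxy logs.

Added example, not from the report. One internal host issuing GETs to many
distinct www.-prefixed domains that share the same four-character directory
within a short window is reported. The log lines are constructed
("epoch src method url", .example domains); adapt parse_line() to your
proxy's schema.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

BEACON_PATH = re.compile(r"^/([a-z0-9]{4})/$", re.I)        # /xxxx/ botnet-ID directory
LOG_LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(GET|POST)\s+(\S+)")

# Constructed sample log: 10.0.0.5 sprays six www. hosts with /qw3r/ in 19 s;
# 10.0.0.9 is benign traffic that happens to use four-character paths.
SAMPLE_LOG = """\
1772755000 10.0.0.5 GET http://www.decoy-a.example/qw3r/
1772755003 10.0.0.5 GET http://www.decoy-b.example/qw3r/
1772755004 10.0.0.9 GET http://www.intranet.example/home/
1772755007 10.0.0.5 GET http://www.decoy-c.example/qw3r/
1772755011 10.0.0.5 GET http://www.decoy-d.example/qw3r/
1772755012 10.0.0.5 POST http://www.decoy-d.example/qw3r/
1772755015 10.0.0.5 GET http://www.decoy-e.example/qw3r/
1772755019 10.0.0.5 GET http://www.decoy-f.example/qw3r/
1772755030 10.0.0.9 GET http://www.shop.example/cart/
1772755900 10.0.0.9 GET http://www.blog.example/2026/
"""


def parse_line(line: str) -> Optional[Tuple[float, str, str, str, str]]:
    """-> (timestamp, src_ip, method, host, path), or None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, method, url = m.groups()
    u = urlsplit(url)
    return float(ts), src, method, (u.hostname or "").lower(), u.path


def find_sprays(lines, min_domains: int = 5, window_s: int = 60) -> List[Dict]:
    """Group GET /xxxx/ beacons by (source, botnet ID); count distinct www. hosts in a sliding window."""
    groups = defaultdict(list)                               # (src, id) -> [(ts, host)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, method, host, path = rec
        m = BEACON_PATH.match(path)
        if method != "GET" or m is None or not host.startswith("www."):
            continue
        groups[(src, m.group(1).lower())].append((ts, host))

    hits = []
    for (src, botnet_id), events in groups.items():
        events.sort()
        in_window, left, best = Counter(), 0, (0, 0.0, 0.0)
        for right, (ts, host) in enumerate(events):
            in_window[host] += 1
            while ts - events[left][0] > window_s:            # slide the left edge of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), events[left][0], ts)
        if best[0] >= min_domains:
            hits.append({"src": src, "botnet_id": botnet_id, "distinct_domains": best[0],
                         "first_seen": best[1], "last_seen": best[2]})
    return hits


if __name__ == "__main__":
    for hit in find_sprays(SAMPLE_LOG.splitlines()):
        print(hit)
```

Keying on the shared four-character path, not just on request volume, is what separates this from a browser fetching many sites: the benign host above also uses four-character paths but never the same one across distinct www. domains, so it never forms a group large enough to alert.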

Rich header correlation: The Formbook core's Rich header hash b8624b188b7f0dd8b47cd4fcffe1e0ff can be correlated against sample repositories (VirusTotal, MalwareBazaar) to identify other samples compiled with the same toolchain -- likely from the same Formbook base kit dating to May 2021.


Published by Breakglass Intelligence. Investigation conducted 2026-03-09. Three encryption layers decrypted. Two decryption keys recovered (one XOR key, one string-cipher key). Operator build environment exposed via XAMPP path artifacts. Classification: TLP:CLEAR
