Analysis of the Frenchy Shellcode

In this post I analyze a shellcode that I have named "Frenchy shellcode" because of the mutex that it creates (depending on the version: frenchy_shellcode_01, frenchy_shellcode_002, frenchy_shellcode_003,...). This shellcode has been seen together with different packers and loading different malware families (agenttesla, avemaria stealer, formbook, netwire, etc...). Because of this, I decided to take a look at this shellcode and share my notes. Additionally I share a PoC, a python script that loads Frenchy shellcode and uses it to perform hollow processes and execute calc.exe in the context of notepad.exe.

• Original packed samples
• Frenchy shellcode v1 + autoit packer: 0a1340bb124cd0d79fa19a09c821a049 (Avemaria)
• Frenchy shellcode v2 + autoit packer: d009bfed001586db95623e2896fb93aa 
• Frenchy shellcode v2 + autoit packer: 20de5694d7afa40cf8f0c88c86d22b1d (Formbook)
• Frenchy shellcode v3 + .Net packer: 21c1d45977877018568e8073c3Acf7c5 (Netwire)
• Extracted frenchy shellcodes:
• Frenchy shellcode v1 at hybrid analysis
• Frenchy shellcode v2 at hybrid analysis
• Frenchy shellcode v3 at hybrid analysis
• Related links:
• https://tccontre.blogspot.com/2019/07/autoit-compiled-formbook-malware.html (I recommend to read this post about the AutoIt script that loads frenchy shellcode).
• https://twitter.com/P3pperP0tts/status/1135976656751996928?s=20
• https://twitter.com/JayTHL/status/1146482606185308160?s=20
• https://twitter.com/James_inthe_box/status/1148966237684133888?s=20
• https://cape.contextis.com/analysis/85189/
• https://twitter.com/James_inthe_box/status/1146527056567472128?s=20