Manual Static Analysis — FormBook | Threat: HIGH

File Identification

SHA256: 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df
File name: dstq.exe
Size: 287,744 bytes
String count: 1,218

Encrypted C2 Config

y2_c2    -- C2 config section marker
+c2>2    -- C2 reference
+6*C2    -- C2 section

About FormBook

FormBook is a form grabber/stealer family that has been active since 2016. It includes HTTP POST hijacking (man-in-the-browser), a keylogger and a clipboard monitor. It is sold on underground forums for 29-299 USD.

IOC

SHA256: 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df
C2: HTTPS (encrypted config)

FormBook — Malware Profile

FormBook is a web form data and credential stealer. Packed with SmartAssembly. Delivered via a Spanish-language LATAM electricity-bill lure.

Malware Type: Infostealer
Programming Language: C
C2 Protocol: HTTP
Target Systems: Windows
Also Known As (AKA): xLoader

Technical Details

Written in C. Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot capture, clipboard monitor, process injection (process hollowing).

Attribution / Threat Actor

Developed in the USA; sold through darknet forums. A MaaS platform serving multiple criminal groups worldwide.

Capabilities & Behavior

Browser credentials
Cookie theft
Crypto wallet theft
System information
Screenshot capture
FTP/SSH client passwords
Email client theft
Data exfiltration

IOC List (1 indicator)

IOC — FormBook
# SHA256 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df

Type     Value                                                             Note
sha256   2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df   len=63 (a full SHA-256 is 64 hex characters; this value is recorded one character short)

C2 Servers (5 recorded servers for this family)

Address                          Type     Port   Protocol   Status      Country
45.61.136.16                     ip       80     HTTP       active      US
hxxp://freeupgrades.net/s1xt/    domain   80     HTTP       inactive    US
103.75.160.239                   ip       443    HTTPS      inactive    HK
3.29.19.86                       ip       —      TCP        inactive    —
form-book.club                   domain   80     HTTP       sinkholed   —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
formbook, stealer, html-form, anti-debug, encrypted-c2