Manuel Statik Analiz (LLM Okumali) — FormBook Infostealer | Tehdit: YUKSEK

ファイル Kimligi

SHA2562b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1
ファイル Adidstq.exe
サイズ287.744 byte
String Sayisi1.218 (sifrelenmis)

Analiz Bulgulari

FormBook, tum kritik stringlerini (C2 URL, API endpoint, mutex) XOR ile sifrelenmis PE seksiyon icinde saklar. Statik string analizinde hicbir cleartext IOC bulunamamistir.

FormBook Teknik アーキテクチャsi

  • Process Injection: Mesgru process'lere (Explorer.exe, svchost.exe) DLL injection
  • Form Grabbing: Tarayici formlarina hook ile sifresiz veri yakalama
  • Keylogger: SetWindowsHookEx ile keyboard hook
  • Screenshot: Belirli araliklarda ekran yakalama
  • C2 Pattern: Hardcoded list of multiple domains, rotates randomly

FormBook Yetenekleri

KategoriHedefler
Form VeriWeb formlarina girilen TUM veri (HTTP/HTTPS)
TarayicilarChrome, Firefox, IE, Edge, Opera, Brave, 80+ tarayici
EmailOutlook, Thunderbird, The Bat!, Foxmail
FTPFileZilla, WinSCP, SmartFTP, Total Commander FTP
KeyloggerTum tus basimalari ve aktif pencere bilgisi
ScreenshotPeriyodik ekran yakalama

FormBook Hakkinda

FormBook, 2016 yilinda "ng-Coder" takma adini kullanan bir gelistirici tarafindan underground forumlarda MaaS olarak satisa sunulmustur. 2019'da "XLoader" olarak rebrand edilmis ve macOS destegi eklenmistir. Process injection ve form grabbing teknikleri ile en yakin rekabetci stealerlardan biridir. Turkiye'de de kurban segmenti vardir.

IOC

SHA2562b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1
C2XOR sifreli (runtime decrypt)
InjectionProcess Hollowing (Explorer/svchost)

FormBook — マルウェアプロファイル

FormBook web form verisi ve credential hırsızı. SmartAssembly paketleyici. İspanyolca LATAM elektrik faturası lür.

マルウェアの種類
Infostealer
プログラミング言語
C
C2プロトコル
HTTP
標的システム
Windows
別名 (AKA)
xLoader

技術詳細

C dili, Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot, clipboard monitor, process injection (process hollowing)

アトリビューション / 脅威アクター

ABD'de gelistirilmis; satis darknet forumlari uzerinden yapilmis. Dunya genelindeki multuple suc gruplarina hizmet veren MaaS platformu.

機能と挙動

Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı

IOCリスト (1 件の指標)

IOC — FormBook
# SHA256 2b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1
タイプメモ
sha256 2b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1

C2サーバー (このファミリーで5台のサーバーを記録)

アドレス タイプ ポート プロトコル ステータス
45.61.136.16 ip 80 HTTP active US
hxxp://freeupgrades.net/s1xt/ domain 80 HTTP inactive US
103.75.160.239 ip 443 HTTPS inactive HK
3.29.19.86 ip — TCP inactive —
form-book.club domain 80 HTTP sinkholed —

C2アドレスはKEYDALチームが手動で検証したマルウェア検体のみに基づいて提供されています。商用利用は禁止です。

タグ
formbookinfostealersifreliform-stealertarayiciprocess-injectionmaas