File Identity
| Field | Value |
|---|---|
| SHA256 | 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df |
| File Name | dstq.exe |
| Size | 287,744 bytes |
| String Count | 1,218 |
Encrypted C2 Config
Strings extracted from the sample that mark the encrypted C2 configuration:
- `y2_c2` : C2 config segment marker
- `+c2>2` : C2 reference
- `+6*C2` : C2 segment
About FormBook
FormBook is a form grabber/stealer family that has been active since 2016. It includes HTTP POST hijacking (man-in-the-browser), a keylogger and a clipboard monitor. It is sold on underground forums for 29-299 USD.
IOC
| Field | Value |
|---|---|
| SHA256 | 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df |
| C2 | HTTPS (encrypted config) |
FormBook — Malware Profile
FormBook is a web form data and credential stealer. Packed with SmartAssembly. Delivered with a Spanish-language LATAM electricity bill lure.
Technical Details
Written in C. Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot, clipboard monitor, process injection (process hollowing).
Attribution / Threat Actor
Developed in the US; sold through darknet forums. A MaaS platform serving multiple criminal groups worldwide.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 2b775e69fb52f4b72e8455f3fce7c4cdc4c6c91ee069dd7d3e166de146de7df | len=63 |
C2 Servers (5 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 45.61.136.16 | ip | 80 | HTTP | active | US |
| hxxp://freeupgrades.net/s1xt/ | domain | 80 | HTTP | inactive | US |
| 103.75.160.239 | ip | 443 | HTTPS | inactive | HK |
| 3.29.19.86 | ip | — | TCP | inactive | — |
| form-book.club | domain | 80 | HTTP | sinkholed | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.