File Identity
| Field | Value |
|---|---|
| SHA256 | 2b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1 |
| File Name | dstq.exe |
| Size | 287,744 bytes |
| String Count | 1,218 (encrypted) |
Analysis Findings
FormBook keeps all of its critical strings (C2 URLs, API endpoints, mutex names) XOR-encrypted inside a PE section. Static string analysis found no cleartext IOC.
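The following is an added illustration, not code from this page or from FormBook itself: it shows why a plain `strings` pass over an XOR-encrypted section yields no IOC, and how an analyst recovers a single-byte XOR key by scoring candidate decryptions. The sample section, the key 0xD7 and the C2 string are constructed for the example; the real dstq.exe key and scheme are not documented here.

```python
# Constructed sample: plausible config strings, NUL-separated, XOR-encrypted
# with one byte (0xD7). Not taken from the real sample.
_PLAINTEXT = b"\x00".join([
    b"http://c2.example.invalid/gate.php",  # hypothetical C2 (reserved TLD)
    b"explorer.exe",
    b"svchost.exe",
]) + b"\x00"
_SAMPLE_KEY = 0xD7
SAMPLE_SECTION = bytes(b ^ _SAMPLE_KEY for b in _PLAINTEXT)


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Mimic `strings`: runs of printable ASCII (0x20-0x7E) >= min_len."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(bytes(run))
        run = bytearray()
    return found


def text_score(data: bytes) -> int:
    """Reward letters most, other printable ASCII and NUL terminators less,
    and penalise everything else. A bare printable ratio ties too often,
    because XOR with many keys maps letters onto digits and punctuation."""
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 2
        elif 0x20 <= b <= 0x7E or b == 0:
            score += 1
        else:
            score -= 4
    return score


def recover_xor_key(data: bytes) -> int:
    """Try all 256 single-byte keys; keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: text_score(bytes(b ^ k for b in data)))


def decrypt_strings(data: bytes) -> tuple[int, list[bytes]]:
    """Return the recovered key and the NUL-separated strings it reveals."""
    key = recover_xor_key(data)
    decoded = bytes(b ^ key for b in data)
    return key, [s for s in decoded.split(b"\x00") if s]


if __name__ == "__main__":
    print("strings on encrypted section:", extract_strings(SAMPLE_SECTION))
    print("recovered key and strings:", decrypt_strings(SAMPLE_SECTION))
```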
FormBook Technical Architecture
- Process Injection: DLL injection into legitimate processes (Explorer.exe, svchost.exe)
- Form Grabbing: hooks browser forms to capture data before it is encrypted
- Keylogger: keyboard hook via SetWindowsHookEx
- Screenshot: screen capture at set intervals
- C2 Pattern: hardcoded list of multiple domains, rotated randomly
FormBook Capabilities
| Category | Targets |
|---|---|
| Form Data | ALL data entered into web forms (HTTP/HTTPS) |
| Browsers | Chrome, Firefox, IE, Edge, Opera, Brave, 80+ browsers |
| Email Clients | Outlook, Thunderbird, The Bat!, Foxmail |
| FTP | FileZilla, WinSCP, SmartFTP, Total Commander FTP |
| Keylogger | All keystrokes and active window information |
| Screenshot | Periodic screen capture |
About FormBook
FormBook was put up for sale as MaaS on underground forums in 2016 by a developer using the handle "ng-Coder". In 2019 it was rebranded as "XLoader" and gained macOS support. Its process injection and form grabbing techniques make it one of the most competitive stealers. It also has a victim segment in Turkey.
IOC
| Field | Value |
|---|---|
| SHA256 | 2b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1 |
| C2 | XOR-encrypted (decrypted at runtime) |
| Injection | Process Hollowing (Explorer/svchost) |
FormBook — Malware Profile
FormBook is a web-form data and credential stealer. Packed with SmartAssembly. Delivered with a Spanish-language LATAM electricity bill lure.
Technical Details
Written in C; Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot, clipboard monitor, process injection (process hollowing)
Attribution / Threat Actor
Developed in the USA; sold through darknet forums. A MaaS platform serving multiple criminal groups worldwide.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 2b775e69fb52f4b7a8c9d37c1e1a3a8b0623b8cb1e7d60e1cc3e5ef6d2f89ab1 | |
C2 Servers (5 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 45.61.136.16 | ip | 80 | HTTP | active | US |
| hxxp://freeupgrades.net/s1xt/ | domain | 80 | HTTP | inactive | US |
| 103.75.160.239 | ip | 443 | HTTPS | inactive | HK |
| 3.29.19.86 | ip | — | TCP | inactive | — |
| form-book.club | domain | 80 | HTTP | sinkholed | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.