Derin Statik Analiz — FormBook | Tehdit: high
Archivo Kimliği
| SHA256 | 64bb3ef49a6f0d11aa926b5af1cd93796af2137e529068859fc15f691c034510 |
|---|---|
| MD5 | 2e3dd45aaf15c4bc163554aec1f0f287 |
| SHA1 | 52bbcf346aadd9fb197b07192df37aa59af53452 |
| Nombre de archivo | Quotation Request.exe |
| Tamaño | 995840 byte |
| Tipo | /opt/ksentinel/samples/64bb3ef49a6f0d11_QuotationRequest.exe: PE32 executable (GUI) Intel 80386 Mono |
| Fecha de compilación | Desconocido |
| Packer | UPX |
C2 Sunucuları
| Adres | Tip | Durum |
|---|---|---|
3.29.19.86 | IP | active |
Tespit Edilen IOC'lar
| Valor | Tip |
|---|---|
3.29.19.86 | IP |
System.IO | Domain |
Yetenekler
- —
Şifreleme: RijndaelManaged
Geliştirici İpuçları
Telegram: @2pON @8A8B8C8D8E8F8G8H8JI @bYQw @D2zky @D5FG
PE Analizi
PE Confianzalik Taraması
file entropy: 6.955553 (normal) fpu anti-disassembly: no imagebase: normal entrypoint: normal DOS stub: normal TLS directory: not found timestamp: normal section co
Import Tablosu (özet)
Imported functions
Library
Name: mscoree.dll
Functions
Function
Hint: 0
Name: _CorExeMain
Familia Tespiti — String Kanıtı
String kanıtı bulunamadı (obfuscated).
FormBook — Perfil del malware
FormBook web form verisi ve credential hırsızı. SmartAssembly paketleyici. İspanyolca LATAM elektrik faturası lür.
Tipo de malware
Infostealer
Lenguaje de programación
C
Protocolo C2
HTTP
Sistemas objetivo
Windows
También conocido como (AKA)
xLoader
Detalles técnicos
C dili, Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot, clipboard monitor, process injection (process hollowing)
Atribución / Actor de amenaza
ABD'de gelistirilmis; satis darknet forumlari uzerinden yapilmis. Dunya genelindeki multuple suc gruplarina hizmet veren MaaS platformu.
Capacidades y comportamiento
Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı
Lista IOC (5 indicadores)
IOC — FormBook
#
52bbcf346aadd9fb197b07192df37aa59af53452
# SHA256
64bb3ef49a6f0d11aa926b5af1cd93796af2137e529068859fc15f691c034510
# MD5
2e3dd45aaf15c4bc163554aec1f0f287
# IP
3.29.19.86
# DOMAIN
System.IO
| Tipo | Valor | Nota |
|---|---|---|
| 52bbcf346aadd9fb197b07192df37aa59af53452 | ||
| sha256 | 64bb3ef49a6f0d11aa926b5af1cd93796af2137e529068859fc15f691c034510 | |
| md5 | 2e3dd45aaf15c4bc163554aec1f0f287 | |
| ip | 3.29.19.86 | |
| domain | System.IO |
Servidores C2 (5 servidores registrados para esta familia)
| Dirección | Tipo | Puerto | Protocolo | Estado | País |
|---|---|---|---|---|---|
| 45.61.136.16 | ip | 80 | HTTP | active | US |
| hxxp://freeupgrades.net/s1xt/ | domain | 80 | HTTP | inactive | US |
| 103.75.160.239 | ip | 443 | HTTPS | inactive | HK |
| 3.29.19.86 | ip | — | TCP | inactive | — |
| form-book.club | domain | 80 | HTTP | sinkholed | — |
Las direcciones C2 se proporcionan únicamente a partir de muestras de malware verificadas manualmente por el equipo KEYDAL. Se prohíbe el uso comercial.