Datei Kimligi
| SHA256 | ab7a9209e242ed3c0a29e678edfd76bed53d00664ec27c4d3ef4ab4aef8a8248 |
|---|---|
| MD5 | c512ff0eb09c96041e38e344ce382995 |
| SHA1 | ad06e6c6bb21a8f91160bf7c9cd1c25155a5e97b |
| Größe | 723380 byte |
| Tur | /opt/ksentinel/samples/64bb3ef49a6f0d11aa926b5af1cd93796af2137e529068859fc15f691 |
| Derleme | Unbekannt |
| Packer | UPX |
Yetenekler
- Tespit edilemedi (obfuskeli)
Gelistirici Ipuclari
PDB Yolu: bash: -c: line 1: syntax error near unexpected token `|'
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\Users\\[^\\]{2,30}\\[^
Telegram: @109M @EpLb @fo4w @JcZ7 @mIn_C
PE Analizi
Binwalk / Packer
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Zip archive data, encrypted compressed size: 72
Familie Tespiti
String kaniti bulunamadi (sifrelenmis/obfuskeli).
FormBook — Malware-Profil
FormBook web form verisi ve credential hırsızı. SmartAssembly paketleyici. İspanyolca LATAM elektrik faturası lür.
Technische Details
C dili, Windows API hooking (form grabbing), HTTP POST C2, browser form stealer, keylogger, screenshot, clipboard monitor, process injection (process hollowing)
Attribution / Bedrohungsakteur
ABD'de gelistirilmis; satis darknet forumlari uzerinden yapilmis. Dunya genelindeki multuple suc gruplarina hizmet veren MaaS platformu.
Fähigkeiten & Verhalten
IOC-Liste (5 Indikatoren)
#
ad06e6c6bb21a8f91160bf7c9cd1c25155a5e97b
# SHA256
ab7a9209e242ed3c0a29e678edfd76bed53d00664ec27c4d3ef4ab4aef8a8248
# MD5
c512ff0eb09c96041e38e344ce382995
# FILEPATH
bash: -c: line 1: syntax error near unexpected token `|'
# FILEPATH
bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10'
| Typ | Wert | Bemerkung |
|---|---|---|
| ad06e6c6bb21a8f91160bf7c9cd1c25155a5e97b | ||
| sha256 | ab7a9209e242ed3c0a29e678edfd76bed53d00664ec27c4d3ef4ab4aef8a8248 | |
| md5 | c512ff0eb09c96041e38e344ce382995 | |
| filepath | bash: -c: line 1: syntax error near unexpected token `|' | |
| filepath | bash: -c: line 1: `grep -oiE '[A-Za-z]:\\[^\s\"'\'<>|*?]{5,150}' /tmp/all.txt | grep -viE '(msbuild|nuget|packages|Microsoft\.NET)' | sort -u | head -10' |
C2-Server (5 erfasste Server für diese Familie)
| Adresse | Typ | Port | Protokoll | Status | Land |
|---|---|---|---|---|---|
| 45.61.136.16 | ip | 80 | HTTP | active | US |
| hxxp://freeupgrades.net/s1xt/ | domain | 80 | HTTP | inactive | US |
| 103.75.160.239 | ip | 443 | HTTPS | inactive | HK |
| 3.29.19.86 | ip | — | TCP | inactive | — |
| form-book.club | domain | 80 | HTTP | sinkholed | — |
C2-Adressen stammen ausschließlich aus vom KEYDAL-Team manuell verifizierten Malware-Samples. Kommerzielle Nutzung ist untersagt.