Win32/Formbook [Threat Name] go to Threat

Win32/Formbook.AA [Threat Variant Name]

Category	trojan
Size	208074 B
Detection created	Apr 19, 2018
Detection database version	17249

Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

%temp%\%variable%.tmp\System.dll (11264 B)
%temp%\abram.dat (157653 B)
%temp%\confectionery.dll (18944 B, Win32/Injector.DXNR)

A string with variable content is used instead of %variable% .

The trojan creates and runs a new thread with its own program code within the following processes:

audiodg.exe
autochk.exe
autoconv.exe
autofmt.exe
chkdsk.exe
cmd.exe
cmmon32.exe
cmstp.exe
colorcpl.exe
control.exe
cscript.exe
dwm.exe
explorer.exe
help.exe
ipconfig.exe
lsass.exe
lsm.exe
msdt.exe
msg.exe
msiexec.exe
mstsc.exe
NAPSTAT.EXE
nbtstat.exe
netsh.exe
NETSTAT.EXE
raserver.exe
rdpclip.exe
rundll32.exe
services.exe
spoolsv.exe
svchost.exe
systray.exe
taskhost.exe
wininit.exe
wlanext.exe
wscript.exe
wuapp.exe
wuauclt.exe
WWAHost.exe
advapi32.dll
kernel32.dll
ws2_32.dll

Information stealing

Win32/Formbook.AA is a trojan that steals sensitive information.

The trojan gathers sensitive information from processes which contain any of the following strings in their path:

360browser.exe
360se.exe
avant.exe
avastszb.exe
browser.exe
chrome.exe
citrio.exe
coolnovo.exe
coowon.exe
cyberfox.exe
deepnet.exe
dooble.exe
dragon.exe
epic.exe
far.exe
filezilla.exe
firefox.exe
fling.exe
foxmail.exe
gmailnotifierpro.exe
icedragon.exe
icq.exe
iexplore.exe
incmail.exe
iridium.exe
k-meleon.exe
luna.exe
maxthon.exe
microsoftedgecp.exe
midori.exe
mustang.exe
notepad.exe
opera.exe
orbitum.exe
outlook.exe
palemoon.exe
pidgin.exe
qtweb.exe
qupzilla.exe
safari.exe
seamonkey.exe
skype.exe
sleipnir.exe
spark.exe
superbird.exe
thunderbird.exe
torch.exe
totalcmd.exe
trillian.exe
ucbrowser.exe
vivaldi.exe
waterfox.exe
webdrive.exe
whatsapp.exe
yahoomessenger.exe
ybrowser.exe

The following information is collected:

login user names for certain applications/services
login passwords for certain applications/services
operating system version
logged keystrokes
data from the clipboard
screenshots

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
execute shell commands
delete cookies
shut down/restart the computer
uninstall itself

The trojan keeps various information in the following files:

%appdata%\%variable1%\%variable2%.ini
%appdata%\%variable1%\%variable2%.jpeg

A string with variable content is used instead of %variable1-2% .

The trojan can detect presence of debuggers and other analytical tools.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan quits immediately if the user name is one of the following:

cuckoo
cwsx-
nmsdbox-
sandbox-
wilbert-sc
xpamast-sc
xxxx-ox-

Trojan quits immediately if it detects loaded module within its own process or other running processes containing one of the following strings in its name:

SbieDll.dll
filemon.exe
netmon.exe
perl.exe
prl_cc.exe
prl_tools.exe
prl_tools_service.exe
procmon.exe
python.exe
regmon.exe
sandboxiedcomlaunch.exe
sandboxierpcss.exe
sharedintapp.exe
vboxservice.exe
vboxtray.exe
vmsrvc.exe
vmtoolsd.exe
vmusrvc.exe
vmwareservice.exe
vmwareuser.exe
wireshark.exe

The trojan hooks the following Windows APIs:

WSASend (ws2_32.dll)
GetMessageA (user32.dll)
GetMessageW (user32.dll)
PeekMessageA (user32.dll)
PeekMessageW (user32.dll)
SendMessageA (user32.dll)
SendMessageW (user32.dll)
HttpSendRequestA (wininet.dll)
HttpSendRequestW (wininet.dll)
InternetQueryOptionW (wininet.dll)