Win32/Formbook [Threat Name]
Win32/Formbook.AA [Threat Variant Name]
Category: trojan
Size: 208074 B
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %temp%\%variable%.tmp\System.dll (11264 B)
- %temp%\abram.dat (157653 B)
- %temp%\confectionery.dll (18944 B, Win32/Injector.DXNR)
A string with variable content is used instead of %variable%.
The trojan creates and runs a new thread with its own program code within the following processes:
- audiodg.exe
- autochk.exe
- autoconv.exe
- autofmt.exe
- chkdsk.exe
- cmd.exe
- cmmon32.exe
- cmstp.exe
- colorcpl.exe
- control.exe
- cscript.exe
- dwm.exe
- explorer.exe
- help.exe
- ipconfig.exe
- lsass.exe
- lsm.exe
- msdt.exe
- msg.exe
- msiexec.exe
- mstsc.exe
- NAPSTAT.EXE
- nbtstat.exe
- netsh.exe
- NETSTAT.EXE
- raserver.exe
- rdpclip.exe
- rundll32.exe
- services.exe
- spoolsv.exe
- svchost.exe
- systray.exe
- taskhost.exe
- wininit.exe
- wlanext.exe
- wscript.exe
- wuapp.exe
- wuauclt.exe
- WWAHost.exe
- advapi32.dll
- kernel32.dll
- ws2_32.dll
Information stealing
Win32/Formbook.AA is a trojan that steals sensitive information.
The trojan gathers sensitive information from processes which contain any of the following strings in their path:
- 360browser.exe
- 360se.exe
- avant.exe
- avastszb.exe
- browser.exe
- chrome.exe
- citrio.exe
- coolnovo.exe
- coowon.exe
- cyberfox.exe
- deepnet.exe
- dooble.exe
- dragon.exe
- epic.exe
- far.exe
- filezilla.exe
- firefox.exe
- fling.exe
- foxmail.exe
- gmailnotifierpro.exe
- icedragon.exe
- icq.exe
- iexplore.exe
- incmail.exe
- iridium.exe
- k-meleon.exe
- luna.exe
- maxthon.exe
- microsoftedgecp.exe
- midori.exe
- mustang.exe
- notepad.exe
- opera.exe
- orbitum.exe
- outlook.exe
- palemoon.exe
- pidgin.exe
- qtweb.exe
- qupzilla.exe
- safari.exe
- seamonkey.exe
- skype.exe
- sleipnir.exe
- spark.exe
- superbird.exe
- thunderbird.exe
- torch.exe
- totalcmd.exe
- trillian.exe
- ucbrowser.exe
- vivaldi.exe
- waterfox.exe
- webdrive.exe
- whatsapp.exe
- yahoomessenger.exe
- ybrowser.exe
The following information is collected:
- login user names for certain applications/services
- login passwords for certain applications/services
- operating system version
- logged keystrokes
- data from the clipboard
- screenshots
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- delete cookies
- shut down/restart the computer
- uninstall itself
The trojan keeps various information in the following files:
- %appdata%\%variable1%\%variable2%.ini
- %appdata%\%variable1%\%variable2%.jpeg
A string with variable content is used instead of %variable1-2%.
The trojan can detect the presence of debuggers and other analysis tools.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan quits immediately if the user name is one of the following:
- cuckoo
- cwsx-
- nmsdbox-
- sandbox-
- wilbert-sc
- xpamast-sc
- xxxx-ox-
The trojan quits immediately if it detects a loaded module, within its own process or another running process, whose name contains one of the following strings:
- SbieDll.dll
- filemon.exe
- netmon.exe
- perl.exe
- prl_cc.exe
- prl_tools.exe
- prl_tools_service.exe
- procmon.exe
- python.exe
- regmon.exe
- sandboxiedcomlaunch.exe
- sandboxierpcss.exe
- sharedintapp.exe
- vboxservice.exe
- vboxtray.exe
- vmsrvc.exe
- vmtoolsd.exe
- vmusrvc.exe
- vmwareservice.exe
- vmwareuser.exe
- wireshark.exe
The trojan hooks the following Windows APIs:
- WSASend (ws2_32.dll)
- GetMessageA (user32.dll)
- GetMessageW (user32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
- SendMessageA (user32.dll)
- SendMessageW (user32.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetQueryOptionW (wininet.dll)
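The hooked exports above are the seam through which the stealer reads keystrokes, window messages and outgoing HTTP/socket data. As an added defensive check (example code, not from the ESET entry or the sample), the script below reads the first bytes of each listed export in the current process and flags common inline-detour shapes; the detour patterns, the ctypes reader and the assumption of a 32-bit process are mine, not facts from the page.

```python
import ctypes
from typing import Callable, Dict, Optional

HOOKED_APIS = [  # module/export pairs from the hook list above
    ("ws2_32.dll", b"WSASend"),
    ("user32.dll", b"GetMessageA"), ("user32.dll", b"GetMessageW"),
    ("user32.dll", b"PeekMessageA"), ("user32.dll", b"PeekMessageW"),
    ("user32.dll", b"SendMessageA"), ("user32.dll", b"SendMessageW"),
    ("wininet.dll", b"HttpSendRequestA"), ("wininet.dll", b"HttpSendRequestW"),
    ("wininet.dll", b"InternetQueryOptionW"),
]

def classify_prologue(prologue: bytes) -> Optional[str]:
    """Name the detour shape at a function's first bytes, or None for a normal prologue.
    Generic 32-bit inline-hook shapes (assumption); EDR/hotpatch hooks match too, so treat hits as leads."""
    if len(prologue) < 5:
        return None
    if prologue[0] == 0xE9:                      # jmp rel32
        return "jmp rel32"
    if prologue[:2] == b"\xFF\x25":              # jmp dword ptr [abs32]
        return "jmp [abs32]"
    if prologue[0] == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return "push imm32; ret"
    if prologue[0] == 0xB8 and len(prologue) >= 7 and prologue[5:7] == b"\xFF\xE0":
        return "mov eax, imm32; jmp eax"
    return None

def scan_hooked_apis(read_prologue: Callable[[str, bytes], bytes]) -> Dict[str, str]:
    """Apply the heuristic to every API in HOOKED_APIS. read_prologue(module, export) returns the
    export's first bytes (b"" if the module is not loaded); injecting it allows offline testing."""
    findings = {}
    for module, export in HOOKED_APIS:
        kind = classify_prologue(read_prologue(module, export))
        if kind:
            findings[f"{module}!{export.decode()}"] = kind
    return findings

def read_prologue_self(module: str, export: bytes, n: int = 8) -> bytes:
    """Reader for the current Windows process: GetModuleHandleW + GetProcAddress,
    then copy the first n bytes of the export (hypothetical helper, Windows only)."""
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.argtypes, k32.GetModuleHandleW.restype = [ctypes.c_wchar_p], ctypes.c_void_p
    k32.GetProcAddress.argtypes, k32.GetProcAddress.restype = [ctypes.c_void_p, ctypes.c_char_p], ctypes.c_void_p
    base = k32.GetModuleHandleW(module)
    addr = k32.GetProcAddress(base, export) if base else None
    return ctypes.string_at(addr, n) if addr else b""

if __name__ == "__main__":  # only meaningful on Windows
    print(scan_hooked_apis(read_prologue_self) or "no detour patterns found")
```

Only the current process is inspected; checking the injection targets listed earlier would need OpenProcess/ReadProcessMemory in place of the self-reader.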