Win32/Formbook [Threat Name]

Win32/Formbook.AA [Threat Variant Name]

Category trojan
Size 208074 B
Detection created Apr 19, 2018
Detection database version 17249
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable%.tmp\System.dll (11264 B)
  • %temp%\abram.dat (157653 B)
  • %temp%\confectionery.dll (18944 B, Win32/Injector.DXNR)

A string with variable content is used instead of %variable%.


The trojan creates and runs a new thread with its own program code within the following processes:

  • audiodg.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • chkdsk.exe
  • cmd.exe
  • cmmon32.exe
  • cmstp.exe
  • colorcpl.exe
  • control.exe
  • cscript.exe
  • dwm.exe
  • explorer.exe
  • help.exe
  • ipconfig.exe
  • lsass.exe
  • lsm.exe
  • msdt.exe
  • msg.exe
  • msiexec.exe
  • mstsc.exe
  • NAPSTAT.EXE
  • nbtstat.exe
  • netsh.exe
  • NETSTAT.EXE
  • raserver.exe
  • rdpclip.exe
  • rundll32.exe
  • services.exe
  • spoolsv.exe
  • svchost.exe
  • systray.exe
  • taskhost.exe
  • wininit.exe
  • wlanext.exe
  • wscript.exe
  • wuapp.exe
  • wuauclt.exe
  • WWAHost.exe
  • advapi32.dll
  • kernel32.dll
  • ws2_32.dll

Information stealing

Win32/Formbook.AA is a trojan that steals sensitive information.


The trojan gathers sensitive information from processes which contain any of the following strings in their path:

  • 360browser.exe
  • 360se.exe
  • avant.exe
  • avastszb.exe
  • browser.exe
  • chrome.exe
  • citrio.exe
  • coolnovo.exe
  • coowon.exe
  • cyberfox.exe
  • deepnet.exe
  • dooble.exe
  • dragon.exe
  • epic.exe
  • far.exe
  • filezilla.exe
  • firefox.exe
  • fling.exe
  • foxmail.exe
  • gmailnotifierpro.exe
  • icedragon.exe
  • icq.exe
  • iexplore.exe
  • incmail.exe
  • iridium.exe
  • k-meleon.exe
  • luna.exe
  • maxthon.exe
  • microsoftedgecp.exe
  • midori.exe
  • mustang.exe
  • notepad.exe
  • opera.exe
  • orbitum.exe
  • outlook.exe
  • palemoon.exe
  • pidgin.exe
  • qtweb.exe
  • qupzilla.exe
  • safari.exe
  • seamonkey.exe
  • skype.exe
  • sleipnir.exe
  • spark.exe
  • superbird.exe
  • thunderbird.exe
  • torch.exe
  • totalcmd.exe
  • trillian.exe
  • ucbrowser.exe
  • vivaldi.exe
  • waterfox.exe
  • webdrive.exe
  • whatsapp.exe
  • yahoomessenger.exe
  • ybrowser.exe

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • operating system version
  • logged keystrokes
  • data from the clipboard
  • screenshots

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • delete cookies
  • shut down/restart the computer
  • uninstall itself

The trojan keeps various information in the following files:

  • %appdata%\%variable1%\%variable2%.ini
  • %appdata%\%variable1%\%variable2%.jpeg

A string with variable content is used instead of %variable1-2%.


The trojan can detect the presence of debuggers and other analytical tools.


The trojan terminates its execution if it detects that it is running in a specific virtual environment.


The trojan quits immediately if the user name is one of the following:

  • cuckoo
  • cwsx-
  • nmsdbox-
  • sandbox-
  • wilbert-sc
  • xpamast-sc
  • xxxx-ox-

The trojan quits immediately if it detects a loaded module, within its own process or in other running processes, whose name contains one of the following strings:

  • SbieDll.dll
  • filemon.exe
  • netmon.exe
  • perl.exe
  • prl_cc.exe
  • prl_tools.exe
  • prl_tools_service.exe
  • procmon.exe
  • python.exe
  • regmon.exe
  • sandboxiedcomlaunch.exe
  • sandboxierpcss.exe
  • sharedintapp.exe
  • vboxservice.exe
  • vboxtray.exe
  • vmsrvc.exe
  • vmtoolsd.exe
  • vmusrvc.exe
  • vmwareservice.exe
  • vmwareuser.exe
  • wireshark.exe

The trojan hooks the following Windows APIs:

  • WSASend (ws2_32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • SendMessageA (user32.dll)
  • SendMessageW (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetQueryOptionW (wininet.dll)
