TrojanSpy.Win32.FORMBOOK.THDOEBC

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %Program Files%\{random characters}\{random characters}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• {Malware File Path}\{Malware File Name} {path}
• {Spawned Process} /c del "{Malware File Path}\{Malware File Name}" → Delete itself
• {Spawned Process} /c copy "{Malware File Path}\{Malware File Name}" "%Program Files%\{random characters}\{random characters}.exe" /V → Create copy of itself

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Program Files%\{random characters}

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {16 random characters derived from the username}

It injects codes into the following process(es):

• {Malware File Path}\{Malware File Name} {path}
• explorer.exe
• Any of the following legitimate Windows applications: (Spawned by the hijacked explorer.exe)
  • systray.exe
  • dwm.exe
  • wuauclt.exe
  • control.exe
  • autoconv.exe
  • audiodg.exe
  • raserver.exe
  • svchost.exe
  • chkdsk.exe
  • lsm.exe
  • services.exe
  • msiexec.exe
  • wininit.exe
  • cscript.exe
  • nbtstat.exe
  • taskhost.exe
  • colorcpl.exe
  • explorer.exe
  • wscript.exe
  • wlanext.exe
  • autochk.exe
  • msg.exe
  • NAPSTAT.exe
  • spoolsv.exe
  • lsass.exe
  • rundll32.exe
  • msdt.exe
  • cmstp.exe
  • autofmt.exe
  • help.exe
  • rdpclip.exe
  • wuapp.exe
  • WWAHost.exe
  • ipconfig.exe
  • NETSTAT.exe
  • mstsc.exe
  • cmmon32.exe
  • netsh.exe
  • cmd.exe
• {Targeted Applications}

It terminates itself if it finds the following processes in the affected system's memory:

• vmwareuser.exe
• vmwareservice.exe
• vboxservice.exe
• vboxtray.exe
• sandboxiedcomlaunch.exe
• sandboxierpcss.exe
• procmon.exe
• filemon.exe
• wireshark.exe
• netmon.exe
• SharedIntApp.exe
• vmtoolsd.exe
• vmsrvc.exe
• vmusrvc.exe
• python.exe
• perl.exe
• regmon.exe

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WindowsNT\CurrentVersion\Run
{random characters} = %Program Files%\{random characters}\{random characters}.exe

Information Theft

This Trojan Spy gathers the following data:

• Username
• OS Version and Product Name
• OS Architecture
• CRC32 of SID
• Information from the following applications:
  • Browsers:
    • 360 Browser
    • Avant
    • Avast SafeZone Browser
    • Baidu
    • BlackHawk
    • Chrome
    • Citrio
    • Comodo Dragon
    • Comodo IceDragon
    • CoolNovo
    • Coowon
    • CyberFox
    • Deepnet
    • Dooble
    • Epic
    • Firefox
    • Internet Explorer
    • Iridium
    • KMeleon
    • Lunascape
    • Maxthon
    • Microsoft Edge
    • Midori
    • Mustang
    • Opera
    • Orbitum
    • PaleMoon
    • QTWeb
    • QupZilla
    • Safari
    • SeaMonkey
    • Sleipnir
    • Superbird
    • Torch
    • UC Browser
    • Vivaldi
    • Waterfox
    • Yandex
  • Mail Clients:
    • Barca
    • Foxmail
    • GMail
    • Incredimail
    • Microsoft Outlook
    • Mozilla Thunderbird
    • Opera Mail
  • FTP Client:
    • 3DFTP
  • Instant Messaging (IM) Applications:
    • ICQ Messenger
    • Pidgin
    • Skype
    • Trillian
    • Yahoo Messenger

Other Details

This Trojan Spy terminates itself if it detects it is being run in a virtual environment.

It does the following:

• It terminates itself if the following DLL is loaded on its memory:
• • SbieDll.dll
• It terminates itself if the following DLL loaded on its memory has the following strings in their filepath:
  • \cuckoo\
  • \sandcastle\
  • \aswsnx\
  • \sandbox\
  • \smpdir\
  • \samroot\
  • \avctestsuite\
• It terminates itself if its filename has a length greater than or equal to 32 characters.
• It looks for the following strings on HTTP requests:
  • pass
  • token
  • email
  • login
  • sign in
  • account
  • persistent

It terminates itself if any of the following user name(s) are found in the affected system:

• cuckoo
• cuckoo
• sandbox-
• nmsdbox-
• xxxx-ox-
• cwsx-
• wilbert-sc
• xpamast-sc

It does not proceed to its malicious routine if it detects that it is being debugged.