TrojanSpy.MSIL.FORMBOOK.PUSYBC

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It logs a user's keystrokes to steal information.

It connects to certain websites to send and receive information. It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• {Malware file path and name} "path"

It terminates itself if it finds the following processes in the affected system's memory:

• vmwareuser.exe
• vmwareservice.exe
• vboxservice.exe
• vboxtray.exe
• sandboxiedcomlaunch.exe
• sandboxierpcss.exe
• procmon.exe
• filemon.exe
• wireshark.exe
• netmon.exe
• prl_tools_service.exe
• prl_tools.exe
• prl_cc.exe
• sharedintapp.exe
• vmtoolsd.exe
• vmsrvc.exe
• vmusrvc.exe
• python.exe
• perl.exe
• regmon.exe

Propagation

This Trojan Spy does not have any propagation routine.

Rootkit Capabilities

This Trojan Spy does not have rootkit capabilities.

Information Theft

This Trojan Spy gathers the following data:

• Clipboard data
• Captured screenshots
• Information from the following application:
  • 360 Browser
  • 3DFTP
  • AbsoluteTelnet
  • ALFTP
  • Avant
  • Baidu
  • Barca
  • BitKinex
  • BlackHawk
  • Browzar
  • Canary
  • Chrome
  • Chromium
  • Citrio
  • Comodo Dragon
  • CoolNovo
  • Coowon
  • CoreFTP
  • CyberFox
  • Deepnet
  • Dooble
  • Epic
  • Far File Manager
  • FileZilla
  • Firefox
  • FlashFXP
  • Fling
  • Foxmail
  • GMail
  • IceDragon
  • ICQ Messenger
  • Incmail
  • Internet Explorer
  • Iridium
  • KMeleon
  • LeechFTP
  • Lunascape
  • Maxthon
  • Microsoft Edge
  • Midori
  • Mustang
  • NCFTP
  • Opera
  • Opera Mail
  • Orbitum
  • Outlook
  • PaleMoon
  • Pidgin
  • QTWeb
  • QupZilla
  • Rambler
  • Safari
  • SafeZone
  • ScriptFTP
  • SeaMonkey
  • Skype
  • Sleipnir
  • SmartFTP
  • Superbird
  • Thunderbird
  • Titan
  • Tor Browser
  • Torch
  • Total Commander
  • Trillian
  • UC Browser
  • Vivaldi
  • Waterfox
  • WebDrive
  • WhatsApp
  • WinSCP
  • Yahoo Messenger
  • Yandex

It logs a user's keystrokes to steal information.

Other Details

This Trojan Spy connects to the following website to send and receive information:

• http://www.t{BLOCKED}o.uk/ne28

It terminates itself if it detects it is being run in a virtual environment.

It does the following:

• It adds and injects code to a newly-created process.
• The newly-created process may be any of the following legitimate Windows application:
  • audiodg.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • chkdsk.exe
  • cmd.exe
  • cmmon32.exe
  • cmstp.exe
  • colorcpl.exe
  • control.exe
  • cscript.exe
  • dwm.exe
  • explorer.exe
  • help.exe
  • ipconfig.exe
  • lsass.exe
  • lsm.exe
  • msdt.exe
  • msg.exe
  • msiexec.exe
  • mstsc.exe
  • napstat.exe
  • nbtstat.exe
  • netsh.exe
  • netstat.exe
  • raserver.exe
  • rdpclip.exe
  • rundll32.exe
  • services.exe
  • spoolsv.exe
  • svchost.exe
  • systray.exe
  • taskhost.exe
  • wininit.exe
  • wlanext.exe
  • wscript.exe
  • wuapp.exe
  • wuauclt.exe
  • wwahost.exe
• It terminates itself if the following DLL is loaded on its memory:
  • SbieDll.dll
• It checks if its filepath contains the following strings:
  • VIRUS
  • SANDBOX
  • SAMPLE
  • C:\file.exe
• The registry data {String} can contain any of the following:
  • VMWARE
  • VBOX
  • QEMU
• Based on analysis of the codes, it has the following capabilities:
  • Disable Windows Defender
  • Create a scheduled task

NOTES:

It does not proceed to its malicious routine if it detects that it is being debugged.

It does not exploit any vulnerability.