TrojanSpy.Win32.FORMBOOK.DE

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It logs a user's keystrokes to steal information.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %AppDataLocal%\VirtualDirectoryPlayerGUI
• %Application Data%\{Random characters} → contains logs with gathered data

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system:

• %Program Files%\{Random characters}\{Random characters}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %AppDataLocal%\VirtualDirectoryPlayerGUI\VirtualDirectoryPlayer.exe
  • detected as TrojanSpy.Win32.FORMBOOK.DE
• %AppDataLocal%\VirtualDirectoryPlayerGUI\libexiv3.dll → decrypts VirtualDirectoryPlayer.exe
  • detected as TrojanSpy.Win32.FORMBOOK.DE
• %AppDataLocal%\VirtualDirectoryPlayerGUI\configuration.xml → loaded into libexiv3.dll

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following non-malicious files:

• %AppDataLocal%\VirtualDirectoryPlayerGUI\libnspr4.dll
• %AppDataLocal%\VirtualDirectoryPlayerGUI\libsasl2-3.dll
• %AppDataLocal%\VirtualDirectoryPlayerGUI\libwebp-fb2k.dll
• %AppDataLocal%\VirtualDirectoryPlayerGUI\license.txt
• %AppDataLocal%\VirtualDirectoryPlayerGUI\shared.dll
• %AppDataLocal%\VirtualDirectoryPlayerGUI\zlib1.dll
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\16\auth.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\16\error.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\16\info.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\16\mail.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\16\question.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\auth.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\cool.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\dialog.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\error.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\info.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\mail.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\question.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\64\warning.png
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\auth.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\cool.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\dialog.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\error.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\info.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\question.svg
• %AppDataLocal%\VirtualDirectoryPlayerGUI\dialogs\scalable\warning.svg

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %AppDataLocal%\VirtualDirectoryPlayerGUI\VirtualDirectoryPlayer.exe
• %System%\cmd.exe /c del {Dropped malicious executable}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It injects codes into the following process(es):

• explorer.exe → communicates with C2 Server
• Any of the following legitimate Windows Application (spawned by hijacked explorer.exe):
  • audiodg.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • chkdsk.exe
  • cmd.exe.
  • cmmon32.exe
  • cmstp.exe
  • colorcpl.exe
  • control.exe
  • cscript.exe
  • dwm.exe
  • explorer.exe
  • help.exe
  • ipconfig.exe
  • lsass.exe
  • lsm.exe
  • msdt.exe
  • msg.exe
  • msiexec.exe
  • mstsc.exe
  • NAPSTAT.EXE
  • nbtstat.exe
  • netsh.exe
  • NETSTAT.EXE
  • raserver.exe
  • rdpclip.exe
  • rundll32.exe
  • services.exe
  • spoolsv.exe
  • svchost.exe
  • systray.exe
  • taskhost.exe
  • wininit.exe
  • wlanext.exe
  • wscript.exe
  • wuapp.exe
  • wuauclt.exe
  • WWAHost.exe
• Targeted Applications

It terminates itself if it finds the following processes in the affected system's memory:

• vmwareuser.exe
• vmwareservice.exe
• vboxservice.exe
• vboxtray.exe
• sandboxiedcomlaunch.exe
• sandboxierpcss.exe
• procmon.exe
• filemon.exe
• wireshark.exe
• netmon.exe
• prl_tools_service.exe
• prl_tools.exe
• prl_cc.exe
• SharedIntApp.exe
• vmtoolsd.exe
• vmsrvc.exe
• vmusrvc.exe
• python.exe
• perl.exe
• regmon.exe

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Random Characters} = %Program Files%\{Random}\{Random}.exe

Propagation

This Trojan Spy does not have any propagation routine.

Backdoor Routine

This Trojan Spy executes the following commands from a remote malicious user:

• Download and execute a file
• Update Self
• Uninstall Self
• Execute Arbitrary Commands
• Clear cookies
• Reboot System
• Shutdown System
• Send gathered data to C2 Server

It connects to the following websites to send and receive information:

• http://www.{BLOCKED}ding.net/vns/
• http://www.{BLOCKED}dhousedesigns.design/vns/
• http://www.{BLOCKED}eatsgamingclan.com/vns/
• http://www.{BLOCKED}erbsindia.com/vns/
• http://www.{BLOCKED}clnicadelvnculo-gvbi.com/vns/
• http://www.{BLOCKED}thalmica.com/vns/
• http://www.{BLOCKED}cia.com/vns/
• http://www.{BLOCKED}i.site/vns/
• http://www.{BLOCKED}lpardis.com/vns/
• http://www.{BLOCKED}portal.com/vns/
• http://www.{BLOCKED}sbroider.com/vns/
• http://www.{BLOCKED}rchids.com/vns/
• http://www.{BLOCKED}art.net/vns/
• http://www.{BLOCKED}ayresidency.com/vns/
• http://www.{BLOCKED}eint.com/vns/
• http://www.{BLOCKED}edmagic.com/vns/
• http://www.{BLOCKED}pressworld.com/vns/
• http://www.{BLOCKED}sresolve.com/vns/
• http://www.{BLOCKED}rsotocheckup-5fcc.com/vns/
• http://www.{BLOCKED}rrapate.com/vns/
• http://www.{BLOCKED}en.com/vns/
• http://www.{BLOCKED}icamackay.com/vns/
• http://www.{BLOCKED}assetmanagement.com/vns/
• http://www.{BLOCKED}ntsbd.com/vns/
• http://www.{BLOCKED}furnituremadera.com/vns/
• http://www.{BLOCKED}etesproduce.com/vns/
• http://www.{BLOCKED}lkservice.com/vns/
• http://www.{BLOCKED}isc.com/vns/
• http://www.{BLOCKED}ndigarh.com/vns/
• http://www.{BLOCKED}do.com/vns/
• http://www.{BLOCKED}rofessionalpodcast.com/vns/
• http://www.{BLOCKED}ioamadori.net/vns/
• http://www.{BLOCKED}ing.com/vns/
• http://www.{BLOCKED}edshop2020.com/vns/
• http://www.{BLOCKED}.com/vns/
• http://www.{BLOCKED}tpetproducts.com/vns/
• http://www.{BLOCKED}scollectionn.com/vns/
• http://www.{BLOCKED}latinumva.com/vns/
• http://www.{BLOCKED}ds.com/vns/
• http://www.{BLOCKED}ssentialmiss.com/vns/
• http://www.{BLOCKED}ht.com/vns/
• http://www.{BLOCKED}om/vns/
• http://www.{BLOCKED}ckl.com/vns/
• http://www.{BLOCKED}.com/vns/
• http://www.{BLOCKED}id.com/vns/

Rootkit Capabilities

This Trojan Spy does not have rootkit capabilities.

Information Theft

This Trojan Spy gathers the following data:

• SID
• Username
• Operating system information
• Clipboard and Keylogged data from the following Targeted Applications:
  • Browsers:
    • 360 Browser
    • Avant
    • Baidu
    • BlackHawk
    • Browzar
    • Canary
    • Chrome
    • Chromium
    • Citrio
    • Comodo Dragon
    • Comodo IceDragon
    • CoolNovo
    • Coowon
    • CyberFox
    • Deepnet
    • Dooble
    • Epic
    • Firefox
    • Internet Explorer
    • Iridium
    • KMeleon
    • Lunascape
    • Maxthon
    • Microsoft Edge
    • Midori
    • Mustang
    • Opera
    • Orbitum
    • PaleMoon
    • QTWeb
    • QupZilla
    • Rambler
    • Safari
    • SafeZone
    • ScriptFTP
    • SeaMonkey
    • Sleipnir
    • Superbird
    • Titan
    • Tor Browser
    • Torch
    • UC Browser
    • Vivaldi
    • Waterfox
    • Yandex
  • Mail Clients:
    • Barca
    • Foxmail
    • GMail
    • Incredimail
    • Microsoft Outlook
    • Mozilla Thunderbird
    • Opera Mail
  • FTP Clients:
    • 3DFTP
    • AbsoluteTelnet
    • ALFTP
    • BitKinex
    • CoreFTP
    • Far File Manager
    • FileZilla
    • FlashFXP
    • Fling FTP
    • LeechFTP
    • NCFTP
    • SmartFTP
    • Total Commander
    • WebDrive
    • WinSCP
  • Instant Messaging (IM) Applications:
    • ICQ Messenger
    • Pidgin
    • Skype
    • Trillian
    • WhatsApp
    • Yahoo Messenger
• Screen Captures

It logs a user's keystrokes to steal information.

Other Details

This Trojan Spy terminates itself if it detects it is being run in a virtual environment.

It does the following:

• terminates itself if a loaded module in the running process contains the following strings:
  • \cuckoo\
  • \sandcastle\
  • \aswsnx\
  • \sandbox\
  • \smpdir\
  • \samroot\
  • \avctestsuite\

It terminates itself if any of the following user name(s) are found in the affected system:

• cuckoo
• sandbox-
• nmsdbox-
• xxxx-ox-
• cwsx-
• wilbert-sc
• xpamast-sc

It does not proceed to its malicious routine if it detects that it is being debugged.

It does not exploit any vulnerability.