Win32/Emotet [Threat Name]

Win32/Emotet.AB [Threat Variant Name]

Category trojan
Size 184832 B
Detection created Oct 28, 2014
Detection database version 10633
Aliases Trojan.Win32.Yakes.hgem (Kaspersky)
  Downloader.Ponik (Symantec)
  TR/Emotet.A.44 (Avira)
Short description

Win32/Emotet.AB is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Identities\%variable1%.exe

A string with variable content is used instead of %variable1%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\Identities\%variable1%.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer name
  • country
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (85) IP addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • delete Registry entries

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\q%variable2%]
  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\w%variable2%]
  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\e%variable2%]
  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\e%variable2%\t]
  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\e%variable2%\y]
  • [HKEY_CURRENT_USER\Software\Netscape\5.0\%variable2%\r%variable2%]

A string with variable content is used instead of %variable2%.
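As an added example (not ESET's code and not part of this write-up), the Python below turns three of the indicators above into offline triage checks: the %appdata%\Identities\<name>.exe drop path and its Run entry from the Installation section, the thread injection from that path into explorer.exe and other processes, and the HKCU\Software\Netscape\5.0\<var>\{q,w,e,r}<var> storage keys. It parses a .reg-style export and a list of CreateRemoteThread-style event records instead of touching a live registry, so it runs anywhere. The export text, the event records, the names kzqowd and xk2v, and the function names are all constructed for this example; the field names SourceImage and TargetImage are assumed to follow Sysmon Event ID 8.

```python
"""Offline triage for the Win32/Emotet.AB indicators listed on this page.
Added example, not ESET's code. All inputs below are constructed."""
import re

# Drop path, unexpanded (%appdata%) or expanded (...\AppData\Roaming).
DROP_PATH_RE = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\identities\\[^\\]+\.exe$", re.IGNORECASE
)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# Storage keys from the page: <var>\{q,w,e,r}<var>, optionally followed by \t or \y.
# The bare parent key ...\5.0\<var> is not flagged on its own.
NETSCAPE_RE = re.compile(
    r"^hkey_current_user\\software\\netscape\\5\.0\\(?P<var>[^\\]+)\\[qwer](?P=var)(?:\\[ty])?$"
)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def is_drop_path(path):
    """True when a file path (possibly quoted) sits in the Identities drop location."""
    return DROP_PATH_RE.search(path.strip().strip('"')) is not None


def parse_reg_export(text):
    """Yield (key, name, data) from a .reg export; a key line yields (key, None, None)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            key = m.group(1)
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            # .reg files double the backslashes inside string data; undo that.
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")


def scan_registry_export(text):
    """Return (kind, key, detail) findings for the persistence and storage indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        low = key.lower()
        if name is None:
            if NETSCAPE_RE.match(low):
                findings.append(("netscape-storage-key", key, None))
        elif low == RUN_KEY and is_drop_path(data):
            findings.append(("run-key-persistence", key, f"{name}={data}"))
    return findings


def flag_remote_threads(events):
    """Keep CreateRemoteThread-style events whose source process runs from the drop path."""
    return [e for e in events if is_drop_path(e.get("SourceImage", ""))]


# Constructed .reg export: one benign Run entry, one matching the page's indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"kzqowd"="C:\\Users\\alice\\AppData\\Roaming\\Identities\\kzqowd.exe"

[HKEY_CURRENT_USER\Software\Netscape\5.0\xk2v]

[HKEY_CURRENT_USER\Software\Netscape\5.0\xk2v\qxk2v]

[HKEY_CURRENT_USER\Software\Netscape\5.0\xk2v\exk2v\t]
"""

# Constructed event records shaped like Sysmon Event ID 8 (CreateRemoteThread) fields.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Roaming\Identities\kzqowd.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Roaming\Identities\kzqowd.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for finding in scan_registry_export(SAMPLE_EXPORT):
        print(finding)
    for event in flag_remote_threads(SAMPLE_EVENTS):
        print("injection:", event["SourceImage"], "->", event["TargetImage"])
```

On the sample export the scan reports the kzqowd Run entry and the two Netscape keys that carry a q/e prefix, while the bare parent key and the OneDrive entry are left alone; two of the three event records are flagged because their source image is the Identities drop path. The regexes are deliberately strict about the key layout so that legitimate Netscape keys are not swept up; a real hunt would feed `reg export HKCU` output and Event ID 8 records into the same functions.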


The trojan hooks the following Windows APIs:

  • NtResumeThread (ntdll.dll)

The trojan contains both 32-bit and 64-bit program components.
