Win32/Emotet [Threat Name]
Win32/Emotet.AA [Threat Variant Name]
| Field | Value |
| --- | --- |
| Category | trojan |
| Size | 70144 B |
| Aliases | Trojan-Ransom.Win32.Foreign.kvnr (Kaspersky); Troj/Cridex-EG (Sophos); Trojan.Emotet.2 (Dr.Web) |
Short description
Win32/Emotet.AA is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates the following files:
- %appdata%\Microsoft\%variable1%%variable2%.exe (81920 B, Win32/Emotet.AA)
A string with variable content is used instead of %variable1%.
The %variable2% is one of the following strings:
- api32
- audio
- bios
- boot
- cap32
- common
- config
- crypt
- edit32
- error
- mgr32
- serial
- setup
- share
- sock
- system
- update
- video
- windows
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%%variable2%.exe" = "%appdata%\Microsoft\%variable1%%variable2%.exe"
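Added here as a defender-side illustration, not ESET's own tooling: a Python check that scans the text of a `reg export` of the HKCU Run key for values that fit the persistence entry above (data under %appdata%\Microsoft\, file name ending in one of the listed %variable2% strings, value name equal to the file name). The sample export, the user name and the value names in it are constructed.

```python
import re

# Suffixes the write-up lists for %variable2% in the dropped file name.
EMOTET_SUFFIXES = (
    "api32", "audio", "bios", "boot", "cap32", "common", "config", "crypt",
    "edit32", "error", "mgr32", "serial", "setup", "share", "sock", "system",
    "update", "video", "windows",
)

# %appdata%\Microsoft\<variable1><variable2>.exe, with %appdata% either left
# literal or expanded to a Roaming profile path. variable1 must be non-empty.
_DROP_PATH = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\microsoft\\"
    r"([^\\]+?)(" + "|".join(EMOTET_SUFFIXES) + r")\.exe$",
    re.IGNORECASE,
)

# One value line of a .reg export: "name"="data", using \\ and \" escapes.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def is_emotet_run_value(name, data):
    """True when a Run value matches the write-up: data is the dropped path
    and the value name equals the dropped file name."""
    m = _DROP_PATH.match(data.strip().strip('"'))
    return bool(m) and name.lower() == (m.group(1) + m.group(2) + ".exe").lower()


def find_emotet_run_values(reg_export_text):
    """Return the (name, data) pairs in a reg export that match the pattern."""
    hits = []
    for line in reg_export_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m and is_emotet_run_value(_unescape(m.group(1)), _unescape(m.group(2))):
            hits.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return hits


# Constructed sample export (not a real capture): a benign entry, one entry
# that follows the write-up, and a near-miss whose suffix is not in the list.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"fkqzaudio.exe"="%appdata%\\Microsoft\\fkqzaudio.exe"
"fkqzprinter.exe"="%appdata%\\Microsoft\\fkqzprinter.exe"
'''

if __name__ == "__main__":
    for name, data in find_emotet_run_values(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value: {name} -> {data}")
```

Feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; a hit is a lead for triage, not proof of infection, since the prefix is arbitrary.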
The trojan may create and run a new thread with its own program code within any running process.
Information stealing
The trojan collects the following information:
- information about the operating system and system settings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 11 URLs and communicates with them over HTTP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- delete Registry entries
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\%variable1%\%variable2%]
- "1"
- "2"
A string with variable content is used instead of %variable1-2%.