Win32/Emotet [Threat Name] go to Threat

Win32/Emotet.AB [Threat Variant Name]

Category	trojan
Size	184832 B
Aliases	Trojan.Win32.Yakes.hgem (Kaspersky)
	Downloader.Ponik (Symantec)
	TR/Emotet.A.44 (Avira)

Win32/Emotet.AB is a trojan which tries to download other malware from the Internet.

When executed, the trojan copies itself into the following location:

A string with variable content is used instead of %variable1% .

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable1%" = "%appdata%\Identities\%variable1%.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (85) IP addresses. The HTTP protocol is used.

It can execute the following operations:

The trojan keeps various information in the following Registry keys:

A string with variable content is used instead of %variable2% .

The trojan hooks the following Windows APIs:

The trojan contains both 32-bit and 64-bit program components.