Win32/Emotet [Threat Name] go to Threat

Win32/Emotet.AD [Threat Variant Name]

Category trojan
Size 198531 B
Aliases Trojan.Win32.Inject.upww (Kaspersky)
  Trojan:Win32/Emotet.G (Microsoft)
  Trojan.Zbot (Symantec)
  TR/Dropper.VB.28240 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %localappdata%\­{%variable%}.exe

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "{%variable%}" = "%localappdata%\­{%variable%}.exe"

It downloads the other part of the infiltration.

After the installation is complete, the trojan deletes the original executable file.

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan may create and run a new thread with its own program code within any running process.

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • country
  • volume serial number
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (14) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • send requested files
  • modify the content of websites
  • send the list of running processes to a remote computer
  • uninstall itself

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Identities\­{%variable%}\­A\­(Default)]
  • [HKEY_CURRENT_USER\­Identities\­{%variable%}\­C\­G]
  • [HKEY_CURRENT_USER\­Identities\­{%variable%}\­C\­P]
  • [HKEY_CURRENT_USER\­Identities\­{%variable%}\­B]

A string with variable content is used instead of %variable% .

The trojan hooks the following Windows APIs:

  • closesocket (ws2_32.dll)
  • connect (ws2_32.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • LdrLoadDll (ntdll.dll)
  • NtClose (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtCreateUserProcess (ntdll.dll)
  • PR_Close (nss3.dll)
  • PR_OpenTCPSocket (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)

The trojan contains both 32-bit and 64-bit program components.

The trojan may display a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.