Win32/Emotet [Threat Name]
Win32/Emotet.AD [Threat Variant Name]
Category | trojan
Size | 198531 B
Aliases | Trojan.Win32.Inject.upww (Kaspersky), Trojan:Win32/Emotet.G (Microsoft), Trojan.Zbot (Symantec), TR/Dropper.VB.28240 (Avira)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\{%variable%}.exe
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "{%variable%}" = "%localappdata%\{%variable%}.exe"
It downloads the other part of the infiltration.
After the installation is complete, the trojan deletes the original executable file.
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
The trojan may create and run a new thread with its own program code within any running process.
Information stealing
The trojan collects the following information:
- operating system version
- computer name
- country
- volume serial number
- login user names for certain applications/services
- login passwords for certain applications/services
- FTP account information
The trojan collects sensitive information when the user browses certain web sites.
The following programs are affected:
- Google Chrome
- Internet Explorer
- Mozilla Firefox
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (14) URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- set up a proxy server
- send requested files
- modify the content of websites
- send the list of running processes to a remote computer
- uninstall itself
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Identities\{%variable%}\A\(Default)]
- [HKEY_CURRENT_USER\Identities\{%variable%}\C\G]
- [HKEY_CURRENT_USER\Identities\{%variable%}\C\P]
- [HKEY_CURRENT_USER\Identities\{%variable%}\B]
A string with variable content is used instead of %variable%.
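As an added, defender-side illustration (example code, not from this page or from ESET), the Python check below scans a .reg-style export for the two registry patterns described in the Installation and Other information sections: a Run value whose name matches the base name of a %localappdata%\{%variable%}.exe target, and HKEY_CURRENT_USER\Identities\{GUID} keys carrying the A, B, C\G or C\P subkeys. The sample export, its GUID and its value names are constructed.

```python
import re
# Constructed sample of a .reg-style export (not taken from the page); a
# benign Run entry sits beside entries shaped like the ones listed above.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"qzvkhw"="%localappdata%\\qzvkhw.exe"

[HKEY_CURRENT_USER\Identities\{3F2A9C10-5D8E-4B7A-9E1F-0C2D4A6B8E10}\A]
@=hex:01,02

[HKEY_CURRENT_USER\Identities\{3F2A9C10-5D8E-4B7A-9E1F-0C2D4A6B8E10}\C\G]
"x"=hex:03
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
GUID = r"\{[0-9A-Fa-f-]{36}\}"
# Data-storage keys from the description: Identities\{GUID}\A, \B, \C\G, \C\P.
IDENT_KEY = re.compile(r"^HKEY_CURRENT_USER\\Identities\\" + GUID + r"\\(A|B|C\\G|C\\P)$", re.IGNORECASE)
# Run data of the form %localappdata%\<name>.exe (or its expanded form
# C:\Users\<user>\AppData\Local\<name>.exe) with no subfolder in between.
LOCALAPP_EXE = re.compile(
    r"^(?:%localappdata%|[A-Za-z]:\\+Users\\+[^\\]+\\+AppData\\+Local)"
    r"\\+([^\\]+)\.exe$",
    re.IGNORECASE,
)

def find_indicators(text):
    """Return findings for the Run-key persistence and Identities patterns."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if IDENT_KEY.match(key):
                findings.append(f"identities data-storage key: {key}")
        elif key and key.lower() == RUN_KEY.lower() and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"'), data.strip('"')
            # The description pairs the value name with the exe base name.
            m = LOCALAPP_EXE.match(data)
            if m and m.group(1).lower() == name.lower():
                findings.append(f"run-key persistence: {name} -> {data}")
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG):
        print(finding)
```

A legitimate Outlook Express profile also lives under HKEY_CURRENT_USER\Identities\{GUID}, so the check keys on the single-letter A, B and C subkeys rather than on the parent key alone.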
The trojan hooks the following Windows APIs:
- closesocket (ws2_32.dll)
- connect (ws2_32.dll)
- HttpOpenRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- LdrLoadDll (ntdll.dll)
- NtClose (ntdll.dll)
- NtCreateThread (ntdll.dll)
- NtCreateUserProcess (ntdll.dll)
- PR_Close (nss3.dll)
- PR_OpenTCPSocket (nss3.dll)
- PR_Read (nss3.dll)
- PR_Write (nss3.dll)
- recv (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
The trojan contains both 32-bit and 64-bit program components.
The trojan may display a fake error message: