Home / malwarePDF  

Trojan:Win32/Emotet.G


First posted on 11 March 2015.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Emotet.G.

Explanation :

Threat behavior

Installation

This threat usually arrives on your PC as a ZIP or EXE file attached to a spam email. We have seen the attachment use the following file names:

  • ups_lang_de_Tracking_4P63M5427712804597.zip
  • ZustellinfoDHL_Mitteilungen_8445438742.zip


The malware creates a copy of itself as %APPDATA%\Microsoft\msdb.exe, for example %APPDATA%\Microsoft\msdb2457cc6.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "msdb.exe", for example "msdb2457cc6.exe"
With data: "%APPDATA%\Microsoft\msdb.exe", for example "%APPDATA%\Microsoft\msdb2457cc6.exe"


Payload

Injects code into running processes

This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code to other running processes.

Collects your sensitive information

This threat can collect your sensitive information, including your:

  • Location
  • Operating system version
  • PC name


Downloads other malware

We have seen this threat download the following malware:

  • PWS:Win32/Emotet.E
  • Spammer:Win32/Emotet.B


Contacts a remote host

This threat connects to a remote host to:
  • Download and run files, including updates or other malware
  • Receive instructions from a malicious hacker
  • Report a new infection to its author
  • Upload data taken from your PC


We have seen it connect to the following servers:

  • 106..103.213
  • 106..17.24
  • 134..133.96
  • 142..18.239
  • 162..80.214
  • 162..88.73
  • 162..77.164
  • 185..55.88
  • 192..208.168
  • 197..182.110
  • 198..231.79
  • 198..78.98
  • 200..128.19
  • 209..6.60
  • 46..107.142
  • 69..152.111
  • 72..150.60
  • 74..247.144
  • 88..192.116
  • 88..228.111
  • 94..28.211




Analysis by HeungSoo David Kang

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "msdb.exe", for example "msdb2457cc6.exe"
    With data: "%APPDATA%\Microsoft\msdb.exe", for example "%APPDATA%\Microsoft\msdb2457cc6.exe"

Last update 11 March 2015

 

TOP

Malware :

Family: