Home / malware Trojan:Win32/Emotet.N!bit
First posted on 29 August 2017.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Emotet.N!bit.
Explanation :
Installation
Malware from the Win32/Emotet family usually arrives on an infected machine as a .zip or .exe file attached to a spam email.
This threat can also be downloaded onto your PC through malicious links in a PDF attachments.
We have seen this file use the following names:
- 2014_05_rechnungonline_8290155236_sign_deutsche_telekom_ag.exe
- 2014_06informationen_zum_transaktions_pdf.zip that contains the malicious informationen_zum_transaktions_2014_06_10_02092083044_volksbank.exe
- 2014_06rechnung_0020273640_sign_telekom_deutschland_gmbh.exe
- 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe
- 2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe
- informationen_zum_transaktions_2014_06_10_02092083044_volksbank.exe
- Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
- Rechnung_2314_06_198630274520031.exe
Depending on the platform it's running on, it will inject a DLL (x86 or x64) from the original dropper into explorer.exe.
It creates a copy of itself under %APPDATA%\microsoft\.exe. We have seen it use file names made up of three random letters followed by one of the following key words:
- api32
- audio
- bios
- boot
- cap32
- common
- config
- crypt
- edit32
- error
- mgr32
- serial
- setup
- share
- sock
- system
- update
- video
- windows
For example, %APPDATA%\microsoft\pjrvideo.exe.
This copy will be added to startup by adding a registry value in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run named "", where is the file created on installation. For example:
In subkey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Sets value: "fhtupdate.exe"
With data: "fhtupdate.exe"
Payload
Steals your user names and passwords
Win32/Emotet downloads another payload DLL that can intercepts traffic from Internet Explorer, Mozilla Firefox, Google Chrome, and other network traffic by hooking network functions. It can also effect web pages that use http secure (https) connections.
It can also target the following banks or financial portals and institutions:
- BNP Paribas (cortalconsors.de)
- Com Direct (comdirect.de)
- Deutsche Kredit Bank (dkb.de)
- Finducia (finanzportal.fiducia.de)
- GAD (gad.de)
- GE Capital (gecapital.de)
- PostBank (postbank.de)
- PSD Bank (psd-bank.de)
It sends the collected data to a remote server controlled by the malicious hacker. We have seen it connect to the following servers:
- 109.235.56.16
- 111.221.115.86
- 128.100.195.241
- 128.100.195.250
- 132.245.210.12
- 132.245.210.9
- 132.245.226.50
- 132.245.229.146
- 132.245.229.162
- 132.245.229.178
- 141.251.30.134
- 157.56.251.217
- 157.56.251.220
- 157.56.255.226
- 157.56.255.54
- 157.56.255.57
- 157.56.96.123
- 157.56.96.156
- 161.53.97.57
- 173.194.66.108
- 173.194.78.108
- 185.4.124.170
- 192.200.105.132
- 193.158.240.10
- 193.222.73.227
- 193.28.233.32
- 193.47.246.76
- 195.186.145.42
- 195.222.21.12
- 207.46.114.62
- 207.46.201.122
- 212.143.95.24
- 212.227.15.171
- 212.227.15.188
- 212.227.17.162
- 2a01:111:f400:9851::2
- 46.30.211.89
- 5.149.171.178
- 62.146.106.12
- 65.55.242.252
- 74.125.143.109
- 77.105.38.209
- 78.142.182.76
- 80.150.9.158
- 80.67.18.107
- 80.74.157.171
- 81.169.145.103
- 81.19.149.32
- 86.35.0.126
- 88.116.214.146
- 90.177.111.208
- 91.250.66.120
- 93.64.202.165
- distrbilko.pw
- labamito.ru
- naimjax.ru
- usportrock.ru
Downloads other malware
We have seen this threat download the following malware:
- Banking module - manipulates the webpage of targeted banks.
- PWS:Win32/Emotet.E
- Spammer:Win32/Emotet
- TrojanDownloader:Win32/Emotet
Additional information
This threat can create one or more mutexes on your PC. For example:
- 6A0M
- 6A0I
This can be an infection marker to prevent more than one copy of the threat running on your PC.Last update 29 August 2017
