
Trojan:Win32/Emotet


First posted on 06 April 2020.
Source: Microsoft

Aliases:

Trojan:Win32/Emotet is also known as W32/Trojan.ENPO-5670, Trojan-Ransom.Win32.Foreign.kurp, winpe/Kryptik.CDSJ, TR/Agent.BDBT.1, Trojan.DownLoader11.10009, Win32/TrojanDownloader.Agent.AOJ, W32/Agent.AOJ!tr, Troj/Ransom-AHN, W32.Cridex.B, TROJ_DLOADR.BDL.

Explanation:

Installation

Win32/Emotet usually arrives on your PC as a .zip or .exe file attached to a spam email.

This threat can also be downloaded onto your PC through malicious links in PDF attachments.

We have seen this threat use the following names:

2014_05_rechnungonline_8290155236_sign_deutsche_telekom_ag.exe
2014_06informationen_zum_transaktions_pdf.zip
2014_06rechnung_0020273640_sign_telekom_deutschland_gmbh.exe
2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe
2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe
informationen_zum_transaktions_2014_06_10_02092083044_volksbank.exe
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
Rechnung_2314_06_198630274520031.exe

Depending on the platform it's running on, it will inject a DLL file from the original dropper into explorer.exe to intercept network traffic.

It creates a copy of itself under %APPDATA%\microsoft\<file name>.exe. We have seen it use file names made up of three random letters followed by one of the following key words:

api32
audio
bios
boot
cap32
common
config
crypt
edit32
error
mgr32
serial
setup
share
sock
system
update
video
windows

For example, %APPDATA%\microsoft\pjrvideo.exe.

This copy is added to startup through a registry value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run named "<file name>", where <file name> is the name of the file created on installation. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "fhtupdate.exe"
With data: "fhtupdate.exe"
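The Run-key and file-naming details above can be turned into a check over a snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The Python below is an added example, not part of the original write-up: the snapshot is constructed, and the matching rule (value name equal to its data, name of the form three letters plus one of the listed key words plus .exe) is an interpretation of the description above.

```python
import re
from typing import Dict, List, Tuple

# Key words the write-up lists as the suffix of the dropped copy's file name
KEYWORDS = [
    "api32", "audio", "bios", "boot", "cap32", "common", "config", "crypt",
    "edit32", "error", "mgr32", "serial", "setup", "share", "sock", "system",
    "update", "video", "windows",
]
_KW = "|".join(KEYWORDS)

# Bare file name: three random letters followed by one key word, e.g. "pjrvideo.exe"
NAME_RE = re.compile(r"^[a-z]{3}(?:" + _KW + r")\.exe$", re.IGNORECASE)

# Full drop path: %APPDATA%\microsoft\<name>.exe, with %APPDATA% either literal or expanded
PATH_RE = re.compile(
    r"^(?:%APPDATA%|.*\\AppData\\Roaming)\\microsoft\\[a-z]{3}(?:" + _KW + r")\.exe$",
    re.IGNORECASE,
)


def matches_dropped_name(file_name: str) -> bool:
    return NAME_RE.match(file_name) is not None


def matches_dropped_path(path: str) -> bool:
    return PATH_RE.match(path) is not None


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs whose value name equals the data's file
    name and whose file name has the <3 letters><key word>.exe shape."""
    hits = []
    for name, data in run_values.items():
        # Reduce data to a bare file name so a full path and a bare name compare alike
        base = data.rsplit("\\", 1)[-1].strip('"')
        if base.lower() == name.lower() and matches_dropped_name(base):
            hits.append((name, data))
    return hits


# Constructed Run-key snapshot (hypothetical values, not taken from the write-up)
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "fhtupdate.exe": "fhtupdate.exe",                 # same shape as the example above
    "pjrvideo.exe": r"%APPDATA%\microsoft\pjrvideo.exe",
    "svchost": r"C:\Windows\System32\svchost.exe",
    "update.exe": "update.exe",                       # key word without the 3-letter prefix
}

if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r} -> {data!r}")
```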

It also injects the payload DLL in all running processes.

Payload

Steals your user names and passwords

Win32/Emotet downloads another payload DLL that hooks network functions to intercept traffic from Internet Explorer, Mozilla Firefox, Google Chrome and other applications. It can also affect webpages served over HTTPS connections.

It targets the following banks and financial portals:

BNP Paribas (cortalconsors.de)
Com Direct (comdirect.de)
Deutsche Kredit Bank (dkb.de)
Fiducia (finanzportal.fiducia.de)
GAD (gad.de)
GE Capital (gecapital.de)
PostBank (postbank.de)
PSD Bank (psd-bank.de)

It sends the collected data to a remote server controlled by the malicious hacker. We have seen it connect to the following servers:


Downloads other malware

We have seen this threat download the following malware:

Banking module - manipulates the webpage of targeted banks.
PWS:Win32/Emotet.E
Spammer:Win32/Emotet
TrojanDownloader:Win32/Emotet

Additional information

This threat creates two mutexes, for example 6A0M or 6A0I.

This can be an infection marker to prevent more than one copy of the threat running on your PC.

Analysis by Daniel Chipiristeanu

Last update 06 April 2020
