
Trojan:Win32/Emotet.D


First posted on 09 November 2017.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Emotet.D.

Explanation:

Installation

This threat usually arrives on your PC as a .zip or .exe file attached to a spam email. We have seen the attachment use the following file names:

  • 2014_11Details_zur_Transaktion_pdf.zip
  • 2014_11rechnung_K4768955881.zip
  • 2014_11rechnung_4768955881.zip
  • 2014_11rechnung_pdf_vodafone.zip


The malware creates a copy of itself as %APPDATA%\Identities\<random letters>.exe, for example %APPDATA%\Identities\hrwkrqii.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random letters>.exe", for example "hrwkrqii.exe"
With data: "%APPDATA%\Identities\<random letters>.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"

Payload

Injects code into running processes

This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code into other running processes.

Collects your sensitive information

This threat can collect your sensitive information, including your:
  • PC name
  • Location
  • Operating system version


Contacts a remote host

This threat generates a random 16-letter domain name and appends ".eu" as the top-level domain; we have seen many such domains in use.


It then tries to connect to the generated domain and waits for a reply from a malicious hacker. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC

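The two host and network indicators described above (an .exe under %APPDATA%\Identities\ registered in the HKCU Run key, and queries for 16-letter ".eu" domains) can be turned into simple triage checks. The following is an added example, not code from the original write-up or from Microsoft; the DNS log format and the sample data are constructed for illustration.

```python
import ntpath
import re

# Network indicator from the write-up: 16 lowercase letters followed by ".eu".
# Legitimate 16-letter .eu domains exist, so treat a match as a triage signal,
# not proof of infection.
DGA_PATTERN = re.compile(r"^[a-z]{16}\.eu$")

# Host indicator from the write-up: the dropped copy lives directly in %APPDATA%\Identities\.
PERSIST_DIR = r"%appdata%\identities"

# Constructed DNS log lines, format assumed: "<timestamp> <client-ip> <queried-domain>".
SAMPLE_DNS = [
    "2017-11-09T10:00:01 10.0.0.5 www.example.com",
    "2017-11-09T10:00:02 10.0.0.5 qwertyuiopasdfgh.eu",  # 16 letters + .eu -> hit
    "2017-11-09T10:00:03 10.0.0.7 mail.example.eu",      # has a subdomain -> no hit
    "2017-11-09T10:00:04 10.0.0.9 shortname.eu",         # too short -> no hit
    "2017-11-09T10:00:05 10.0.0.5 ZXCVBNMASDFGHJKL.EU",  # matched case-insensitively
]

# Constructed export of HKCU\...\CurrentVersion\Run (value name -> data);
# the hrwkrqii.exe entry is the example given in the write-up.
SAMPLE_RUN = {
    "Updater": r"C:\Program Files\Vendor\updater.exe",
    "hrwkrqii.exe": r'"%APPDATA%\Identities\hrwkrqii.exe"',
}


def is_dga_domain(domain: str) -> bool:
    """True if the domain has the 16-letter ".eu" shape described in the write-up."""
    return DGA_PATTERN.match(domain.strip().lower()) is not None


def flag_dns_log(lines):
    """Return the queried domains (lower-cased) that match the DGA shape."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_dga_domain(parts[2]):
            hits.append(parts[2].lower())
    return hits


def suspicious_run_entries(run_values):
    """Return Run-key value names whose data is an .exe directly inside %APPDATA%\\Identities\\.
    Assumes each data string is a bare, optionally quoted, path without arguments."""
    flagged = []
    for name, data in run_values.items():
        directory, filename = ntpath.split(data.strip('"'))
        if directory.lower() == PERSIST_DIR and filename.lower().endswith(".exe"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("DGA-like queries:", flag_dns_log(SAMPLE_DNS))
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN))
```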



Analysis by James Dee

Last update 09 November 2017
