Security home

 

Home / malwarePDF  

PWS:Win32/Emotet.E


First posted on 09 November 2017.
Source: Microsoft

Aliases :

There are no other names known for PWS:Win32/Emotet.E.

Explanation :

Installation

This threat is installed by Trojan:Win32/Emotet.C.

It creates the following file on your PC:

  • %APPDATA% \mailpv.exe (detected as HackTool:Win32/Mailpassview)


HackTool:Win32/Mailpassview is deleted once your email account information has been stolen.

Payload


Steals your email account user names and passwords

This malware installs HackTool:Win32/Mailpassview onto your PC. This hacktool is run in a hidden window and collects your email credentials before being deleted by the malware.

The malware then connects to one the following remote servers to send the stolen information:
  • 192.232.192.235
  • bardubar.com///smtp.php
  • bigbrotherswhitecarsite.eu///smtp.php
  • likesomthingstrongandculture.eu///smtp.php


The stolen email credentials are then used for sending spam emails that spread malware in the Win32/Emotet family.



Analysis by HeungSoo (David) Kang

Last update 09 November 2017

 

TOP

Malware :

Family: