Trojan:Win32/Emotet.K
First posted on 29 April 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Emotet.K.
Explanation:
Installation
This threat is distributed as a .pdf file attachment which contains a link that points to a JS file. It usually arrives attached to spammed fake-invoice email messages.
When you are socially engineered into clicking the link, the JS file downloads and executes the banking trojan, which opens the gate to stealing your banking information.
When this threat is executed, it drops a [random].lnk file in the %APPDATA%\roaming\microsoft\windows\start menu\programs\startup directory.
It then renames the malware to %APPDATA%\local\[random]\[random].exe.
Payload
Connects to a remote host
We have seen this threat attempt to connect to the following Command and Control (C2) servers:
- 85.143.221.180:7080
- 104.227.137.34:7080
- 119.82.27.246:8080
- 137.74.254.64:8080
- 173.224.218.25:443
- 173.230.136.67:443
- 188.165.220.214:8080
- 194.88.246.7:8080
- 206.214.220.79:8080
- 212.83.166.45:8080
Malware can connect to a remote host to do any of the following:
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a remote hacker
- Upload data taken from your PC
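The two host and network indicators above (the startup-folder .lnk pointing at a renamed binary under %APPDATA%, and the C2 endpoint list) can be turned into a small triage check. The following Python script is an added example written for this page, not Microsoft's own tooling: the C2 endpoints are taken from the list above, while the connection-log line format, the sample log lines and the (shortcut path, shortcut target) pairs are constructed for the example. It also assumes that the page's %APPDATA%\local path refers to the user's AppData\Local folder and therefore accepts both readings.

```python
"""Triage helpers for the Emotet.K indicators described on this page.

Added example: C2 endpoints come from the page; the log format, sample log
lines and shortcut pairs are constructed.  Resolving a .lnk to its target is
stood in for by plain (lnk_path, target_path) tuples (an assumption of this
example, e.g. the output of a shortcut-parsing helper).
"""
import re

# Command-and-control endpoints listed on the page: (ip, port)
EMOTET_K_C2 = {
    ("85.143.221.180", 7080), ("104.227.137.34", 7080),
    ("119.82.27.246", 8080), ("137.74.254.64", 8080),
    ("173.224.218.25", 443), ("173.230.136.67", 443),
    ("188.165.220.214", 8080), ("194.88.246.7", 8080),
    ("206.214.220.79", 8080), ("212.83.166.45", 8080),
}
C2_IPS = {ip for ip, _ in EMOTET_K_C2}

# Connection-log line format assumed for this example:
#   "<timestamp> src=<ip>:<port> dst=<ip>:<port>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_c2_connections(lines):
    """Return (timestamp, source ip, dest ip, dest port, match kind) for each
    line whose destination is a listed C2 server.  "ip+port" means the exact
    endpoint from the page; "ip-only" means the IP on a different port,
    which is worth a look but is a weaker indicator.  Malformed lines are skipped.
    """
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in EMOTET_K_C2:
            hits.append((m["ts"], m["src"], dst, dport, "ip+port"))
        elif dst in C2_IPS:
            hits.append((m["ts"], m["src"], dst, dport, "ip-only"))
    return hits


# A .lnk directly inside the per-user Startup folder ...
STARTUP_RE = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
# ... whose target is <random dir>\<random>.exe directly under AppData\Local
# (or the page's literal %APPDATA%\local, i.e. AppData\Roaming\local).
TARGET_RE = re.compile(
    r"\\appdata\\(?:roaming\\)?local\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def find_suspicious_startup_links(shortcuts):
    """shortcuts: iterable of (lnk_path, target_path).  Returns the pairs that
    match the persistence pattern described on the page."""
    return [(lnk, target) for lnk, target in shortcuts
            if STARTUP_RE.search(lnk) and TARGET_RE.search(target)]


# Constructed sample data (the 192.0.2.x address is a documentation range).
SAMPLE_CONN_LOG = [
    "2017-04-29T08:12:03Z src=10.0.0.15:49201 dst=85.143.221.180:7080",
    "2017-04-29T08:12:04Z src=10.0.0.15:49202 dst=192.0.2.10:443",
    "2017-04-29T08:13:10Z src=10.0.0.22:50011 dst=173.224.218.25:80",
    "2017-04-29T08:14:00Z src=10.0.0.22:50012 dst=212.83.166.45:8080",
    "this line is not a connection record",
]
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_SHORTCUTS = [
    (STARTUP + r"\kd82ls.lnk", r"C:\Users\alice\AppData\Local\zq9mx\pltw3.exe"),
    (STARTUP + r"\OneDrive.lnk",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"C:\Users\alice\Desktop\notes.lnk", r"C:\Users\alice\AppData\Local\abc\def.exe"),
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONN_LOG):
        print("C2 traffic:", hit)
    for lnk, target in find_suspicious_startup_links(SAMPLE_SHORTCUTS):
        print("Startup persistence:", lnk, "->", target)
```

On the sample data the network check reports the two exact endpoint matches plus the "ip-only" hit on port 80, and the startup check flags only the kd82ls.lnk entry: the OneDrive shortcut lives in the Startup folder but its target sits two directories deep under AppData\Local, so it does not fit the single-random-directory pattern the page describes. When adapting this to real systems, feed the shortcut resolver's output into find_suspicious_startup_links and treat "ip-only" hits as leads to confirm rather than as detections on their own.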
Collects your sensitive information
We have seen this threat collect your sensitive information, including your:
- Email address from Outlook
- Location
- Operating system version
- PC name
Analysis by Jeong Mun. Last update 29 April 2017.