Home / malware Trojan:Win32/Emotet.D
First posted on 01 December 2014.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Emotet.D.
Explanation :
Threat behavior
Installation
This threat usually arrives on your PC as a .zip or .exe file attached to a spam email. We have seen the attachment use the following file names:
- 2014_11Details_zur_Transaktion_pdf.zip
- 2014_11rechnung_K4768955881.zip
- 2014_11rechnung_4768955881.zip
- 2014_11rechnung_pdf_vodafone.zip
The malware creates a copy of itself as %APPDATA%\Identities\.exe, for example %APPDATA%\Identities\hrwkrqii.exe.
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ".exe", for example "hrwkrqii.exe"
With data: "%APPDATA%\Identities\.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"
Payload
Injects code into running processes
This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code to other running processes.
Collects your sensitive information
This threat can collect your sensitive information, including your:
- PC name
- Location
- Operating system version
Contacts a remote host
This threat generates a random 16-letter domain name and appends ".eu" as the top level domain. Some examples of the domains we have seen include:
- eaivsiosvxvudixc.eu
- edsryxnxmqbebfpo.eu
- ehbrejoktmkkjbsc.eu
- eklnkynpkfpgtkwb.eu
- eotapwbcrbymctac.eu
- erejvmnhitqimdrb.eu
- escauuoblwuskpdp.eu
- evmvnkbtcpacimuo.eu
- eywrtanysurkfvyn.eu
- fcxapenaadntcwky.eu
- fdvqbmotpseenjjn.eu
- fggaucbmtljaxsnm.eu
- fjqvnrarkeovucfy.eu
- fkommaolnhsggcen.eu
- fnyispnqeaxcqlim.eu
- frhixnbdlvtiyhla.eu
- fureeqnicoyejedm.eu
- fvpuplocfrdcuqon.eu
- fyaejobuvwukraga.eu
- kdepcflnibyotnsv.eu
- kgoliuksygqkekki.eu
- kkwxasxrscaeatnv.eu
- knhhtikkwurmwpru.eu
- kofxfqlealjkipqj.eu
- krptlgxjqqbgsyui.eu
- kuadfjkcujgcdvmu.eu
- kvxgqelvkmkmbilj.eu
- kyipwtkbofpilrpi.eu
- lcjxfxkciaxeisbt.eu
- lgrkkvxbcvtkqoeh.eu
- ljctqlktsbygblvg.eu
- lnkgvjxsmwumjhyt.eu
- lquccmklqpavtqdg.eu
- lrssnhlftsegfqcu.eu
- ludchkxkkljcpatt.eu
- lxnxaakdoeoxmjxs.eu
- lyloyuxjehsixvjh.eu
- qcrjgqhvnuroowkc.eu
- qgajlouuhqbikgbd.eu
- qjkfrehnljgeupfc.eu
- qnsrjcumffpkdyip.eu
- qqdbdfhfjxhgniac.eu
- qrbroaiyynlqluld.eu
- qulnuphedtqmvedp.eu
- qytaabiqwcagrngd.eu
- rcuiirueqwuoborb.eu
- rffrohhwhpaxlxva.eu
- rjnetfuvbljehhmb.eu
- rmxaaihofeoarqqa.eu
- rnvqldiiihskpdpo.eu
- rqgafgunymkgaahb.eu
- rtqvxitspfpckjla.eu
- ruomwqumsitmivwb.eu
- rxyidthfwbyisfon.eu
- sbaeykhgqvtepgay.eu
- sekafntlhoyaadrx.eu
- sfiqqiufkrdxxcdm.eu
- sismwxtkbkitiyhl.eu
- smbmcjuwuseaeixy.eu
- spliiytcyljvbrcl.eu
- sweetmttjaxxtwjx.eu
- sxcufuunmdcvfwim.eu
- xbipmdeajeocjxjh.eu
- xfqcrbrypmkirtmu.eu
- xiblxqqetfpecqeh.eu
- xjyojyrxjitoaddv.eu
- xmjxpoeqnbykkmhu.eu
- xpttveqvetqguvlt.eu
- xqrkumrphwuqsiki.eu
- xtctbpeilpaaqfcu.eu
- xxkggnrhfljgybfi.eu
- yanxpvdovparkprr.eu
- yblooeriysecvcqg.eu
- yevkutqnpljxsluf.eu
- yiekafrawhseouxs.eu
- ylogguqfnaxayepf.eu
- ypwsxferhvtghnss.eu
- yshcriqwxbycrwwr.eu
- ytfsdqrqbrdadwvg.eu
- ywpojgejfkivagns.eu
It then tries to connect to the generated domain and waits for a reply from a malicious hacker. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
Analysis by James Dee
Symptoms
The following can indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ".exe", for example "hrwkrqii.exe"
With data: "%APPDATA%\Identities\.exe", for example "%APPDATA%\Identities\hrwkrqii.exe" Last update 01 December 2014
