Home / malwarePDF  

Trojan:Win32/Emotet.D


First posted on 01 December 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Emotet.D.

Explanation :

Threat behavior

Installation

This threat usually arrives on your PC as a .zip or .exe file attached to a spam email. We have seen the attachment use the following file names:

  • 2014_11Details_zur_Transaktion_pdf.zip
  • 2014_11rechnung_K4768955881.zip
  • 2014_11rechnung_4768955881.zip
  • 2014_11rechnung_pdf_vodafone.zip


The malware creates a copy of itself as %APPDATA%\Identities\.exe, for example %APPDATA%\Identities\hrwkrqii.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ".exe", for example "hrwkrqii.exe"
With data: "%APPDATA%\Identities\.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"


Payload

Injects code into running processes

This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code to other running processes.

Collects your sensitive information

This threat can collect your sensitive information, including your:

  • PC name
  • Location
  • Operating system version


Contacts a remote host

This threat generates a random 16-letter domain name and appends ".eu" as the top level domain. Some examples of the domains we have seen include:
  • eaivsiosvxvudixc.eu
  • edsryxnxmqbebfpo.eu
  • ehbrejoktmkkjbsc.eu
  • eklnkynpkfpgtkwb.eu
  • eotapwbcrbymctac.eu
  • erejvmnhitqimdrb.eu
  • escauuoblwuskpdp.eu
  • evmvnkbtcpacimuo.eu
  • eywrtanysurkfvyn.eu
  • fcxapenaadntcwky.eu
  • fdvqbmotpseenjjn.eu
  • fggaucbmtljaxsnm.eu
  • fjqvnrarkeovucfy.eu
  • fkommaolnhsggcen.eu
  • fnyispnqeaxcqlim.eu
  • frhixnbdlvtiyhla.eu
  • fureeqnicoyejedm.eu
  • fvpuplocfrdcuqon.eu
  • fyaejobuvwukraga.eu
  • kdepcflnibyotnsv.eu
  • kgoliuksygqkekki.eu
  • kkwxasxrscaeatnv.eu
  • knhhtikkwurmwpru.eu
  • kofxfqlealjkipqj.eu
  • krptlgxjqqbgsyui.eu
  • kuadfjkcujgcdvmu.eu
  • kvxgqelvkmkmbilj.eu
  • kyipwtkbofpilrpi.eu
  • lcjxfxkciaxeisbt.eu
  • lgrkkvxbcvtkqoeh.eu
  • ljctqlktsbygblvg.eu
  • lnkgvjxsmwumjhyt.eu
  • lquccmklqpavtqdg.eu
  • lrssnhlftsegfqcu.eu
  • ludchkxkkljcpatt.eu
  • lxnxaakdoeoxmjxs.eu
  • lyloyuxjehsixvjh.eu
  • qcrjgqhvnuroowkc.eu
  • qgajlouuhqbikgbd.eu
  • qjkfrehnljgeupfc.eu
  • qnsrjcumffpkdyip.eu
  • qqdbdfhfjxhgniac.eu
  • qrbroaiyynlqluld.eu
  • qulnuphedtqmvedp.eu
  • qytaabiqwcagrngd.eu
  • rcuiirueqwuoborb.eu
  • rffrohhwhpaxlxva.eu
  • rjnetfuvbljehhmb.eu
  • rmxaaihofeoarqqa.eu
  • rnvqldiiihskpdpo.eu
  • rqgafgunymkgaahb.eu
  • rtqvxitspfpckjla.eu
  • ruomwqumsitmivwb.eu
  • rxyidthfwbyisfon.eu
  • sbaeykhgqvtepgay.eu
  • sekafntlhoyaadrx.eu
  • sfiqqiufkrdxxcdm.eu
  • sismwxtkbkitiyhl.eu
  • smbmcjuwuseaeixy.eu
  • spliiytcyljvbrcl.eu
  • sweetmttjaxxtwjx.eu
  • sxcufuunmdcvfwim.eu
  • xbipmdeajeocjxjh.eu
  • xfqcrbrypmkirtmu.eu
  • xiblxqqetfpecqeh.eu
  • xjyojyrxjitoaddv.eu
  • xmjxpoeqnbykkmhu.eu
  • xpttveqvetqguvlt.eu
  • xqrkumrphwuqsiki.eu
  • xtctbpeilpaaqfcu.eu
  • xxkggnrhfljgybfi.eu
  • yanxpvdovparkprr.eu
  • yblooeriysecvcqg.eu
  • yevkutqnpljxsluf.eu
  • yiekafrawhseouxs.eu
  • ylogguqfnaxayepf.eu
  • ypwsxferhvtghnss.eu
  • yshcriqwxbycrwwr.eu
  • ytfsdqrqbrdadwvg.eu
  • ywpojgejfkivagns.eu


It then tries to connect to the generated domain and waits for a reply from a malicious hacker. Commonly, malware does this to:

  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC




Analysis by James Dee

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: ".exe", for example "hrwkrqii.exe"
    With data: "%APPDATA%\Identities\.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"

Last update 01 December 2014

 

TOP