Trojan:Win32/Emotet.P
First posted on 04 October 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Emotet.P.
Explanation:
Arrival
This trojan has been distributed through Office documents or PDFs attached to spam email. The documents usually contain macro code or links that download and install this trojan.
Installation
During installation, this trojan might copy itself to the following folders:
- %LOCALAPPDATA%\Microsoft
It uses the following file names:
- homeevent.exe
- netshedule.exe
This trojan might create a service to automatically start with Windows. To do so, it creates the following registry entries:
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "Type"
With data: "0x00000010" (REG_DWORD)
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "Start"
With data: "0x00000002" (REG_DWORD)
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "ErrorControl"
With data: "0x00000000" (REG_DWORD)
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "DisplayName"
With data: "netshedule" (REG_SZ)
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "ObjectName"
With data: "LocalSystem" (REG_SZ)
In subkey: HKLM\SYSTEM\ControlSet001\services\netshedule
Sets value: "ImagePath"
With data: "C:\Windows\system32\netshedule.exe" (REG_EXPAND_SZ)
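The service entries above can be checked offline against a regedit export of the affected hive. This is an added example, not part of the Microsoft write-up: it parses .reg text (including the wrapped hex(2) encoding regedit uses for REG_EXPAND_SZ values such as ImagePath) and flags service subkeys whose ImagePath is one of the dropped file names; the sample export is constructed from the values listed above, not captured from a real host.

```python
# Indicators from the page: the dropped file names that appear as service ImagePath.
SUSPECT_FILES = {"homeevent.exe", "netshedule.exe"}

# Constructed regedit export (not from a real host); regedit writes REG_EXPAND_SZ as hex(2).
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netshedule]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="netshedule"
"ObjectName"="LocalSystem"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,65,00,74,00,\
  73,00,68,00,65,00,64,00,75,00,6c,00,65,00,2e,00,65,00,78,00,65,00,00,00
'''

def decode_value(raw):
    """Decode a .reg literal: dword, hex(2) (REG_EXPAND_SZ, UTF-16LE) or a quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Return {subkey: {value_name: decoded_data}}, re-joining lines regedit wrapped."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):                 # trailing backslash: value continues
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def find_emotet_services(keys):
    """Return (subkey, image, persist) for services whose ImagePath is a dropped file;
    persist is True when Start/Type/ObjectName match the auto-start LocalSystem setup."""
    hits = []
    for subkey, values in keys.items():
        image = str(values.get("ImagePath", "")).lower()
        if "\\services\\" in subkey.lower() and image.rsplit("\\", 1)[-1] in SUSPECT_FILES:
            persist = (values.get("Start"), values.get("Type"), values.get("ObjectName")) == (2, 0x10, "LocalSystem")
            hits.append((subkey, image, persist))
    return hits
```

On a live host the same check can be run over `reg export HKLM\SYSTEM\CurrentControlSet\Services` output; a hit with persist False still deserves a look, since only the file name matched.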
Payload
The Win32/Emotet family is known to do the following:
- Steals user names and passwords
- Sends collected data to a remote server
- Downloads and installs other malware
Analyzed samples have been observed to connect to:
hXXp://74.208.155.175:8080/
With the following User-Agent header:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Last update 04 October 2017