Home / malware PWS:Win32/Emotet.E
First posted on 24 December 2014.
Source: MicrosoftAliases :
There are no other names known for PWS:Win32/Emotet.E.
Explanation :
Threat behavior
Installation
This threat is installed by Trojan:Win32/Emotet.C.
It creates the following file on your PC:
- %APPDATA% \mailpv.exe (detected as HackTool:Win32/Mailpassview)
HackTool:Win32/Mailpassview is deleted once your email account information has been stolen.
Payload
Steals your email account user names and passwords
This malware installs HackTool:Win32/Mailpassview onto your PC. This hacktool is run in a hidden window and collects your email credentials before being deleted by the malware.
The malware then connects to one the following remote servers to send the stolen information:
- 192.232.192.235
- bardubar.com/
/ /smtp.php - bigbrotherswhitecarsite.eu/
/ /smtp.php - likesomthingstrongandculture.eu/
/ /smtp.php
The stolen email credentials are then used for sending spam emails that spread malware in the Win32/Emotet family.
Analysis by HeungSoo (David) Kang
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\mailpv.exeLast update 24 December 2014