
PWS:Win32/Emotet.E


First posted on 24 December 2014.
Source: Microsoft

Aliases:

There are no other names known for PWS:Win32/Emotet.E.

Explanation:

Threat behavior

Installation

This threat is installed by Trojan:Win32/Emotet.C.

It creates the following file on your PC:

  • %APPDATA%\mailpv.exe (detected as HackTool:Win32/Mailpassview)


HackTool:Win32/Mailpassview is deleted once your email account information has been stolen.

Payload


Steals your email account user names and passwords

This malware installs HackTool:Win32/Mailpassview onto your PC. This hacktool is run in a hidden window and collects your email credentials before being deleted by the malware.

The malware then connects to one of the following remote servers to send the stolen information:

  • 192.232.192.235
  • bardubar.com///smtp.php
  • bigbrotherswhitecarsite.eu///smtp.php
  • likesomthingstrongandculture.eu///smtp.php


The stolen email credentials are then used for sending spam emails that spread malware in the Win32/Emotet family.



Analysis by HeungSoo (David) Kang

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %APPDATA%\mailpv.exe
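The write-up gives two kinds of indicator a defender can act on: the exfiltration servers listed under Payload and the dropped file listed under Symptoms. The script below is an added example, not part of the original entry or of Microsoft's tooling. It turns those indicators into a small detection routine: it scans proxy log lines for requests to the listed hosts (rating a hit "high" when the request path also ends in smtp.php) and builds the expected %APPDATA%\mailpv.exe path for a file-existence check. The proxy log lines are constructed samples in an assumed "timestamp source method url status" layout; only the hosts, IP and file name come from the page.

```python
import ntpath
import os
import re

# Indicators taken from the write-up above.
EMOTET_E_HOSTS = {
    "192.232.192.235",
    "bardubar.com",
    "bigbrotherswhitecarsite.eu",
    "likesomthingstrongandculture.eu",
}
DROPPED_FILE = "mailpv.exe"  # dropped into %APPDATA%

# Constructed sample proxy log ("timestamp source method url status"); not real traffic.
SAMPLE_PROXY_LOG = """\
1419400001.123 10.0.0.12 GET http://www.example.com/index.html 200
1419400002.456 10.0.0.12 POST http://bardubar.com///smtp.php 200
1419400003.789 10.0.0.44 POST http://192.232.192.235/upload 200
1419400004.012 10.0.0.44 GET http://cdn.example.net/smtp.php 404
1419400005.345 10.0.0.71 POST http://likesomthingstrongandculture.eu///smtp.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased host part of a URL, or '' if it cannot be parsed."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def find_emotet_beacons(log_text):
    """Return one dict per log line whose destination host is a known Emotet.E server.

    Severity is 'high' when the request path also ends in smtp.php (the
    exfiltration endpoint named in the write-up), otherwise 'medium'.
    A bare smtp.php path on an unlisted host is too generic and is ignored.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = host_of(url)
        if host not in EMOTET_E_HOSTS:
            continue
        severity = "high" if url.lower().endswith("/smtp.php") else "medium"
        hits.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "host": host,
            "url": url,
            "severity": severity,
        })
    return hits


def dropped_file_path(appdata=None):
    """Build the Windows path of the dropped file; appdata defaults to %APPDATA%."""
    base = appdata if appdata is not None else os.environ.get("APPDATA", "")
    return ntpath.join(base, DROPPED_FILE)


def check_dropped_file(appdata=None):
    """True if the dropped hacktool is present under the given (or current) %APPDATA%."""
    return os.path.isfile(dropped_file_path(appdata))


if __name__ == "__main__":
    for hit in find_emotet_beacons(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']}] {hit['src']} -> {hit['host']} ({hit['url']})")
    print("dropped file present:", check_dropped_file())
```

Run on the embedded sample it reports three beacons: two high-severity posts to smtp.php on listed domains and one medium-severity connection to the listed IP; the request to smtp.php on an unlisted host is not flagged. The file check is only meaningful on the Windows host being examined, since it reads the live %APPDATA% variable.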

Last update 24 December 2014
