Win32/Emotet [Threat Name]

Win32/Emotet.BK [Threat Variant Name]

Category trojan
Size 204800 B
Detection created Jun 04, 2018
Detection database version 17498
Aliases Trojan.Emotet (Symantec)
  Trojan-Banker.Win32.Emotet.aqie (Kaspersky)
  Trojan:Win32/Occamy.C (Microsoft)
Short description

Win32/Emotet.BK serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan may create copies of itself using the following filenames:

  • %system%\%variable1%%variable2%.exe
  • %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe

%variable1% and %variable2% are each one of the following strings:

  • account
  • als
  • batch
  • batt
  • bthpan
  • capture
  • cards
  • cmn
  • connect
  • cosine
  • crash
  • ctx
  • defrag
  • extid
  • exts
  • fault
  • fondue
  • genral
  • hyper
  • init
  • iwamreg
  • jit
  • lanes
  • lso
  • markers
  • mci
  • mcr
  • mdmaus
  • mrm
  • mspthrd
  • nevada
  • nla
  • pack
  • pix
  • prxy
  • quota
  • scalar
  • serif
  • shared
  • sharpen
  • shlp
  • shv
  • sls
  • spi
  • square
  • swim
  • sync
  • table
  • tag
  • tcp
  • texture
  • tiny
  • tip
  • tlnt
  • utilman
  • viewer
  • vsgd
  • wait
  • watch
  • wmistr
  • wscapi
  • wsd
  • wwa
  • xinput

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%%variable2%" = "%localappdata%\Microsoft\Windows\%variable1%%variable2%.exe"

The trojan may register itself as a system service using the following name:

  • %variable1%%variable2%

This causes the trojan to be executed on every system start.
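As an added example (not part of the ESET description), a Python check for the persistence artefacts described above: a Run-key value whose name and executable basename are two concatenated words from the list above, pointing into the %localappdata%\Microsoft\Windows or %system% drop location. The word list is the one given above; the directory expansions (AppData\Local\Microsoft\Windows, System32) and the sample Run-key entries are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Word list from the description above: %variable1% and %variable2% are each one of these.
WORDS = (
    "account als batch batt bthpan capture cards cmn connect cosine crash ctx defrag "
    "extid exts fault fondue genral hyper init iwamreg jit lanes lso markers mci mcr "
    "mdmaus mrm mspthrd nevada nla pack pix prxy quota scalar serif shared sharpen shlp "
    "shv sls spi square swim sync table tag tcp texture tiny tip tlnt utilman viewer "
    "vsgd wait watch wmistr wscapi wsd wwa xinput"
).split()

# Exactly two list words back to back, then ".exe". The anchors force the regex engine to
# backtrack, so any valid two-word split of the basename is found.
_ALT = "|".join(map(re.escape, WORDS))
NAME_RE = re.compile(rf"^(?P<w1>{_ALT})(?P<w2>{_ALT})\.exe$", re.IGNORECASE)

# Assumed expansions of the %system% and %localappdata% drop locations (lower-case substrings).
DROP_DIRS = ("\\system32\\", "\\appdata\\local\\microsoft\\windows\\")

def split_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (word1, word2) if filename is <word><word>.exe built from the list, else None."""
    m = NAME_RE.match(filename)
    return (m.group("w1").lower(), m.group("w2").lower()) if m else None

def _exe_path(run_data: str) -> str:
    """Pull the executable path out of Run-key data such as '"C:\\x\\a.exe" /arg'."""
    m = re.match(r'\s*"?(.*?\.exe)"?(?:\s|$)', run_data, re.IGNORECASE)
    return m.group(1) if m else run_data

def suspicious_run_value(name: str, data: str) -> bool:
    """True when the value name equals the two-word basename and the file sits in a drop dir."""
    path = _exe_path(data).lower()
    words = split_name(path.rsplit("\\", 1)[-1])
    if words is None or not any(d in path for d in DROP_DIRS):
        return False
    return name.lower() == "".join(words)

def scan_run_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Names of Run-key values that match the persistence pattern described above."""
    return [name for name, data in entries if suspicious_run_value(name, data)]

# Constructed sample Run-key entries (value name, value data); not real telemetry.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("shlpquota", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shlpquota.exe"),
    ("mcisync", "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\mcisync.exe"),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]
```

Feed it the (name, data) pairs exported from HKCU\...\CurrentVersion\Run; a service whose name is a bare two-word string can be checked the same way by passing `name + ".exe"` to `split_name`.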


After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Emotet.BK is a trojan that steals sensitive information.


The following information is collected:

  • computer name
  • volume serial number
  • operating system version
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 40 IP addresses. The HTTP and HTTPS protocols are used for communication.


The network communication with the remote computer/server is encrypted. The RSA and AES encryption algorithms are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • stop itself for a certain time period

The trojan may delete the following files:

  • %system%\%variable1%%variable2%.exe:Zone.Identifier
  • %localappdata%\Microsoft\Windows\%variable1%%variable2%.exe:Zone.Identifier
