Win32/TrojanProxy.Emotet [Threat Name]
Win32/TrojanProxy.Emotet.B [Threat Variant Name]
Category | trojan
Size | 237568 B
Aliases | Trojan:Win32/Emotet.AU (Microsoft), Trojan.Emotet.678 (Dr.Web), AdWare.Win32.Neoreklami.vho (Kaspersky)
Short description
The trojan serves as a proxy server. The trojan can modify network traffic.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\%filename%.exe
%filename% represents a random string.
The trojan executes the following commands:
- netsh.exe advfirewall firewall delete rule name="Remote Assistance (%number%)"
- netsh advfirewall firewall add rule name="Remote Assistance (%number%)" dir=in action=allow program="%malwarefilepath%" enable=yes
The variable %number% represents a number in the range 0 - 65535.
The first command removes any existing rule of that name; the second adds an inbound allow rule for the trojan's own executable, creating an exception in the Windows Firewall.
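As an added defender-side illustration (not part of this ESET entry), the following Python check runs over constructed process-creation command lines and flags the firewall-rule sequence described above: an inbound allow rule for an executable under a Temp directory, and a delete/add pair sharing a "Remote Assistance (N)" name. The sample command lines and the file path in them are made up.

```python
import re

# Constructed sample process-creation command lines (not real telemetry): the
# first two mimic the delete/add sequence described above with a made-up path,
# the remaining entries are benign noise.
SAMPLE_CMDLINES = [
    r'netsh.exe advfirewall firewall delete rule name="Remote Assistance (41237)"',
    r'netsh advfirewall firewall add rule name="Remote Assistance (41237)" dir=in '
    r'action=allow program="C:\Users\bob\AppData\Local\Temp\qzkdl.exe" enable=yes',
    r'netsh advfirewall firewall add rule name="Backup Agent" dir=in action=allow '
    r'program="C:\Program Files\Backup\agent.exe" enable=yes',
    r'ipconfig /all',
]

# "netsh[.exe] advfirewall firewall add|delete rule", optionally with a path prefix
VERB_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b',
    re.IGNORECASE)
# key=value pairs, where the value may be a "quoted string" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TEMP_DIR_RE = re.compile(r'[\\/]Temp[\\/]', re.IGNORECASE)
RA_NAME_RE = re.compile(r'^Remote Assistance \(\d{1,5}\)$')  # %number% is 0 - 65535

def parse_netsh_rule(cmdline):
    """Return {'verb', 'name', 'program', 'dir', 'action'} for a
    'netsh advfirewall firewall add|delete rule' command line, else None."""
    m = VERB_RE.match(cmdline)
    if not m:
        return None
    kv = {k.lower(): (q if q else u) for k, q, u in KV_RE.findall(cmdline)}
    return {"verb": m.group(1).lower(), "name": kv.get("name", ""),
            "program": kv.get("program", ""), "dir": kv.get("dir", "").lower(),
            "action": kv.get("action", "").lower()}

def find_suspicious_rules(cmdlines):
    """Return (index, reasons) for every 'add rule' that allows inbound traffic to a
    program in a Temp directory; an earlier delete of the same 'Remote Assistance (N)'
    rule name is reported as an additional reason."""
    deleted_names, hits = set(), []
    for i, line in enumerate(cmdlines):
        rule = parse_netsh_rule(line)
        if rule is None:
            continue
        if rule["verb"] == "delete":
            deleted_names.add(rule["name"])
            continue
        reasons = []
        if rule["dir"] == "in" and rule["action"] == "allow" and TEMP_DIR_RE.search(rule["program"]):
            reasons.append("inbound allow rule for a program in a Temp directory")
        if RA_NAME_RE.match(rule["name"]) and rule["name"] in deleted_names:
            reasons.append("delete/add pair sharing a 'Remote Assistance (N)' rule name")
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, reasons in find_suspicious_rules(SAMPLE_CMDLINES):
        print(idx, SAMPLE_CMDLINES[idx], reasons)
```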
Information stealing
Win32/TrojanProxy.Emotet.B is a trojan that steals sensitive information.
The trojan collects the following information:
- computer name
- volume serial number
- network parameters
The trojan can send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 5 URLs. Network communication with the remote computer/server is encrypted.
The trojan serves as a proxy server.
The trojan can modify network traffic. The TCP and HTTP protocols are used in the communication.