Win32/TrojanProxy.Emotet [Threat Name] go to Threat

Win32/TrojanProxy.Emotet.B [Threat Variant Name]

Category trojan
Size 237568 B
Aliases Trojan:Win32/Emotet.AU (Microsoft)
  Trojan.Emotet.678 (Dr.Web)
  AdWare.Win32.Neoreklami.vho (Kaspersky)
Short description

The trojan serves as a proxy server. The trojan can modify network traffic.


When executed, the trojan copies itself into the following location:

  • %temp%\­%filename%.exe

%filename% represents a random text.

The trojan executes the following commands:

  • netsh.exe advfirewall firewall delete rule name="Remote Assistance (%number%)"
  • netsh advfirewall firewall add rule name="Remote Assistance (%number%)" dir=in action=allow program="%malwarefilepath%" enable=yes

The variable %number% represents a number in the range 0 - 65535 .

The performed command creates an exception in the Windows Firewall.

Information stealing

Win32/TrojanProxy.Emotet.B is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • volume serial number
  • network parameters

The trojan can send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The network communication with remote computer/server is encrypted.

The trojan serves as a proxy server.

The trojan can modify network traffic. The TCP, HTTP protocol is used in the communication.

Please enable Javascript to ensure correct displaying of this content and refresh this page.