arrow_back
search
close

TrojanSpy.Win64.EMOTET.YJCFI

June 11, 2022
 ALIASES:

Trojan:Win64/Emotet.BD!MTB (MICROSOFT)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

594,432 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

09 Jun 2022

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

  • %System%\{random}
  • %AppDataLocal%\{random}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

  • %System%\{random}\{random characters}.{3 random characters}
  • %AppDataLocal%\{random}\{random characters}.{3 random characters}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"
  • %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\{File name of dropped file}
ImagePath = %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{File name of dropped file} = %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

Other Details

This Trojan Spy connects to the following possibly malicious URL:

  • http://{BLOCKED}.180.241.186:8080
  • http://{BLOCKED}.95.66.124:8080
  • http://{BLOCKED}.56.131.28:8080
  • http://{BLOCKED}.68.99.3:8080
  • http://{BLOCKED}.100.24.231:80
  • http://{BLOCKED}.165.152.127:8080
  • http://{BLOCKED}.68.227.76:8080
  • http://{BLOCKED}.254.140.238:7080
  • http://{BLOCKED}.189.28.199:8080
  • http://{BLOCKED}.9.116.246:8080
  • http://{BLOCKED}.44.196.120:8080
  • http://{BLOCKED}.235.8.30:8080
  • http://{BLOCKED}.50.0.91:8080
  • http://{BLOCKED}.207.28.33:8080
  • http://{BLOCKED}.23.45.86:4143
  • http://{BLOCKED}.172.253.162:8080
  • http://{BLOCKED}.65.88.10:8080
  • http://{BLOCKED}.137.35.198:8080
  • http://{BLOCKED}.234.21.73:7080
  • http://{BLOCKED}.24.98.99:8080
  • http://{BLOCKED}.234.2.232:8080
  • http://{BLOCKED}.111.227.137:8080
  • http://{BLOCKED}.15.201.15:8080
  • http://{BLOCKED}.4.135.165:8080
  • http://{BLOCKED}.126.146.25:7080
  • http://{BLOCKED}.104.251.154:8080
  • http://{BLOCKED}.242.150.244:8080
  • http://{BLOCKED}.118.115.99:8080
  • http://{BLOCKED}.91.76.89:8080
  • http://{BLOCKED}.212.193.249:8080
  • http://{BLOCKED}.126.98.206:8080
  • http://{BLOCKED}.193.124.41:7080
  • http://{BLOCKED}.232.117.186:8080
  • http://{BLOCKED}.16.142.56:8080
  • http://{BLOCKED}.223.21.224:8080
  • http://{BLOCKED}.132.242.26:8080
  • http://{BLOCKED}.70.28.102:8080
  • http://{BLOCKED}.122.66.193:8080
  • http://{BLOCKED}.187.115.122:8080
  • http://{BLOCKED}.106.112.196:8080
  • http://{BLOCKED}.170.39.149:8080
  • https://{BLOCKED}.73.252.195:443
  • https://{BLOCKED}.89.202.34:443
  • https://{BLOCKED}.69.222.101:443
  • https://{BLOCKED}.94.166.162:443
  • https://{BLOCKED}.194.240.217:443
  • https://{BLOCKED}.97.163.214:443
  • https://{BLOCKED}.241.20.155:443
  • https://{BLOCKED}.114.109.124:443
  • https://{BLOCKED}.218.30.83:443
  • https://{BLOCKED}.65.140.115:443
  • https://{BLOCKED}.232.188.93:443
  • https://{BLOCKED}.59.226.45:443
  • https://{BLOCKED}.55.222.11:443
  • https://{BLOCKED}.75.201.2:443
  • https://{BLOCKED}.176.232.124:443
  • https://{BLOCKED}.43.75.120:443
  • https://{BLOCKED}.44.20.25:443

It deletes the initially executed copy of itself.