TrojanSpy.Win64.EMOTET.FCA

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Ordner hinzu:

• %System%\{random}
• %AppDataLocal%\{random}

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Schleust die folgenden Dateien ein und führt sie aus:

• %System%\{random}\{random characters}.dll
• %AppDataLocal%\{random}\{random characters}.dll

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

• %System%\regsvr32.exe "%System%\{random}\{random characters}.dll"
• %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.dll"

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Andere Details

It connects to the following possibly malicious URL:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.146:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.93:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.124:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.120:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.198:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.27:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.56:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.3:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.162:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.152:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.25:7080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.25:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.76:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.154:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.28:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.149:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.5:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.244:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.199:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.50:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.166:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.2:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.186:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.86:4143
• {BLOCKED}.{BLOCKED}.{BLOCKED}.30:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.91:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.47:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.31:7080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.56:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.88:80
• {BLOCKED}.{BLOCKED}.{BLOCKED}.165:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.65:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.143:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.33:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.15:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.137:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.26:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.10:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.249:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.224:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.75:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.120:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.162:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.232:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.34:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.217:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.165:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.41:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.3:8080