TrojanSpy.Win64.EMOTET.FCA

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

• %System%\{random}
• %AppDataLocal%\{random}

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Infiltra y ejecuta los archivos siguientes:

• %System%\{random}\{random characters}.dll
• %AppDataLocal%\{random}\{random characters}.dll

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Agrega los procesos siguientes:

• %System%\regsvr32.exe "%System%\{random}\{random characters}.dll"
• %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.dll"

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Otros detalles

It connects to the following possibly malicious URL:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.146:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.93:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.124:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.120:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.198:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.27:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.56:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.3:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.162:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.152:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.25:7080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.25:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.76:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.154:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.28:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.149:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.5:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.244:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.199:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.50:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.166:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.2:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.186:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.86:4143
• {BLOCKED}.{BLOCKED}.{BLOCKED}.30:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.91:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.47:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.31:7080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.56:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.88:80
• {BLOCKED}.{BLOCKED}.{BLOCKED}.165:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.65:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.143:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.33:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.15:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.137:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.26:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.10:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.249:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.224:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.75:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.120:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.162:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.232:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.34:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.217:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.165:8080
• {BLOCKED}.{BLOCKED}.{BLOCKED}.41:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.3:8080