Analysis by: Jay Garcia
ALIASES:

Trojan-Downloader.VBA.Emotet (Ikarus); TrojanDownloader:O97M/Emotet.SP!MTB (Microsoft)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size: 67,835 bytes
File Type: DOC
Memory Resident: No
Initial Samples Received Date: 11 Dec 2019

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

  • powershell -w hidden -en {Base-64 encoded command}

Download Routine

This Trojan saves the files it downloads using the following names:

  • %User Profile%\234.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan connects to the following possibly malicious URL:

  • https://{BLOCKED}uncan.com/wp-content/cd4h1z276/
  • http://{BLOCKED}mach.net.vn/img/0675gy55/
  • http://{BLOCKED}alistassm.com.mx/inoxl28kgldf/vk1vas2/
  • http://{BLOCKED}hodosabor.com.br/site/1m6636/
  • http://{BLOCKED}gaming.in/images/8au539/

However, as of this writing, the said sites are inaccessible.