Trojan:Win32/Emotet.C


Microsoft security software detects and removes this threat.

This threat can collect your sensitive information and send it to a malicious hacker.

It can be installed on your PC when you open a malicious spam email attachment.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat usually arrives on your PC as a .zip or .exe file attached to a spam email. We have seen the attachment use the following file names:

  • 2014_11Details_zur_Transaktion_pdf.zip
  • 2014_11rechnung_K4768955881.zip
  • 2014_11rechnung_4768955881.zip
  • 2014_11rechnung_pdf_vodafone.zip

The malware creates a copy of itself as %APPDATA%\Identities\<random filename>.exe, for example %APPDATA%\Identities\hrwkrqii.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random filename>.exe", for example "hrwkrqii.exe"
With data: "%APPDATA%\Identities\<random filename>.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"
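The persistence entry above is a concrete, checkable indicator. The following is an added example (not Microsoft's code) that scores HKCU Run values against the %APPDATA%\Identities\<random filename>.exe pattern; the 6-to-12-letter lower-case name heuristic and the benign sample entries are assumptions, and reading the live key only works on Windows.

```python
import re

# Pattern from the write-up: data points to %APPDATA%\Identities\<name>.exe.
# Both the literal %APPDATA% form and an expanded ...\AppData\Roaming path are accepted.
IDENTITIES_EXE = re.compile(
    r"^(?:.*\\AppData\\Roaming|%APPDATA%)\\Identities\\([^\\]+\.exe)$", re.IGNORECASE)
# Assumption: observed names (e.g. hrwkrqii.exe) are short runs of lower-case letters.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.exe$")

def suspicious_run_entries(run_values):
    """run_values: dict mapping Run value name -> data string.
    Returns (value_name, data, reason) for entries matching the Emotet.C pattern."""
    hits = []
    for name, data in run_values.items():
        exe = data.strip().strip('"')
        m = IDENTITIES_EXE.match(exe)
        if not m:
            continue
        reasons = ["data points into %APPDATA%\\Identities"]
        if RANDOM_NAME.match(m.group(1)):
            reasons.append("random-looking lowercase file name")
        if name.lower() == m.group(1).lower():
            reasons.append("value name equals file name")
        hits.append((name, data, "; ".join(reasons)))
    return hits

def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values

# Constructed sample: the entry from the write-up plus two benign look-alikes.
SAMPLE_RUN = {
    "hrwkrqii.exe": r"%APPDATA%\Identities\hrwkrqii.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Identities": r"C:\Program Files\Identities\launcher.exe",
}

if __name__ == "__main__":
    for hit in suspicious_run_entries(read_hkcu_run() or SAMPLE_RUN):
        print(hit)
```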


Payload

Injects code into running processes

This trojan injects code into explorer.exe to add persistence and hide its running process. It can also inject its code into other running processes.

Collects your sensitive information

This threat can collect your sensitive information, including your:

  • PC name
  • Location
  • Operating system version

Contacts a remote host

This threat generates a random 16-letter domain name and appends ".eu" as the top-level domain. Some examples of the domains we have seen include:

It then tries to connect to the generated domain and waits for a reply from a malicious hacker. Commonly, malware does this to:

  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
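The 16-letter ".eu" shape described above is easy to hunt for in DNS query logs. This is an added example (not Microsoft's code) that flags queries matching that shape and alerts only when one client queries several distinct such names, since a single 16-letter .eu label can be legitimate; the log line format, the threshold and the client addresses are assumptions, and the log is constructed from names quoted in the write-up plus a benign 16-letter label.

```python
import re
from collections import defaultdict

# Pattern from the write-up: a random 16-letter label directly under .eu.
DGA_16_EU = re.compile(r"^[a-z]{16}\.eu\.?$", re.IGNORECASE)

# Assumed record layout: "<timestamp> <client> query <name>".
LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

# Constructed sample log (not real traffic); internetsecurity.eu stands in for a
# legitimate 16-letter label that the shape check alone would also match.
SAMPLE_DNS_LOG = """\
2014-11-13T09:01:02Z 10.0.0.12 query eaivsiosvxvudixc.eu
2014-11-13T09:01:02Z 10.0.0.12 query www.microsoft.com
2014-11-13T09:01:05Z 10.0.0.12 query edsryxnxmqbebfpo.eu
2014-11-13T09:01:09Z 10.0.0.12 query ehbrejoktmkkjbsc.eu
2014-11-13T09:01:11Z 10.0.0.12 query bundesregierung.eu
2014-11-13T09:02:40Z 10.0.0.37 query eklnkynpkfpgtkwb.eu
2014-11-13T09:02:41Z 10.0.0.37 query internetsecurity.eu
"""

def dga_candidates(log_text):
    """Yield (timestamp, client, name) for every query matching the 16-letter .eu shape."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, name = m.groups()
        if DGA_16_EU.match(name):
            yield ts, client, name.lower().rstrip(".")

def clients_over_threshold(log_text, min_hits=3):
    """Return {client: sorted names} for clients that queried at least
    min_hits distinct 16-letter .eu names; a burst of distinct candidates
    from one host is the DGA signature, one hit on its own is not."""
    per_client = defaultdict(set)
    for _, client, name in dga_candidates(log_text):
        per_client[client].add(name)
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= min_hits}

if __name__ == "__main__":
    for client, names in clients_over_threshold(SAMPLE_DNS_LOG).items():
        print(client, names)
```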

Analysis by James Dee


Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random filename>.exe", for example "hrwkrqii.exe"
    With data: "%APPDATA%\Identities\<random filename>.exe", for example "%APPDATA%\Identities\hrwkrqii.exe"

Prevention


Alert level: Severe
First detected by definition: 1.179.2109.0
Latest detected by definition: 1.203.1578.0 and higher
First detected on: Aug 04, 2014
This entry was first published on: Aug 04, 2014
This entry was updated on: Nov 13, 2014

This threat is also detected as:
  • W32/Trojan.IQPF-5025 (Command)
  • TR/Agent.286208.83 (Avira)
  • W32/Emotet.AA!tr (Fortinet)
  • TROJ_EMOTET.VJB (Trend Micro)