Troj/Emotet-DH

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports
Protection available since: 11 Aug 2017 13:39:20 (GMT)
Last Updated: 11 Aug 2017 13:39:20 (GMT)


Examples of Troj/Emotet-DH include:

Example 1

File Information

Size: 132K
SHA-1: 36d9183f5df9b205a653884faaab1d348f200b83
MD5: 33e65fe1cc7e0e5038a677775a6d9201
CRC-32: a45e0a75
File type: PK ZIP archive
First seen: 2017-08-11

Example 2

File Information

Size: 249K
SHA-1: 481563490c72f273be0e7aa7e62e240c889a1e06
MD5: ff5498eb451fdcf82f2378140ef4d180
CRC-32: bf2821c2
File type: Windows executable
First seen: 2017-08-11

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\system32\cryptcert.exe
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\cryptcert\Security
    Security
    (binary value; not rendered legibly in the source)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; not rendered legibly in the source)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    DefaultConnectionSettings
    (binary value; not rendered legibly in the source)
  • HKLM\SYSTEM\CurrentControlSet\Services\cryptcert
    Description
    Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
  • HKLM\SYSTEM\CurrentControlSet\Services\cryptcert\Enum
    NextInstance
    0x00000001
Registry Keys Modified
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Processes Created
  • c:\windows\system32\cryptcert.exe
IP Connections
  • 5.196.73.150:443
  • 77.73.1.167:8080
