1. Moves itself to its preferred directory
2. Creates a LNK file pointing to itself in the start-up folder
3. Collects victim machine information and sends it to the C&C server
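The start-up-folder LNK described in step 2 is something a defender can audit directly. The following PowerShell script is an added example, not code from the original page or from any vendor: it walks both Windows Startup folders, resolves every shortcut's target through the WScript.Shell COM object, and flags targets that are unsigned or live under a user-writable profile directory. The "preferred directory" is not named on this page, so treating user-writable locations as suspicious is this example's own assumption, as is the use of an Authenticode check as a second signal.

```powershell
# Added example (not from the original page): audit Startup-folder shortcuts
# and resolve where each one points. Run in an ordinary (non-elevated) session;
# it only reads files and never modifies anything.
# Assumptions: WScript.Shell COM is available (standard on Windows), and a
# shortcut whose target lives under a user-writable profile directory deserves
# a closer look. The page does not name Emotet's "preferred directory".

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories an administratively installed program rarely runs from.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File) {
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)

        # Does the target sit under a location the user can write to?
        $inUserDir = $false
        foreach ($base in $userWritable) {
            if ($target -like "$base\*") { $inUserDir = $true; break }
        }

        # Authenticode status of the target file, if it exists on disk.
        $sigStatus = 'n/a'
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $target).Status
        }

        [pscustomobject]@{
            Shortcut   = $file.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Signature  = $sigStatus     # Valid, NotSigned, HashMismatch, ... or n/a
            Suspicious = $inUserDir -or ($sigStatus -ne 'Valid')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate entries (OneDrive, vendor updaters) will also show up under a user profile, so the Suspicious column is a triage aid rather than a verdict; compare the target path and arguments against what the software is expected to install.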
It can then download any new payloads from the C&C server, and execute them. Emotet can download an updated version of itself, or any other threat. Existing versions of Emotet download modules from the C&C server that include:
1. Banking module: This module intercepts network traffic from the browser to steal banking details entered by the user.
2. Email client infostealer module: This module steals email credentials from email client software.
3. Browser infostealer module: This module steals information such as browsing history and saved passwords.
4. PST infostealer module: This module reads through Outlook’s message archives and extracts the sender names and email addresses.
Due to the way Emotet spreads through a company’s network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. Therefore, IT teams need to isolate, patch, and remediate each infected system one-by-one. Cleaning an affected network is a procedure that can take a long time—sometimes even months—depending on the number of machines involved.
Administrators need to disable Admin$ access and change all local and administrator passwords.
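As an added example of the Admin$ step above (not code from the original page or from any vendor), the PowerShell below reports the automatic administrative shares on a host, stops the Server service from re-creating them at the next restart, and removes the ones that are live now. It goes slightly beyond the page by also removing the C$ drive share, which the same registry setting governs. It assumes an elevated session on Windows 8 / Server 2012 or later (for the SmbShare cmdlets) and a workstation; on Windows Server the registry value is AutoShareServer rather than AutoShareWks.

```powershell
# Added example (not from the original page): disable the automatic
# administrative shares and confirm the result. Run elevated.
# Assumption: workstation OS; set $valueName = 'AutoShareServer' on Windows Server.

$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'AutoShareWks'
$adminShares = @('ADMIN$', 'C$')

# 1. Show what is currently exposed.
Get-SmbShare | Where-Object { $_.Name -in $adminShares } |
    Select-Object Name, Path, Description | Format-Table -AutoSize

# 2. Keep the Server service from re-creating the shares at every restart.
#    A DWORD value of 0 disables automatic creation.
New-ItemProperty -Path $params -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Remove the shares that exist right now; without this they would remain
#    until the next reboot. IPC$ is deliberately left alone: it cannot be
#    removed and is required for ordinary named-pipe traffic.
foreach ($name in $adminShares) {
    if (Get-SmbShare -Name $name -ErrorAction SilentlyContinue) {
        Remove-SmbShare -Name $name -Force
    }
}

# 4. Confirm both the live state and the persistent setting.
$remaining = Get-SmbShare | Where-Object { $_.Name -in $adminShares }
$setting   = (Get-ItemProperty -Path $params -Name $valueName).$valueName
if ($remaining -or $setting -ne 0) {
    Write-Warning ('Administrative shares still present or {0} is not 0' -f $valueName)
} else {
    Write-Output ('ADMIN$ and C$ removed; {0}=0 keeps them off after reboot' -f $valueName)
}
```

Remote-administration and software-deployment tools often rely on these shares, so apply the change host by host during remediation and confirm that patching and inventory tooling still works before rolling it out more widely. The password rotation the page calls for should follow immediately, since credentials already harvested on one machine are what make Admin$ useful to the malware on the next.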
Max Total Security can detect and remove this Trojan.