Trojan.Emotet.Generic is Malwarebytes’ generic detection name for a banking Trojan that can steal data, such as user credentials stored on the browser, by eavesdropping on network traffic. Due to its effective combination of persistence and network propagation, Trojan.Emotet.Generic is often used as a downloader for other malware, and is an especially popular delivery mechanism for banking Trojans, such as Qakbot and TrickBot.
Trojan.Emotet.Generic is commonly spread by email, using infected attachments, as well as embedded URLs. These emails may appear to come from trusted sources, as Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.
Once Trojan.Emotet.Generic has infected a networked machine, it propagates by enumerating network resources, writing to shared drives, and brute-forcing user accounts. Infected machines attempt to spread Emotet laterally by brute-forcing domain credentials, and externally via the built-in spam module. As a result, the Emotet botnet is quite active and responsible for much of the malspam we encounter.
Trojan.Emotet.Generic is changed regularly, and therefore hard to detect by signatures.
Due to the way Emotet spreads through a company’s network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. Therefore, IT teams need to isolate, patch, and remediate each infected system one-by-one. Cleaning an affected network is a procedure that can take a long time—sometimes even months—depending on the number of machines involved.
Business and home users already using Malwarebytes are protected from Trojan.Emotet.Generic via our anti-exploit technology:
Malwarebytes users are also protected from Emotet via our real-time protection module:
Malwarebytes can detect and remove Trojan.Emotet.Generic on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:
Identifying the infected machines
If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs). Besides verifying an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network. Refer to the Farbar Recovery Scan Tool instructions for details on how to install and run an FRST scan.
Search the FRST.txt file for the following IOCs:
Disabling Administrative Shares
Windows servers by default create hidden share folders specifically for administrative access to other machines. Emotet uses the Admin$ shares once it has brute-forced the local administrator password. A file share server has an IPC$ share that Emotet queries to get a list of all endpoints that connect to it. These administrative shares (Admin$ and IPC$) are normally protected by UAC; however, Windows lets the local administrator through with no prompt.
The most recent Emotet variants use C$ with the Admin credentials to move around and re-infect all the other endpoints.
Repeated re-infections indicate that the worm was able to guess or brute-force the administrator password. Change all local and domain administrator passwords.
It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set to disable the shares.
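As an added example (not part of the Malwarebytes page), the following PowerShell audits and disables the automatically created administrative shares on an endpoint through the standard LanmanServer registry value, creating the parameters key if it is absent as the text describes; it assumes an elevated session and the built-in SmbShare module.

```powershell
# Added example, not from the Malwarebytes page: audit and disable the
# automatic administrative shares (Admin$, C$, D$ ...) that Emotet abuses
# for lateral movement. Run in an elevated PowerShell session per endpoint.
# The key and value names are the standard Windows ones for the Server service.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Workstations honour AutoShareWks; servers and domain controllers honour AutoShareServer.
$ProductType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$ValueName   = if ($ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

# Show which special (administrative) shares currently exist.
Write-Host 'Administrative shares currently present:'
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path | Format-Table -AutoSize

# Create the parameters key if it is missing (the page notes it may be absent).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Absent or 1 means the shares are recreated each time the Server service starts.
$Current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $Current) { Write-Host "$ValueName not set (default: shares enabled)" }
else                    { Write-Host "$ValueName currently = $Current" }

# 0 stops Admin$ and the drive-letter shares from being created on restart.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

# Remove the shares that already exist so the change applies before the next reboot.
# IPC$ is left alone: it cannot be disabled this way and is required for named-pipe access.
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# Confirm the registry value and the remaining special shares.
Get-ItemProperty -Path $KeyPath -Name $ValueName | Select-Object $ValueName
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name
```

Disabling these shares also removes them for legitimate remote administration tools that depend on Admin$ or C$, so confirm your management tooling still works before rolling the change out network-wide.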
To remove the Emotet Trojan using Malwarebytes business products, follow the instructions below.
If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Emotet with our Breach Remediation tool (MBBR).
For detailed instructions on how to remediate this infection using MBBR or Malwarebytes Endpoint Security (MBES), please have a look at our support document on how to protect your network from Emotet Trojan.
Malwarebytes can detect and remove Trojan.Emotet.Generic on home machines without further user interaction.
On consumer systems that have been infected, you can follow these steps:
It is recommended to change all passwords that could have been stolen from the affected system.