These emails are presented as invoices, notifications, account reports, invitations, and even as warnings about the coronavirus. The goal is to confuse the recipient and trick them into opening the attachment.
Emotet usually downloads and installs the banking trojan TrickBot, which steals stored credentials, cookies, browser history, SSH keys, and more. It also tries to infect other computers on the same network.
EmoCheck: The tool for detecting Emotet
The folder name is only semi-random: rather than a string of random characters, it is built by concatenating two keywords from the following list:
duck, mfidl, targets, ptr, khmer, purge, metrics, acc, inet, msra, symbol, driver, sidebar, restore, msg, volume, cards, shext, query, roam, etw, mexico, basic, url, createa, blb, pal, cors, send, devices, radio, bid, format, thrd, taskmgr, timeout, vmd, ctl, bta, shlp, avi, exce, dbt, pfx, rtp, edge, mult, clr, wmistr, ellipse, vol, cyan, ses, guid, wce, wmp, dvb, elem, channel, space, digital, pdeft, violet, thunk
As shown below, Emotet was installed in a folder named 'symbolguid', the concatenation of two words from the list (symbol + guid).
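The naming scheme above is simple enough to check for yourself. The following is an added example, not code from the original article or from JPCERT/CC's EmoCheck: it takes a folder or process name, lowercases it, and asks whether it can be split into exactly two words from the list. It runs the check over a constructed set of sample names and, on Windows, over the top-level folders under %LOCALAPPDATA%, where the page says Emotet was installed. It only covers the two-word pattern described here (later Emotet builds changed their naming), and because some legitimate names can happen to be two dictionary words joined, every hit needs manual review before you act on it.

```python
from __future__ import annotations

import os
import sys
from typing import Iterable, Optional

# Keyword list from which Emotet built its two-word names (as given on this page).
EMOTET_WORDS = """duck mfidl targets ptr khmer purge metrics acc inet msra symbol driver
sidebar restore msg volume cards shext query roam etw mexico basic url createa blb pal cors
send devices radio bid format thrd taskmgr timeout vmd ctl bta shlp avi exce dbt pfx rtp
edge mult clr wmistr ellipse vol cyan ses guid wce wmp dvb elem channel space digital
pdeft violet thunk""".split()

_WORD_SET = frozenset(EMOTET_WORDS)


def split_emotet_name(name: str) -> Optional[tuple[str, str]]:
    """Return (word1, word2) if `name` is exactly two list words joined together, else None.

    A single list word on its own ("duck") does not match: the scheme always uses two.
    """
    name = name.lower()
    for i in range(1, len(name)):
        head, tail = name[:i], name[i:]
        if head in _WORD_SET and tail in _WORD_SET:
            return (head, tail)
    return None


def flag_names(names: Iterable[str]) -> dict[str, tuple[str, str]]:
    """Map every name that matches the two-word pattern to its (word1, word2) split."""
    return {n: split for n in names if (split := split_emotet_name(n)) is not None}


def find_suspicious_dirs(root: str) -> list[str]:
    """List immediate sub-folders of `root` whose names match the two-word pattern."""
    hits: list[str] = []
    try:
        entries = os.listdir(root)
    except OSError:
        return hits  # missing or unreadable root: nothing to report
    for entry in entries:
        full = os.path.join(root, entry)
        if os.path.isdir(full) and split_emotet_name(entry) is not None:
            hits.append(full)
    return hits


# Constructed sample folder names for the offline demonstration (not real data).
SAMPLE_NAMES = [
    "symbolguid",    # the example from the article: symbol + guid
    "Microsoft",     # ordinary vendor folder, no match
    "Temp",
    "volcyan",       # vol + cyan
    "msgdriver",     # msg + driver
    "duck",          # a single list word is not enough
    "Google",
    "ellipsethunk",  # ellipse + thunk
]

if __name__ == "__main__":
    print("Sample names matching the Emotet two-word pattern:")
    for name, (w1, w2) in flag_names(SAMPLE_NAMES).items():
        print(f"  {name}  ->  {w1} + {w2}")

    # Live check of the folder the article says Emotet was installed under (Windows only).
    local_appdata = os.environ.get("LOCALAPPDATA")
    if sys.platform == "win32" and local_appdata:
        hits = find_suspicious_dirs(local_appdata)
        print(f"\nFolders under {local_appdata} to review manually: {hits or 'none'}")
```

Run it as-is for the offline demonstration; on a Windows host it additionally prints any matching folders under %LOCALAPPDATA%. Treat its output as a lead for investigation, not as a verdict.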
To check whether you are infected with Emotet, download the EmoCheck tool from JPCERT/CC's GitHub repository.
After downloading, extract the zip file and double-click emocheck_x64.exe (64-bit version) or emocheck_x86.exe (32-bit version), matching the architecture of your Windows installation.
Once started, EmoCheck scans the system. If it determines that the computer is infected with Emotet, it notifies you and also reports the location of the malicious file.
This information is also written to a log file at [path of emocheck.exe]\yyyymmddhhmmss_emocheck.txt.
If EmoCheck reports an infection, open Task Manager immediately and terminate the process it names. Killing the process does not clean the machine, however: the executable and whatever persistence mechanism launched it are still in place, and any credentials stored on the host should be treated as compromised. Conversely, a clean result only means that EmoCheck found nothing matching the patterns it knows; it is not proof that the machine is free of Emotet.