How to Check if Emotet Malware Has Infected My PC

In this tutorial we are going to learn how to detect whether your PC is infected with the Emotet malware. First we will explain how this malicious software works. Next we will look at the Emocheck tool used to detect it, and we will also give a series of recommendations to avoid this malware infecting our PC.

We will start by getting to know this malware better: its history and how it usually acts. Emotet is a banking Trojan that specializes in infiltrating victims' computers to steal their financial information.


Emotet Malware, History and Operation

The security company Malwarebytes is one of those that knows this malware best, and it also provides disinfection tools. Emotet was first detected in 2014, so it already has a long history; to this day it continues to infect computers and has gone through several versions.

The first version of this malicious software was designed to steal our bank account data by intercepting Internet traffic. It did not take long to evolve, and a new version soon appeared. We could classify this as Emotet v2.0, and it came packaged with several modules for:

  1. Money transfers.
  2. Sending spam.
  3. Another banking malware targeting German and Austrian banks.

In January 2015 the third version appeared, containing hidden modifications designed to keep the malware off the radar of security software, and adding Swiss banks as new targets.

Emotet Trojan

Emotet continued its rapid advance, and in 2018 it was noticeably improved. At that point the ability to install other malware on infected computers was added, including other banking Trojans or spam delivery services.

As for how it works, Emotet is a Trojan that spreads mainly through spam emails. Emotet emails may contain brand-name images designed to make them look like legitimate email.

This malicious software uses a number of tricks to try to avoid detection and analysis. In particular, Emotet is polymorphic, meaning it can change itself each time it is downloaded and so evade signature-based detection.

To date, those affected have been individuals, companies and government entities in the United States and Europe. It has also managed to steal bank records, financial data and bitcoin wallets. In short, this malware can affect us all, which is why in this tutorial we will explain how to know whether our PC is infected with Emotet.

Emotet malware campaign and tips to avoid it

The INCIBE (National Institute of Cybersecurity) has detected an Emotet malware campaign. The risk level of the threat can be considered high.

Depending on the version of the malware with which the computer is infected, it could affect us in the following ways:

  • With a ransomware infection.
  • Stealing our bank details, user names and passwords or email address book.

Emotet generally spreads via fraudulent emails whose purpose is to get us to download and install a malicious attachment. We can also get infected by clicking a link from an unknown source that ends up downloading it.

Therefore, to avoid possible infections from Emotet and other types of malware, it is recommended:

  • Do not open e-mail from unknown senders or that we have not requested.
  • Review links before clicking them, even if they come from our contacts.
  • Be careful with attachments and never open them unless you are sure you need them and that the sender is trustworthy. Scanning them with the antivirus first does not hurt either.
  • Keep the operating system and antivirus updated.

How to use Emocheck to detect Emotet

Now it is time to check whether our PC is infected with Emotet. For this task we will use the Emocheck tool. The first thing to do is go to the GitHub page of the Emocheck project. When we access it, we will see the following information:

As you can see, the latest version available is v1.0. If we explore the page, we see that there were previously two other versions, v.001 and v.002. In this case I am going to show you how to detect whether the PC is infected with Emotet using Emocheck v1.0. Should new versions be released later, it is advisable to always use the latest one, because new Emotet variants could appear that only versions newer than v1.0 will detect.

The second thing we have to do is download Emocheck to our computer. There are two files we can download:

  1. emocheck_v1.0_x64.exe.
  2. emocheck_v1.0_x86.exe.

Which file to choose depends on the Windows operating system we have. With a 64-bit operating system we choose the executable ending in x64; with a 32-bit operating system we download the exe file ending in x86. In our case the operating system is Windows 10 64-bit. Currently most people have one of this type; to check, just go to the "Control Panel / System" section.

Therefore, in our case we downloaded the file "emocheck_v1.0_x64". Once saved on the computer, we ran it by double-clicking on it. We then get a screen like this:

Emocheck

Now it is time to find out whether our PC is infected with Emotet. The tool asks us to press any key to continue. Doing so runs the program, and when it finishes the window closes. The best way to see the results is to open the .txt file it generates.

If you look at the screen above, it mentions a report generated in the file DESKTOP-0ISTM6G_20200826203704_emocheck.txt. We then go to the location where we saved emocheck_v1.0_x64 and find that the .txt file mentioned above is there. Opening it shows the following information:

Emocheck

Here, as you can see, the Emotet malware has not been detected.

Another way to detect Emotet and how to remove it

An additional way to check whether our PC is infected with Emotet is to inspect the services. The easiest way to get there is the key combination CTRL + SHIFT + ESC. The Task Manager will appear, and we click on the Services tab.

Now it is time to look for strange services, but since I am not infected, nothing strange can be seen. However, thanks to the security company Sophos, I can show you an example in which anomalous services can be seen.

If we find services with random numbers in their names, it may be an indication that the PC is infected with Emotet or other malicious software. The best thing to do at that point is to disconnect the PC from the Internet and immediately run an antivirus/antimalware scan. As for the best way to protect ourselves, it is the use of antivirus and antimalware programs.
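The two checks described above (running Emocheck and reading its report, then looking through the service list for random-looking names) can be done from one PowerShell script. This is an added example, not code from the article or from the Emocheck project; it assumes the emocheck_v1.0_x64.exe / emocheck_v1.0_x86.exe files are already downloaded into the folder given as -EmocheckDir, and the "random-looking name" rules are my own heuristic, not an Emotet signature.

```powershell
# Added example: run the matching Emocheck build, show its report, then flag
# services whose names look randomly generated. Assumes the Emocheck binaries
# were already downloaded into -EmocheckDir (default: current folder).
param(
    [string]$EmocheckDir = (Get-Location).Path
)

# 1. Pick the build that matches the OS bitness (the article uses 64-bit Windows 10).
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$exe  = Join-Path $EmocheckDir "emocheck_v1.0_$arch.exe"
if (-not (Test-Path $exe)) { throw "Emocheck binary not found: $exe" }

# 2. Run it and wait. The tool asks for a key press in its own console window and
#    then writes <hostname>_<timestamp>_emocheck.txt next to the executable.
Start-Process -FilePath $exe -WorkingDirectory $EmocheckDir -Wait
$report = Get-ChildItem -Path $EmocheckDir -Filter '*_emocheck.txt' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($report) {
    Write-Host "=== Emocheck report: $($report.Name) ==="
    Get-Content $report.FullName
} else {
    Write-Warning 'No *_emocheck.txt report was written.'
}

# 3. Second check from the article: services with random-looking names.
#    Heuristic (an assumption): all digits, a run of 5+ digits, or a long
#    lowercase name with no vowels. Hits need manual review; some legitimate
#    services carry version numbers and will show up here too.
function Test-RandomLookingName {
    param([string]$Name)
    if ($Name -match '^\d+$')  { return $true }
    if ($Name -match '\d{5,}') { return $true }
    if ($Name -match '^[a-z]{8,}$' -and $Name -notmatch '[aeiou]') { return $true }
    return $false
}

Write-Host '=== Services with random-looking names (review manually) ==='
Get-CimInstance Win32_Service |
    Where-Object { Test-RandomLookingName $_.Name } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize
```

When reviewing hits, the PathName column is the useful one: a service whose binary lives outside the usual Windows folders deserves a closer look before you decide it is a false positive.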

The minimum recommended is at least an antivirus, even a free one, and our common sense is also an important tool. With this formula we have a good chance of preventing our PC from being infected with Emotet.