{ "id": "ea885198-38c6-470d-8193-69aebd41fd17", "created_at": "2026-04-06T00:20:16.52881Z", "updated_at": "2026-04-10T03:20:32.379583Z", "deleted_at": null, "sha1_hash": "04fc658289318e68bbfaa83c54a5ce5cb7b41bd6", "title": "Emotet Unpacking:", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1446051, "plain_text": "Emotet Unpacking:\r\nBy Ilan Duhin\r\nPublished: 2023-01-26 · Archived: 2026-04-05 17:23:09 UTC\r\nWriter: Ilan Duhin\r\nExecutive Summary:\r\nEmotet is an advanced, self-propagating and modular Trojan. Emotet was once a banking Trojan, but recently has\r\nbeen used as a downloader for other malware or malicious campaigns. It uses multiple methods for maintaining\r\npersistence and Evasion techniques like packing. In addition, it can be spread through phishing spam emails\r\ncontaining malicious attachments or links.\r\nEmotet uses a number of malicious techniques when he locates on the victim’s computer such as: allocating\r\nmemory for process injection, and creating new processes/threads to make persistence.\r\nStarting with x32dbg \u0026 Running our sample until the Entry point.\r\nPress enter or click to view image in full size\r\nWe should now search for API call of VirtualAlloc (we saw earlier the allocation memory on process hacker in the\r\ndynamic investigation).\r\nSo we need to search in the debugger (Ctrl + G)=VirtualAlloc and press OK so we can put BP on her and see\r\nwhich arguments contain the original code.\r\nWhen we get to the beginning of the function, our goal is to see the “ret” that describe the end of the function so\r\nwe can put BP.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nPage 1 of 5\n\nTo see the end we need to press Enter.\r\nPress enter or click to view image in full size\r\nNow we put BP. To make sure that the BP is set we can look at Breakpoint tab.\r\nPress enter or click to view image in full size\r\nPress enter or click to view image in full size\r\nNow Debug \u0026 Run + Step over (F8) the function (the debugger take now us to the original code).\r\nWhen we press step over we jump to the next function below. But if we scroll up one function we see that the\r\nregister edi store the VirtualAlloc function.\r\nPress enter or click to view image in full size\r\nIn situations like this when we found the call that contains our function we need to check the arguments that it\r\npushes into it for searching our MZ Header.\r\nGet Ilan Duhin’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nhttps://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nPage 2 of 5\n\nRemember me for faster sign in\r\nThe two arguments we see between the “calls” that used by the function to push them into her are: [esp+28] \u0026\r\n[esp+2C].\r\nPress enter or click to view image in full size\r\nNow we need to check there hex values of unpacked code by clicking “follow in dump”. The first check is\r\nempty (we don’t see any clue about MZ Header).\r\nPress enter or click to view image in full size\r\nAlso the second one.\r\nPress enter or click to view image in full size\r\nIn this situation when we don’t find any hex values of unpacked code we need to Run + Step over one more time\r\nto search for more functions call of VirtualAlloc so we can search there if they have arguments that contain the\r\noriginal unpacked code.\r\nSo when we Run again we jumped to the ret 10 instruction again.\r\nWhen we press (F8) — step over we jump into the function that calls ebp register that contains VirtualAlloc\r\nfunction and a number of arguments we need to explore.\r\nPress enter or click to view image in full size\r\nSimilar to the first arguments, here we have another one: [edi+54].\r\nClick “follow in dump” and let’s see the results. When we scroll up we see that the hex strings looks like\r\nexecutable with description of “This program cannot run in DOS mode”, it is perfect for us because every PE\r\nheader starts like this. Now what is left to find out is where the MZ.\r\nhttps://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nPage 3 of 5\n\nLittle bit scrolling up and we see the MZ Header that is probably the unpacked code!\r\nPress enter or click to view image in full size\r\nIn this stage of analysis (after finding the unpacked code) we should go to Memory map TAB to locate the\r\nspecific address that contains Execute permissions and dump her into new file.\r\nTo do this, right click on the hex values table \u0026 “follow in memory map”.\r\nPress enter or click to view image in full size\r\nIts automatically points us to the address that the malware doing it executable capabilities.\r\nAll we have left to do is dump the address of unpacked code into new file like I said earlier.\r\nTo do this, right click on memory address \u0026 “Dump memory to file”.\r\nhttps://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nPage 4 of 5\n\nThe most fun part for me in unpacking is when you drag the unpacked file into HxD and clean all the beginning\r\nbefore the MZ.\r\nFirst, we search the MZ string with Ctrl+F, when we locate him, we erase all strings before him so we can save it\r\ninto a cleaned PE File.\r\nPress enter or click to view image in full size\r\nPress enter or click to view image in full size\r\nSource: https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nhttps://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb" ], "report_names": [ "emotet-unpacking-35bbe2980cfb" ], "threat_actors": [], "ts_created_at": 1775434816, "ts_updated_at": 1775791232, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/04fc658289318e68bbfaa83c54a5ce5cb7b41bd6.pdf", "text": "https://archive.orkl.eu/04fc658289318e68bbfaa83c54a5ce5cb7b41bd6.txt", "img": "https://archive.orkl.eu/04fc658289318e68bbfaa83c54a5ce5cb7b41bd6.jpg" } }