{
	"id": "9e051fdd-fbd9-4ecb-a43e-651dea01136a",
	"created_at": "2026-04-06T00:13:07.458081Z",
	"updated_at": "2026-04-10T03:21:19.663758Z",
	"deleted_at": null,
	"sha1_hash": "0833d4867b38c7780b97921671dbdcf83ba73141",
	"title": "[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145445,
	"plain_text": "[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)\r\nPublished: 2022-12-19 · Archived: 2026-04-05 22:23:36 UTC\r\nA quick check of the section information of this sample shows that it may be crypted/packed to conceal the real malware inside the original sample; in addition, there is an extra section with an unusual name: text\r\nLoad the sample into x64dbg, set a breakpoint at the VirtualAlloc API function, and run the payload by pressing F9. It will break at the VirtualAlloc function:\r\nExecute till return (Ctrl+F9) and follow the allocated memory; tracing over the ret instruction returns into the Dll’s code and reaches a code area like the following:\r\nTo quickly get the Emotet core payload, set a bp at the ret instruction below the loop, then press F9 to let the payload finish decrypting and fill the core payload into the allocated memory. The resulting core payload is decrypted as shown below:\r\nNow dump the above memory to disk and fix the total size of the payload to 0x2B800; we get the final Emotet core Dll (MD5: 577118e39051f0678a52f871f74cd675):\r\nLoad the fixed core Dll above into IDA and go to the export function DllRegisterServer; we see two subroutines as follows:\r\nIn the et_retrieve_api_addr (0x18000F174) function, the code snippet does the following:\r\nDiving further into the et_get_dll_base_from_hash (0x0180002960) function, the process of getting the base address of the Dll is as follows:\r\nBased on the above pseudocode, the hash function for the Dll name can be rewritten in Python as follows:\r\nWe can write an IDAPython script that recovers the names of the DLLs that Emotet uses from these pre-computed hashes. The script performs the following tasks:\r\nimport idc, ida_enum, idautils, ida_bytes, idaapi\r\n\r\n# List of candidate module names whose hashes are compared against the constants in the binary\r\nmost_common_dlls = ['kernel32.dll', 'user32.dll', 'ntdll.dll', 'shlwapi.dll', 'iphlpapi.dll', 'urlmon.dll', 'ws2_32.dll', 'cry\r\n'comctl32.dll', 'comdlg32.dll', 'msvcrt.dll', 'oleaut32.dll', 'srsvc.dll', 'winhttp.dll', 'advpack.dll',\r\n\r\n# Reimplementation of Emotet's Dll-name hash (see the pseudocode of et_get_dll_base_from_hash above)\r\ndef calc_hash(dll_name):\r\n    hash_value = 0x0\r\n    module_name_list = list(dll_name)\r\n    for i in range(len(module_name_list)):\r\n        ch = ord(module_name_list[i])\r\n        hash_value = ((hash_value \u003c\u003c 0x10) \u0026 0xFFFFFFFF) + ((hash_value \u003c\u003c 0x6) \u0026 0xFFFFFFFF) + ch -\r\n    return ((hash_value ^ 0x106308C0) \u0026 0xFFFFFFFF)\r\n\r\n# Look up an existing enum member whose value equals `constant`; returns [name, enum_id] or None\r\ndef get_enum_const(constant):\r\n    all_enums = ida_enum.get_enum_qty()\r\n    for i in range(0, all_enums):\r\n        enum_id = ida_enum.getn_enum(i)\r\n        mask = ida_enum.get_first_bmask(enum_id)\r\n        enum_constant = ida_enum.get_first_enum_member(enum_id, mask)\r\n        name = ida_enum.get_enum_member_name(ida_enum.get_enum_member(enum_id, enum_constant, 0, mask))\r\n        if int(enum_constant) == constant: return [name, enum_id]\r\n        while True:\r\n            enum_constant = ida_enum.get_next_enum_member(enum_id, enum_constant, mask)\r\n            name = ida_enum.get_enum_member_name(ida_enum.get_enum_member(enum_id, enum_constant, 0, mask))\r\n            if enum_constant == 0xFFFFFFFF:\r\n                break\r\n            if int(enum_constant) == constant: return [name, enum_id]\r\n    return None\r\n\r\n# Replace the immediate operand at `addr` (push or mov) with the matching enum member\r\ndef convert_offset_to_enum(addr):\r\n    n_operand = 0\r\n    if idc.print_insn_mnem(addr) == \"push\":\r\n        constant = idc.get_operand_value(addr, 0) \u0026 0xFFFFFFFF\r\n    elif idc.print_insn_mnem(addr) == \"mov\":\r\n        constant = idc.get_operand_value(addr, 1) \u0026 0xFFFFFFFF\r\n        n_operand = 1\r\n    enum_data = get_enum_const(constant)\r\n    if enum_data:\r\n        name, enum_id = enum_data\r\n        idc.op_enum(addr, n_operand, enum_id, 0)\r\n        return True\r\n    else:\r\n        return False\r\n\r\n# Walk every call to the API-resolution function, recover the Dll-hash argument and label it\r\ndef enum_for_xrefs(func_addr, eid):\r\n    for x in idautils.XrefsTo(func_addr, flags=0):\r\n        call_address = x.frm\r\n        if ida_bytes.is_code(ida_bytes.get_full_flags(call_address)):\r\n            pre_module_hash_addr = idaapi.get_arg_addrs(call_address)[1]\r\n            if idc.print_insn_mnem(pre_module_hash_addr) == \"mov\" and idc.get_operand_type(pre_module_hash_addr, 1\r\n                print(\"[+] Target instruction found at 0x{address:x}\".format(address=pre_module_hash_addr))\r\n                pre_module_hash = idc.get_operand_value(pre_module_hash_addr, 1) \u0026 0xFFFFFFFF\r\n                module_hash_addr = pre_module_hash_addr\r\n                for dll_name in most_common_dlls:\r\n                    calced_hash = calc_hash(dll_name)\r\n                    if calced_hash == pre_module_hash:\r\n                        print(' [+] Module name: %s ==\u003e Hash: 0x%x' % (dll_name, calced_hash))\r\n                        ida_enum.add_enum_member(eid, '%s_hash' % dll_name, int(calced_hash), idaapi.BADADDR)\r\n                        if convert_offset_to_enum(module_hash_addr):\r\n                            print(\" [+] Converted 0x%x to %s enumeration\" % (idc.get_operand_value(module_hash_addr, 1\r\n\r\ndef main():\r\n    target_function = 0x018000F174\r\n    if ida_enum.get_enum(\"MODULE_HASHES\") != 0xffffffffffffffff:\r\n        print('Enum already exists ...')\r\n        return 0xffffffffffffffff\r\n    else:\r\n        eid = ida_enum.add_enum(0, \"MODULE_HASHES\", ida_bytes.hex_flag())\r\n        enum_for_xrefs(target_function, eid)\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nThe pseudocode of the et_get_api_addr_from_hash (0x0180025D84) function does the following:\r\nBased on the above pseudocode, it can be seen that this hash function is similar to the hash function for the Dll name above; we can rewrite it in Python in another way as follows:\r\nFollowing this article, we can write a Python script to perform the following tasks:\r\nOnce the JSON file has been generated, we can write another IDAPython script (similar to the script above, or refer to this code) that does the following tasks:\r\nTo find the function that decrypts the strings, the fastest way is to find the function that calls the LoadLibraryW API, because this API takes the name of the module to be loaded as an argument.\r\nAs shown in the figure above, sub_18002629C returns the name of the module. The pseudocode of sub_18002629C stores its encrypted string as a stack string, then calls the et_decrypt_string (0x180025C58) function to decrypt it:\r\nThe et_decrypt_string function accepts parameters for the decryption process, including:\r\nAs mentioned above, the encrypted string has a variable length and the values of the encrypted string are dynamically calculated by Emotet before being stored on the stack. This makes it difficult to obtain these values for a decryption script. One of the most practical ways is therefore to write a script that uses the IDA Appcall feature to execute a call to the decryption function and receive the decrypted string as the return value.\r\nEnd.\r\nSource: https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/"
	],
	"report_names": [
		"z2abimonthly-malware-challege-emotet-back-from-the-dead"
	],
	"threat_actors": [],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0833d4867b38c7780b97921671dbdcf83ba73141.pdf",
		"text": "https://archive.orkl.eu/0833d4867b38c7780b97921671dbdcf83ba73141.txt",
		"img": "https://archive.orkl.eu/0833d4867b38c7780b97921671dbdcf83ba73141.jpg"
	}
}