{
	"id": "29d1e34c-57ea-4738-b4dc-0e5560ac4278",
	"created_at": "2026-04-06T00:09:55.418068Z",
	"updated_at": "2026-04-10T03:28:06.549071Z",
	"deleted_at": null,
	"sha1_hash": "3925b9ad66a00cdac2ec2ef1a724a3183271de1b",
	"title": "GitHub - NozomiNetworks/greyenergy-unpacker: Toolkit collection developed to help malware analysts dissecting and detecting the packer used by GreyEnergy samples.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49828,
	"plain_text": "GitHub - NozomiNetworks/greyenergy-unpacker: Toolkit\r\ncollection developed to help malware analysts dissecting and\r\ndetecting the packer used by GreyEnergy samples.\r\nBy adipinto\r\nArchived: 2026-04-05 13:42:15 UTC\r\nRepository\r\nToolkit collection developed to help malware analysts dissecting and detecting the packer used by GreyEnergy\r\nsamples.\r\nPacker Overview\r\nThe GreyEnergy dropper is protected using a custom packer with the following characteristics:\r\nCustom decryption algorithm\r\nLZW (variant) decompression algorithm\r\nJunk code \u0026 JMP instructions (anti-analysis)\r\nMemory wiping (anti-forensic)\r\nDynamically-resolved WinAPIs\r\nOverlay data payload (There are no suspicious sections in the PE header.)\r\nOnce the dropper has been decrypted/decompressed in memory, the packer performs the following steps:\r\nParses the dropper's PE header, searching for the appended data\r\nCopies the final malware in memory, reading it from the appended data\r\nResolves the dropper's imports\r\nRelocates the dropper's executable\r\nJumps to the dropper's entry point\r\nThe dropper stores the final malware in the filesystem, establishing persistence.\r\ngreyenergy_unpacker.py\r\nAn easy-to-run tool that automatically extracts GreyEnergy packed files.\r\nUsage\r\nUnpacks the malware storing it on the disk.\r\nhttps://github.com/NozomiNetworks/greyenergy-unpacker\r\nPage 1 of 3\n\npython3 greyenergy_unpacker.py -f suspicious.bin\r\nINFO : Processing the file 'suspicious.bin' (SHA256 d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb\r\nINFO : Malware unpacked in 'suspicious.bin_malware_unpacked.bin' (SHA256 7e154d5be14560b8b2c16969effdb8417559758\r\nUnpacks the malware dumping also the dropper component.\r\npython3 greyenergy_unpacker.py -d -f suspicious.bin\r\nINFO : Processing the file 'suspicious.bin' (SHA256 d4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb\r\nINFO : Dropper unpacked in 'suspicious.bin_dropper_unpacked.bin' (SHA256 a7d3f2b6cec72a324c375e4335e42b1f1f4d964\r\nINFO : Malware unpacked in 'suspicious.bin_malware_unpacked.bin' (SHA256 7e154d5be14560b8b2c16969effdb8417559758\r\nYara module\r\nThe file greyenergy.c is a YARA module developed to parse the GreyEnergy packer, decrypting only the first\r\npart of the appdata in order to confirm the detection.\r\nAfter the compilation, it is possible to detect the malicious file just using the new keyword is_packed.\r\nInstallation\r\nDetailed information about the compilation can be found in the official Yara documentation\r\nThe file build.sh contained inside Yara's root directory configures and compiles automatically the source\r\ncode. Currently it is not mentioned in the documentation, so that could be changed in the near future.\r\nRule example\r\nimport \"pe\"\r\nimport \"greyenergy\"\r\nrule GreyEnergyPacker {\r\n condition:\r\n greyenergy.is_packed(pe.overlay.offset)\r\n}\r\nTested Samples\r\nBoth the Yara module and the unpacker script have been successfully used to unpack the following samples\r\n(SHA-256):\r\nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22\r\nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a\n\nSource: https://github.com/NozomiNetworks/greyenergy-unpacker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://github.com/NozomiNetworks/greyenergy-unpacker"
	],
	"report_names": [
		"greyenergy-unpacker"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3925b9ad66a00cdac2ec2ef1a724a3183271de1b.pdf",
		"text": "https://archive.orkl.eu/3925b9ad66a00cdac2ec2ef1a724a3183271de1b.txt",
		"img": "https://archive.orkl.eu/3925b9ad66a00cdac2ec2ef1a724a3183271de1b.jpg"
	}
}