{
	"id": "04e9241c-4827-4b48-97fa-629581c88fc9",
	"created_at": "2026-04-06T00:13:49.149037Z",
	"updated_at": "2026-04-10T03:20:58.391626Z",
	"deleted_at": null,
	"sha1_hash": "73286f83e1a0cff01b572d70a035db032ffee9d1",
	"title": "EMOTET Dynamic Configuration Extraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865531,
	"plain_text": "EMOTET Dynamic Configuration Extraction\r\nBy Remco Sprooten\r\nPublished: 2022-12-01 · Archived: 2026-04-02 11:32:04 UTC\r\nKey takeaways\r\nThe EMOTET developers have changed the way they encode their configuration in the 64-bit version of the malware.\r\nUsing code emulation we can bypass multiple code obfuscation techniques.\r\nThe use of code emulators in config extractors will become more prevalent in the future.\r\nTo download the EMOTET configuration extractor, check out our post on the tool: EMOTET configuration extractor\r\nPreamble\r\nThe EMOTET family broke onto the malware scene as a modular banking trojan in 2014, focused on harvesting and exfiltrating bank account information by inspecting traffic. EMOTET has since been adapted as an early-stage implant used to load other malware families, such as QAKBOT, TRICKBOT, and RYUK. While multiple EMOTET campaigns have been dismantled by international law enforcement entities, it has continued to operate as one of the most prolific cybercrime operations.\r\nFor the last several months, Elastic Security has observed the EMOTET developers transition to a 64-bit version of their malware. While this change does not seem to impact the core functionality of the samples we have witnessed, we did notice a change in how the configuration and strings are obfuscated. In earlier versions of EMOTET, the configuration was stored in an encrypted form in the .data section of the binary. In the newer versions the configuration is calculated at runtime. 
The information we need to extract the configuration from the binary is thus hidden within the actual code.\r\nIn the next sections, we’ll discuss the following as it relates to 64-bit EMOTET samples:\r\nEMOTET encryption mechanisms\r\nReviewing the EMOTET C2 list\r\nInteresting EMOTET strings\r\nThe EMOTET configuration extractor utility\r\nEncryption keys\r\nEMOTET embeds Elliptic Curve Cryptography (ECC) public keys to protect its network communication. While in previous versions the keys were stored in an XOR-encrypted blob, the key material is now calculated at runtime.\r\nhttps://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction\r\nPage 1 of 15\r\nEncoded Encryption Key blob in 64-bit version\r\nIn comparison, previous versions of EMOTET stored an encrypted copy of the key data in the .text section of the binary.\r\nEmbedded key data in previous version of the malware\r\nTo make it harder for security researchers to find this code, the malware uses Mixed Boolean-Arithmetic (MBA) as one of its obfuscation techniques. MBA transforms constants and simple expressions into equivalent expressions that mix Boolean operations (XOR, AND, OR, NOT) with arithmetic ones (addition, subtraction, multiplication), so the original value never appears literally in the binary.\r\nExample of Mixed Boolean-Arithmetic\r\nIn this example, an array of constants is instantiated, but looking at the assembly we see that every constant is calculated at runtime. 
This method makes it challenging to develop a signature to target this function.\r\nWe noticed that both the Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) keys use the same function to decode their contents.\r\nThe ECDH key (recognizable by its ECK1 magic bytes) is used for the key agreement that encrypts C2 traffic, while the ECDSA key (ECS1 magic bytes) is used to verify the C2 server's responses.\r\nECK1 magic bytes at the start of the key data\r\nDecoding algorithm for the key material\r\nUsing a YARA signature to find this decode function within the EMOTET binary, the extraction process is:\r\n1. Find the decoding algorithm within the binary.\r\n2. Locate any cross references (Xrefs) to the decoding function.\r\n3. Emulate each function that calls the decoding function.\r\n4. Read the resulting data from memory.\r\nAs mentioned, we first find the function in the binary using YARA. The signature is provided at the end of this article. It is worth pointing out that these YARA signatures are used to identify locations in the binary; in their current form they are not suitable for identifying EMOTET samples.\r\nTo retrieve the data from multiple samples automatically, we created a configuration extractor. In the snippets below, we demonstrate at a high level how we collect the configuration information from the malware samples.\r\nPython code to find the start of a function\r\nIn the above code snippet:\r\n1. Load the YARA signature.\r\n2. Scan the file for a match.\r\n3. Calculate the function's address from the file offset of the match.\r\nTo locate the Xrefs to this function, we use the SMDA disassembler. 
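Steps 2 and 3 of that snippet, scanning for the signature and turning a match into an address that a disassembler or emulator can work with, can be demonstrated without yara-python. The following is an added example, not code from the article or from the extractor: it translates the resolve_keys hex string from the end of this article into a bytes regex (a stand-in for the YARA engine), walks the PE section table to map the raw file offset of a match to a virtual address, and runs against a constructed PE32+ image (not an EMOTET sample) whose .text section contains bytes that satisfy the pattern. Note that the match lands inside the decode routine, not at its entry; walking back from the match to the function start is left to the disassembler.

```python
import re
import struct

# Byte pattern of the resolve_keys rule from this article, in YARA hex-string
# syntax: two hex digits per byte, ?? for a wildcard byte.
RESOLVE_KEYS_PATTERN = '''
45 33 C9   4C 8B D0   48 85 C0   74 ??   48 8D ?? ??   4C 8B ??   48 8B ??
48 2B ??   48 83 ?? ??   48 C1 ?? ??   48 3B ??   49 0F 47 ??   48 85 ??
74 ??   48 2B D8   42 8B 04 03
'''


def hex_pattern_to_regex(pattern):
    # Fixed bytes are escaped literally, each ?? becomes a dot, and DOTALL
    # lets the dot match 0x0A as well.
    parts = []
    for token in pattern.split():
        if token == '??':
            parts.append(b'.')
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b''.join(parts), re.DOTALL)


def find_pattern(buf, pattern):
    # Raw file offsets of every (non-overlapping) occurrence of the pattern.
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]


def pe_sections(pe):
    # Minimal PE header walk: DOS header -> e_lfanew -> COFF header ->
    # optional header (for ImageBase) -> section table.
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ/PE file')
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from('<H', pe, coff + 2)
    size_opt, = struct.unpack_from('<H', pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from('<H', pe, opt)
    if magic == 0x20B:      # PE32+: 8-byte ImageBase at offset 24
        image_base, = struct.unpack_from('<Q', pe, opt + 24)
    elif magic == 0x10B:    # PE32: 4-byte ImageBase at offset 28
        image_base, = struct.unpack_from('<I', pe, opt + 28)
    else:
        raise ValueError('unknown optional header magic')
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40
        name = pe[off:off + 8].rstrip(bytes(1)).decode('ascii', 'replace')
        vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', pe, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return image_base, sections


def file_offset_to_va(pe, offset):
    # Map a raw file offset to a virtual address through the section that maps
    # it. Offsets inside the headers or in unmapped slack return None.
    image_base, sections = pe_sections(pe)
    for _name, va, _vsize, rawptr, rawsize in sections:
        if rawptr <= offset < rawptr + rawsize:
            return image_base + va + (offset - rawptr)
    return None


def locate_matches(pe, pattern):
    # Scan, then translate each match offset into (file offset, VA).
    return [(off, file_offset_to_va(pe, off)) for off in find_pattern(pe, pattern)]


def build_sample_pe():
    # Constructed test image, not an EMOTET sample: PE32+ headers in the first
    # 0x400 bytes and one .text section mapped at RVA 0x1000 from file offset
    # 0x400. Bytes satisfying the signature (wildcards filled with arbitrary
    # values) are placed at .text+0x120.
    image_base = 0x180000000
    text_raw, text_rva, text_size = 0x400, 0x1000, 0x400
    stub = bytes.fromhex('4533C9 4C8BD0 4885C0 741A 488D4810 4C8BC1 488BD0 482BC8'
                         ' 4883C107 48C1E903 483BCA 490F47CA 4885C9 740A 482BD8 428B0403')
    code = bytearray(text_size)
    code[0x120:0x120 + len(stub)] = stub
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into('<H', opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into('<Q', opt, 24, image_base)
    sect = struct.pack('<8sIIIIIIHHI', b'.text', text_size, text_rva,
                       text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + sect
    return headers + bytes(text_raw - len(headers)) + bytes(code)


if __name__ == '__main__':
    for off, va in locate_matches(build_sample_pe(), RESOLVE_KEYS_PATTERN):
        print(f'signature at file offset {off:#x} -> VA {va:#x}')
```

On the constructed image the single hit is file offset 0x520, which maps to 0x180001120; that VA, not the file offset, is what gets handed to the disassembler for cross-reference lookup and to the emulator as a code address.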
After locating the Xrefs, we can start the emulation process using the Unicorn CPU emulator.\r\nPython code used to emulate decoding functions\r\n1. Initialize the Unicorn emulator.\r\n2. Load the executable code from the PE file into memory.\r\n3. Disassemble the function to find its return instruction, which marks where emulation should stop.\r\n4. The binary calls the Windows HeapAlloc API to allocate space for the decoded data. Since we do not want to emulate any Windows APIs, which would add unnecessary complexity, we hook that call and allocate the space ourselves.\r\n5. After the emulation has run, the 64-bit RAX register (the return-value register under the Windows x64 calling convention) contains a pointer to the key data in memory.\r\n6. To present the key in a more readable way, we convert it to the standard PEM format.\r\nBy emulating only the parts of the binary that we are interested in, we no longer have to defeat the obfuscation statically in order to retrieve the hidden contents. This approach adds complexity to the creation of config extractors. However, since malware authors are adding ever more obfuscation, a generic approach to defeating these techniques is needed.\r\nExample of the extractor used to find key material\r\nC2 server list\r\nAn important part of tracking a malware family is identifying the C2 servers it uses to operate its network.\r\nIn the 64-bit versions of EMOTET, the IP and port information of the C2 servers is also calculated at runtime. Every C2 server is represented by a function that computes and returns the IP address and port number.\r\nExamples of encoded IP/port combination\r\nThese functions don't have a direct cross reference available for searching. 
However, one procedure references all of the C2 functions and builds the p_c2_list array of function pointers; this is the routine the c2_list YARA rule at the end of this article locates.\r\nC2 server list\r\nAfter that, we can emulate every C2-server function individually to retrieve its IP and port combination, as seen below.\r\nExample of the extractor used to find C2 server list\r\nStrings\r\nThe same method is applied to the strings in memory. Every string has its own function. In the following example, the function returns a pointer to the string %s\\regsvr32.exe \"%s\".\r\nEncoded string\r\nAll of the EMOTET strings share a common function to decode or resolve the string at runtime. In the sample that we are analyzing here, the string resolver function is referenced 29 times.\r\nString decoding algorithm\r\nThis allows us to follow the same approach as noted earlier in order to decode all of the EMOTET strings. 
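The string_decode rule at the end of this article matches the loop body of the wide-string routine. Read from the opcode bytes of that signature (mov ecx,[rbx]; xor ecx,ebp; then movzx/shr steps that store the four result bytes with mov word [r8+n]; cmp r11,r9; jb), each 32-bit word of the encoded blob is XORed with the value in ebp and its four bytes are written out as four 16-bit characters. The added example below, which is not code from the article or from the extractor, reimplements that transform in Python. The fragment does not show where the key in ebp or the word count in r9 come from, so both are parameters here, and the sample blob is constructed by inverting the transform on the string KeyDataBlob (one of the strings in the extractor output further down) with an arbitrary key.

```python
import struct


def decode_wide_string(encoded, key, count):
    # The loop body the string_decode signature matches, read from its opcode
    # bytes: mov ecx,[rbx]; xor ecx,ebp; movzx/shr to split the result into
    # four bytes, each stored with mov word [r8+n]; cmp r11,r9; jb.
    # Every 32-bit word is XORed with the key in ebp (not modified inside the
    # fragment) and its bytes are widened to UTF-16LE code units. The key and
    # the word count in r9 are produced outside the fragment; assumed here.
    if len(encoded) < 4 * count:
        raise ValueError('encoded blob shorter than the declared word count')
    out = bytearray()
    for i in range(count):
        word, = struct.unpack_from('<I', encoded, 4 * i)
        plain = word ^ key
        for shift in (0, 8, 16, 24):
            out += struct.pack('<H', (plain >> shift) & 0xFF)
    return out.decode('utf-16-le').rstrip(chr(0))


def encode_wide_string(text, key):
    # Constructed inverse, used only to produce test input: one byte per
    # character, zero-padded to whole 32-bit words, each word XORed with the
    # key. Returns the blob and the word count the decoder expects.
    raw = bytearray(text.encode('ascii'))
    raw += bytes((-len(raw)) % 4)
    blob = bytearray()
    for i in range(0, len(raw), 4):
        word, = struct.unpack_from('<I', raw, i)
        blob += struct.pack('<I', word ^ key)
    return bytes(blob), len(raw) // 4


# Arbitrary key for the constructed sample; the real key comes from code that
# the signature does not cover.
SAMPLE_KEY = 0x5A3C9E71
SAMPLE_BLOB, SAMPLE_WORDS = encode_wide_string('KeyDataBlob', SAMPLE_KEY)

if __name__ == '__main__':
    print(decode_wide_string(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_WORDS))
```

Because the XOR is applied per 32-bit word rather than per byte, a wrong key corrupts every character, not just some; this is also why emulating the routine (which carries its own key) is simpler than re-deriving the key for each sample.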
We pinpoint the string decoding function using YARA, find the cross-references, and emulate the resulting functions.\r\nExample of the extractor used to find strings\r\nConfiguration extractor\r\nAutomating the payload extraction from EMOTET is a crucial aspect of threat hunting as it gives visibility into the campaign and the malware deployed by the threat actors, enabling practitioners to discover new, unknown samples in a timely manner.\r\n% emotet-config-extractor --help\r\nusage: Emotet Configuration Extractor [-h] (-f FILE | -d DIRECTORY) [-k] [-c] [-s] [-a]\r\noptions:\r\n  -h, --help            show this help message and exit\r\n  -f FILE, --file FILE  Emotet sample path\r\n  -d DIRECTORY, --directory DIRECTORY\r\n                        Emotet samples folder\r\n  -k                    Extract Encryption keys\r\n  -c                    Extract C2 information\r\n  -s                    Extract strings\r\n  -a                    Extract strings (ascii)\r\nOur extractor takes either a directory of samples with the -d option or a single sample with -f, and can then output the parts of the configuration of note, specifically:\r\n-k : extract the encryption keys\r\n-c : extract the C2 information\r\n-s : extract the wide-character strings\r\n-a : extract the ASCII character strings\r\nEMOTET uses a different routine for decoding wide and ASCII strings. That is why the extractor provides flags to extract them separately.\r\nThe C2 information is displayed as a list of IP address and port pairs found in the sample. It is worth noting that EMOTET downloads submodules to perform specific tasks. These submodules can contain their own list of C2 servers. The extractor is also able to process these submodules.\r\nThe submodules that we observed do not contain encryption keys. 
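The -k output below prints each recovered key as PEM. The conversion in step 6 of the emulation walk-through is a pure formatting step, shown here as an added example that is not code from the article or from the extractor. It assumes the decoded blob is a Windows BCRYPT_ECCKEY_BLOB (4-byte magic ECK1 or ECS1, 4-byte little-endian coordinate length of 32, then the X and Y coordinates), wraps the point in the fixed SubjectPublicKeyInfo header for prime256v1 and base64-encodes it. To run on the page's own data it rebuilds the blob from the ECK1 PEM printed below; the second function is that inverse.

```python
import base64
import struct

# BCRYPT_ECCKEY_BLOB magics for P-256 public keys, from Windows bcrypt.h.
# The magic is followed by cbKey (little-endian, 32 for P-256) and then the
# X and Y coordinates, cbKey bytes each.
ECC_MAGICS = {
    b'ECK1': 'ECDH public key (BCRYPT_ECDH_PUBLIC_P256_MAGIC)',
    b'ECS1': 'ECDSA public key (BCRYPT_ECDSA_PUBLIC_P256_MAGIC)',
}

# DER header of a SubjectPublicKeyInfo for id-ecPublicKey / prime256v1, up to
# and including the 0x04 uncompressed-point tag; X || Y (64 bytes) follows.
SPKI_P256_PREFIX = bytes.fromhex('3059301306072a8648ce3d020106082a8648ce3d030107034200 04')


def parse_ecc_blob(blob):
    # Split a BCRYPT_ECCKEY_BLOB into (magic, x, y), checking the magic and
    # that the declared coordinate length agrees with the blob size.
    if len(blob) < 8:
        raise ValueError('blob too short for a BCRYPT_ECCKEY_BLOB header')
    magic = blob[:4]
    if magic not in ECC_MAGICS:
        raise ValueError(f'unknown key magic {magic!r}')
    cb_key, = struct.unpack_from('<I', blob, 4)
    if cb_key != 32 or len(blob) != 8 + 2 * cb_key:
        raise ValueError(f'unexpected coordinate length {cb_key} for {magic!r}')
    return magic, blob[8:8 + cb_key], blob[8 + cb_key:]


def ecc_blob_to_pem(blob):
    # Wrap the point in SubjectPublicKeyInfo DER and PEM-encode it, which is
    # the form the extractor prints. Returns (magic as text, PEM).
    magic, x, y = parse_ecc_blob(blob)
    der = SPKI_P256_PREFIX + x + y
    b64 = base64.b64encode(der).decode('ascii')
    lines = ['-----BEGIN PUBLIC KEY-----']
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append('-----END PUBLIC KEY-----')
    return magic.decode('ascii'), chr(10).join(lines)


def pem_to_ecc_blob(pem, magic):
    # Inverse direction, used to rebuild a key blob from a PEM so the example
    # can run on the key printed in this article.
    b64 = ''.join(l for l in pem.splitlines() if not l.startswith('-----'))
    der = base64.b64decode(b64)
    if not der.startswith(SPKI_P256_PREFIX) or len(der) != len(SPKI_P256_PREFIX) + 64:
        raise ValueError('not a P-256 SubjectPublicKeyInfo')
    return magic + struct.pack('<I', 32) + der[len(SPKI_P256_PREFIX):]


# The ECK1 key exactly as the extractor output in this article prints it.
ARTICLE_ECK1_PEM = chr(10).join([
    '-----BEGIN PUBLIC KEY-----',
    'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW',
    'NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==',
    '-----END PUBLIC KEY-----',
])

if __name__ == '__main__':
    blob = pem_to_ecc_blob(ARTICLE_ECK1_PEM, b'ECK1')
    kind, pem = ecc_blob_to_pem(blob)
    print(f'[+] Key type: {kind} ({ECC_MAGICS[blob[:4]]})')
    print(pem)
```

The magic only tells you which algorithm Windows will accept the blob for; the DER wrapper is identical for both key types, so a PEM alone does not reveal whether a key was the ECDH or the ECDSA one. Keep the magic alongside the PEM, as the extractor output does.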
While processing submodules you can omit the -k flag.\r\n[...]\r\n[+] Key type: ECK1\r\n[+] Key length: 32\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW\r\nNqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==\r\n-----END PUBLIC KEY-----\r\n[...]\r\n[+] Key type: ECS1\r\n[+] Key length: 32\r\n-----BEGIN PUBLIC KEY-----\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI\r\nlAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==\r\n-----END PUBLIC KEY-----\r\n[...]\r\n[+] Found 64 c2 subs\r\n174.138.33.49:7080\r\n188.165.79.151:443\r\n196.44.98.190:8080\r\n[...]\r\n[+] Starting emulation\r\n[+] String BLOB address: 0x4000000\r\nKeyDataBlob\r\n[...]\r\n[+] String BLOB address: 0x4000000\r\nbcrypt.dll\r\n[...]\r\n[+] String BLOB address: 0x4000000\r\nRNG\r\nTo enable the community to further defend themselves against existing and new variants of EMOTET, we are making the payload extractor open source under the Apache 2 License. Access the payload extractor documentation and binary download.\r\nThe future of EMOTET\r\nThe EMOTET developers are implementing new techniques to hide their configurations from security researchers. These techniques slow down initial analysis; however, EMOTET eventually has to execute to achieve its purpose, and that means we can collect information that uncovers more about the campaign and its infrastructure. Using code emulators, we can still find and extract the information from the binary without having to defeat the obfuscation statically. EMOTET is a good example of multiple obfuscation techniques making static analysis harder, and we expect more malware authors to follow the same example. 
That is why we expect to see more emulation-based configuration extractors in the future.\r\nEMOTET running and gathering system information\r\nDetection\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. The YARA rules shown here are not meant to be used on their own to detect EMOTET binaries; they were created to support the configuration extractor. The YARA rules for detecting EMOTET can be found in the protections-artifacts repository.\r\nEMOTET key decryption function\r\nrule resolve_keys\r\n{\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        description = \"EMOTET - find the key decoding algorithm in the PE\"\r\n        creation_date = \"2022-08-02\"\r\n        last_modified = \"2022-08-11\"\r\n        os = \"Windows\"\r\n        family = \"EMOTET\"\r\n        threat_name = \"Windows.Trojan.EMOTET\"\r\n        reference_sample = \"debad0131060d5dd9c4642bd6aed186c4a57b46b0f4c69f1af16b1ff9c0a77b1\"\r\n    strings:\r\n        $chunk_1 = {\r\n            45 33 C9\r\n            4C 8B D0\r\n            48 85 C0\r\n            74 ??\r\n            48 8D ?? ??\r\n            4C 8B ??\r\n            48 8B ??\r\n            48 2B ??\r\n            48 83 ?? ??\r\n            48 C1 ?? ??\r\n            48 3B ??\r\n            49 0F 47 ??\r\n            48 85 ??\r\n            74 ??\r\n            48 2B D8\r\n            42 8B 04 03\r\n        }\r\n    condition:\r\n        any of them\r\n}\r\nEMOTET C2 aggregation\r\nrule c2_list\r\n{\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        description = \"EMOTET - find the C2 collection in the PE\"\r\n        creation_date = \"2022-08-02\"\r\n        last_modified = \"2022-08-11\"\r\n        os = \"Windows\"\r\n        family = \"EMOTET\"\r\n        threat_name = \"Windows.Trojan.EMOTET\"\r\n        reference_sample = \"debad0131060d5dd9c4642bd6aed186c4a57b46b0f4c69f1af16b1ff9c0a77b1\"\r\n    strings:\r\n        $chunk_1 = {\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n            48 8D 05 ?? ?? ?? ??\r\n            48 89 81 ?? ?? ?? ??\r\n        }\r\n    condition:\r\n        any of them\r\n}\r\nEMOTET string decoder\r\nrule string_decode\r\n{\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        description = \"EMOTET - find the string decoding algorithm in the PE\"\r\n        creation_date = \"2022-08-02\"\r\n        last_modified = \"2022-08-11\"\r\n        os = \"Windows\"\r\n        family = \"EMOTET\"\r\n        threat_name = \"Windows.Trojan.EMOTET\"\r\n        reference_sample = \"debad0131060d5dd9c4642bd6aed186c4a57b46b0f4c69f1af16b1ff9c0a77b1\"\r\n    strings:\r\n        $chunk_1 = {\r\n            8B 0B\r\n            49 FF C3\r\n            48 8D 5B ??\r\n            33 CD\r\n            0F B6 C1\r\n            66 41 89 00\r\n            0F B7 C1\r\n            C1 E9 10\r\n            66 C1 E8 08\r\n            4D 8D 40 ??\r\n            66 41 89 40 ??\r\n            0F B6 C1\r\n            66 C1 E9 08\r\n            66 41 89 40 ??\r\n            66 41 89 48 ??\r\n            4D 3B D9\r\n            72 ??\r\n        }\r\n        $chunk_2 = {\r\n            8B 0B\r\n            49 FF C3\r\n            48 8D 5B ??\r\n            33 CD\r\n            0F B6 C1\r\n            66 41 89 00\r\n            0F B7 C1\r\n            C1 E9 ??\r\n            66 C1 E8 ??\r\n            4D 8D 40 ??\r\n            66 41 89 40 ??\r\n            0F B6 C1\r\n            66 C1 E9 ??\r\n            66 41 89 40 ??\r\n            66 41 89 48 ??\r\n            4D 3B D9\r\n            72 ??\r\n        }\r\n    condition:\r\n        any of them\r\n}\r\nSource: https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction"
	],
	"report_names": [
		"emotet-dynamic-configuration-extraction"
	],
	"threat_actors": [],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73286f83e1a0cff01b572d70a035db032ffee9d1.pdf",
		"text": "https://archive.orkl.eu/73286f83e1a0cff01b572d70a035db032ffee9d1.txt",
		"img": "https://archive.orkl.eu/73286f83e1a0cff01b572d70a035db032ffee9d1.jpg"
	}
}