{
	"id": "623dea5e-23b0-42b9-9eb4-93184dba38cc",
	"created_at": "2026-04-06T00:17:32.162815Z",
	"updated_at": "2026-04-10T13:12:17.126623Z",
	"deleted_at": null,
	"sha1_hash": "a6631c88075ee4876d1bd9a5a7efb43a5c0eedcb",
	"title": "What the Pack(er)? | cyber.wtf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1579321,
	"plain_text": "What the Pack(er)? | cyber.wtf\r\nArchived: 2026-04-05 15:27:18 UTC\r\nLately, I broke one of the taboos of malware analysis: looking into the packer stub of a couple of malware samples. Fortunately, I must say, because I discovered something I was really surprised by. But first, a little detour.\r\nHistorically, Emotet has been observed to assemble infected systems into three botnets dubbed Epoch 1, Epoch 2, and Epoch 3. After the takedown and the later resurrection, there seem to be only two botnets, which have subsequently been dubbed Epoch 4 and Epoch 5. The differences between the old and the new core of the botnets are significant on the technical side; however, the old Epochs 1 through 3 shared the same core, and so do the recent Epoch 4 and Epoch 5. The only noticeable difference between Epochs 1 through 3 was the config which was embedded into the Emotet core before a sample was rolled out to the victims. The same also applies to the more recent Epochs 4 and 5.\r\nHowever, there is a significant difference in the operations carried out by the botnets between what happened before the disruption and what has been observed since the rebirth. In the past, observations showed that Emotet bots used to drop whatever their operator’s customers paid them for. Brad Duncan alone already observed Emotet dropping QakBot/QBot, Trickbot, and Gootkit. Of these, the Trickbot group seemed to be their best and longest-running customer, based on the numerous observations of Trickbot being dropped by Emotet. But after the resurrection, there were no longer observations of additional malware being dropped by Emotet. Instead, starting in December 2021, researchers observed a CobaltStrike beacon being dropped onto an infected machine without any evidence that there was another malware involved. 
Emotet has since been reportedly and repeatedly seen to deploy CobaltStrike beacons to infected machines, so this was definitely not a one-off drop, and it drew the attention of our researchers.\r\nWith the context of this analysis set up properly, we can finally come back to the actual topic of this blog post: breaking taboos by analyzing packing stubs. Enjoy!\r\nPoking (in) Packing Stubs\r\nFor the first period of time after the resurrection, the Emotet core seems to have used XOR encryption to hide their bot from static analysis. It can easily be seen that the algorithms appear to be (almost) identical between Epoch 4 (left) and Epoch 5 (right) – disregarding a few compiler optimizations due to different key lengths:\r\nhttps://cyber.wtf/2022/03/23/what-the-packer/\r\nPage 1 of 7\r\nFigure 1: Emotet XOR Decrypt for Payload - Epoch 4 (left) vs Epoch 5 (right)\r\nAt some point, the authors changed the encryption scheme to use RC4 instead of plain XOR. Although the code applying the RC4 algorithm looks different thanks to a substantial amount of superfluous API calls, there are obvious similarities between Epoch 4 on the left and Epoch 5 on the right:\r\nFigure 2: RC4 decryption routine of a recent Epoch 4 sample\r\nFigure 3: RC4 decryption routine of a recent Epoch 5 sample\r\nEmotet RC4 Decrypt for Payload - Epoch 4 (left) vs Epoch 5 (right)\r\nThe surprising discovery we made during the week preceding the publication of this post is related to the CobaltStrike drops. Assuming from what was observed for Epochs 1 through 3, thoughts were that some other party paid the Emotet operators to drop CobaltStrike as their desired payload. 
Having a closer look at the samples reveals an interesting observation: all of the CobaltStrike drops used packing stubs which looked extremely familiar. The drops referred to in the following were received on March 11th; however, these specific packing stubs were already observed earlier for Emotet drops. Unfortunately, we did not see the connection until a couple of days ago. But have a look for yourself:\r\nFigure 4: XOR Decrypt of Payload - Emotet (left) vs CobaltStrike Drop A (right)\r\nFigure 5: RC4 Decrypt of Payload - Emotet (left) vs CobaltStrike Drop B (right)\r\nDecryption Routines for Payloads\r\nAs can be seen in both examples, Drop A used the packer which was observed in the early days after the rebirth, while Drop B used the same packer as the Emotet core itself at the time of writing this post.\r\nConclusion or (Educated) Guessing\r\nPrior to the rebirth, drops were not bound to the operation of Emotet – the botnet was known to drop whatever their operator’s customers paid them for; but since the resurrection, this seems to have shifted towards drops which are very tightly bound to the Emotet core and thus to the operation as well. Considering that Trickbot was used to revive the Emotet botnet back in November 2021 and the observation that Emotet has since then only dropped CobaltStrike beacons to infected machines, one thought may arise: have the Trickbot operators perhaps invited their old friends from Emotet over to work for the Conti group as well? It has long been said that the Emotet operators are closely related to the Trickbot group because of their long-running partnership. The thought is also supported by information from the Conti playbook leak in 2021, where it can be seen that Conti makes heavy use of CobaltStrike as a reconnaissance tool before deploying their ransomware. 
AdvIntel also suspected that Emotet arose as part of the Conti group. The now-discovered use of identical packers for both the Emotet core and the CobaltStrike drops supports the claim in a fascinating way.\r\nAlternatively, or additionally, the resurrection of Emotet may have been the final step in replacing Trickbot as the initial foothold of the Conti group in their victims’ networks by putting their remaining Trickbot bots to a last use. It cannot be denied that Emotet was a surprisingly efficient malware, so the Conti operators may have gone for using both Emotet and BazarLoader to access their victims’ networks: with the Trickbot developers focusing solely on BazarLoader and the Emotet operators back in business, this leaves the Conti group with two independent and powerful tools to access infected machines.\r\nOf course, at the same time the author made the aforementioned discovery, researchers observed another drop being delivered by Emotet: SystemBC. 
It remains to be seen whether this was a one-time delivery in the sense of a test or whether researchers will see this drop more often in the future.\r\nReference Samples\r\nc7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01 – old Emotet Epoch 4 sample (2021-11-15)\r\n1c9f611ce78ab0efd09337c06fd8c65b926ebe932bc91b272e97c6b268ab13a1 – old Emotet Epoch 5 sample (2021-11-18)\r\n8494831bbfab5beb6a58d1370ac82a4b3caa1f655b78678c57ef93713c476f9c – recent Emotet Epoch 4 sample (2022-03-14)\r\n31f7e5398c41d7eb8d033dbc7d3b90a2daf54995e20b5ab4a72956b41c8e1455 – recent Emotet Epoch 5 sample (2022-03-15)\r\ncf7a53b0e07f4a1fabc40a5e711cf423d18db685ed4b3c6c87550fcbc5d1a036 – CobaltStrike Drop A (2022-03-11)\r\n73aba991054b1dc419e35520c2ce41dc263ff402bcbbdcbe1d9f31e50937a88e – CobaltStrike Drop B (2022-03-11)\r\nSource: https://cyber.wtf/2022/03/23/what-the-packer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyber.wtf/2022/03/23/what-the-packer/"
	],
	"report_names": [
		"what-the-packer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6631c88075ee4876d1bd9a5a7efb43a5c0eedcb.pdf",
		"text": "https://archive.orkl.eu/a6631c88075ee4876d1bd9a5a7efb43a5c0eedcb.txt",
		"img": "https://archive.orkl.eu/a6631c88075ee4876d1bd9a5a7efb43a5c0eedcb.jpg"
	}
}