{
	"id": "227b4de5-0352-43ea-badf-ff3d7a3ee50c",
	"created_at": "2026-04-06T00:09:53.133857Z",
	"updated_at": "2026-04-10T03:21:27.976788Z",
	"deleted_at": null,
	"sha1_hash": "dc949d77a36cf7daeb3d611a2844360cf7dad9b7",
	"title": "GitHub - d00rt/emotet_research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 350467,
	"plain_text": "GitHub - d00rt/emotet_research\r\nBy Markel\r\nArchived: 2026-04-05 13:28:04 UTC\r\nEmotet research\r\nIn this repository you can find documentation about the Emotet packer and an unpacker for it. The unpacker extracts the command-and-control servers and the public RSA key of Emotet (the botnet identifier).\r\nGeneral purpose\r\nThe purpose of this repository is to show how the Emotet packer works and to provide a sample of the Emotet payload together with an IDC script (written by me).\r\nI also wrote an unpacker for Emotet (using TitanEngine) which extracts the final Emotet payload and the intermediate layers that lead to it.\r\nIn addition, the unpacker writes the static configuration of Emotet to files: the command-and-control servers and the public RSA key (botnet identifier).\r\nDirectories and files\r\n./unpacker/src:\r\n    - Source code of the unpacker. main.py is the script for running the unpacker.\r\n./unpacker/TitanEngine.dll:\r\n    - TitanEngine DLL; you can also download it from reversinglabs.com. The DLL must be placed in the C:/windows/system32/ folder.\r\n./doc:\r\n    - Documentation of the Emotet unpacker.\r\n./unpacked_sample_id:\r\n    - A sample of the final Emotet payload, next to an IDC script documented by me.\r\nRequirements\r\nBefore using the unpacker, I recommend reading the documentation I wrote about this packer (./doc/EN_emotet_packer_analysis_and_config_extraction_v1.pdf).\r\npython 2.7\r\nyara-python\r\nTitanEngine DLL. Provided in this repo, or you can download it from its web page.\r\nOutput\r\nOn success, a folder named \"output\" will be created.\r\n./output/unpacked/{packed_file_name}.emotet.unpacked:\r\n    - Unpacked Emotet payload. (PE file)\r\n./output/extracted_files/layer2/{packed_file_name}.layer2.bin:\r\n    - Layer 2 of the Emotet packer. (PE file)\r\n./output/extracted_files/broken_payload/{packed_file_name}.payload.bin:\r\n    - Emotet payload as unpacked in step 1. As the packer documentation explains, the file produced by this first step does not run: it must be fixed up first. (PE file)\r\n./output/static_configuration/{packed_file_name}.ips.txt:\r\n    - List of \"ip:port\" entries of the command-and-control servers.\r\n./output/static_configuration/{packed_file_name}.rsa.txt:\r\n    - Public RSA key used for communicating with the command and control.\r\nUsage\r\nAfter installing all requirements and the TitanEngine DLL:\r\ncd unpacker/src/\r\n./main.py [options] {filename or folder}\r\nOR\r\nThen select the target file in the box.\r\nPress the \"UnPack\" button.\r\nEnjoy =)\r\nFinal words\r\nThis documentation and unpacker were done between November and December of 2018; if it doesn't work after these dates, maybe the unpacker doesn't work well or the Emotet developers changed the packer.\r\nThis unpacker isn't perfect; it's my first dynamic unpacker using TitanEngine. I did this research in my free time, because currently I'm not working on this kind of stuff and I don't have enough time.\r\nIt'd be cool to keep the repository updated for new versions of the packer or for future error fixes. Therefore, feel free to send PRs or open issues. I will try to keep it updated if I have time.\r\nEnjoy and keep fighting against the malware =)\r\nSource: https://github.com/d00rt/emotet_research",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/d00rt/emotet_research"
	],
	"report_names": [
		"emotet_research"
	],
	"threat_actors": [],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc949d77a36cf7daeb3d611a2844360cf7dad9b7.pdf",
		"text": "https://archive.orkl.eu/dc949d77a36cf7daeb3d611a2844360cf7dad9b7.txt",
		"img": "https://archive.orkl.eu/dc949d77a36cf7daeb3d611a2844360cf7dad9b7.jpg"
	}
}