DeMotet

Unpacking and decryption tools for the Emotet malware by Deep Instinct.
The first tool is a static unpacker for the variants of the Emotet loader listed in Loaders-SHA256.txt. It can extract the encrypted payload from the resource without executing the malware.
The Python scripts reveal the hidden strings and API calls the payload uses. The first one is a standalone script that can be used to extract this information from a large number of payloads. The second one is an IDA plugin. It adds this information as comments in the code.

References

https://www.deepinstinct.com/blog/the-re-emergence-of-emotet
https://cert.grnet.gr/en/blog/reverse-engineering-emotet/
https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de
https://github.com/mauronz/binja-emotet

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

DeMotet

References

Files

README.md

Latest commit

History

README.md

File metadata and controls

DeMotet

References