DIE and RDG fail to detect Emotet's custom packer
Dumped Emotet payload
Emotet's polymorphic files
Here the PE parsing tool Professional PE Explorer aka Puppy is used to display the DLL exports. Notice how each has a name, ordinal, and relative virtual address (RVA).
Notice the path of rundll32.exe as the main program to load, with the DLL file and ordinal number passed as arguments. Make sure you replace these paths with wherever your system32\rundll32.exe and your DLL file are located.
Suspend process on initial DLL Load
In this DLL malware, we see that there are 3 exported functions we can choose to load.