In this stream we analyzed a malicious Word document that leads to an Emotet infection. We also walked through every unpacking step and obfuscation method Emotet uses once the document's PowerShell stage has delivered it.
Learn how to reverse engineer malware: https://training.invokere.com/course/imbtbn
Notes: https://github.com/Invoke-RE/stream-notes/tree/main/emotet
Twitch: https://www.twitch.tv/InvokeReversing
Twitter: https://twitter.com/InvokeReversing
Mastodon: https://infosec.exchange/@invokereversing
00:00 Introduction
01:29 Malicious Word Document Analysis
18:50 Emotet Packed Binary Analysis
31:15 Malicious Document PowerShell Analysis
35:43 Emotet Packer Analysis Continued
47:20 Unpacking Shellcode Recovery and Analysis
51:45 Packer Hash Recovery with Hashdb
54:01 Packer Analysis Continued
01:05:52 Second Packer PE Recovered
01:07:01 Final Emotet PE Recovered
01:15:15 Debugging Emotet Infection Chain
01:39:57 Emotet Hash Resolution with IDA and Hashdb
01:52:41 Blue Team vs Red Team Discussion
01:57:15 Testing Previous IDA Scripting and Wrapping Up