Using Binary Ninja's HLIL for Config Extraction
Static Emotet Configuration Extraction

The goal here is to reproduce this technique from VMRay’s post using Binary Ninja. This post from Open Analysis was also very helpful. With those posts as the foundation I was able to focus on the Binary Ninja API. This turned out to be much easier than anticipated: Binary Ninja’s High Level Intermediate Language did most of the work once I figured out how to access it.

Sample used: c688e079a16b3345c83a285ac2ae8dd48680298085421c225680f26ceae73eb7 ...