Emotet's Identity Crisis: Two Samples, Two Families, Zero Shared DNA -- How AV Mislabeling Masks a Silver Fox APT Trojanized Game Server
TL;DR: Analysis of two samples flagged as "Emotet/SilverFox" reveals they are fundamentally different malware families incorrectly lumped together by AV signature overlap. Sample 1 is a 30.55 MB trojanized Arma 3 game server binary with ASLR stripped and UAC elevation forced to Administrator -- consistent with Silver Fox APT's documented playbook of weaponizing legitimate software. Sample 2 is a custom-built loader masquerading as Windows Management Service (wmisvc.exe) with hash-based API resolution through a single resolver function, ECC key material, and 5.33 MB of encrypted configuration data. Both are PE32+ x86-64 binaries targeting 64-bit Windows, a departure from Emotet's original 32-bit lineage (Emotet itself only moved to 64-bit loaders in 2022). Neither sample yields C2 infrastructure through static analysis: both employ multi-layer encryption that demands dynamic execution for config extraction.
The Mislabeling Problem
When multiple AV engines tag a sample as "Emotet" and "SilverFox" simultaneously, most analysts treat the labels as ground truth and move on. We did the opposite. Starting from two samples that appeared on MalwareBazaar with overlapping Emotet/SilverFox/Heodo detection tags, we performed independent static analysis and found something the signatures missed entirely: these are two unrelated malware families, built by different developers, compiled nearly a year apart, using fundamentally different architectures, and almost certainly operating in separate campaigns.
The implications matter. If your threat intelligence platform is correlating these samples into a single cluster, your detection logic is polluted. If your SOC is triaging them as "more Emotet," they are missing a Silver Fox APT intrusion hiding behind a familiar label.
Attack Chains
Two distinct infection paths emerge from the analysis:
Silver Fox Path (Sample 1)
Social Engineering --> Trojanized Arma 3 Server Download
--> UAC Elevation (requireAdministrator manifest)
--> Legitimate Arma 3 execution + malicious code injection
--> Encrypted C2 Communication (Botan RSA/AES-256)
The victim believes they are downloading an Arma 3 dedicated server binary. The 30.55 MB file size is not padding or sandbox evasion: it is the real Arma 3 server image, with no overlay data and no appended payload, so whatever was added has to live inside the existing sections. Two checks settle whether the image was modified rather than merely repackaged, and both belong before any of the indicators below: compare per-section hashes against a known-good copy of Arma 3 build 2.20.0.152984, and verify the Authenticode signature, since a post-link patch invalidates whatever signature the original carried. The trojanization is surgical, but surgery leaves a diff.
Emotet-like Loader Path (Sample 2)
Delivery (unknown vector) --> wmisvc.exe execution
--> Anti-debug gate (IsDebuggerPresent)
--> System fingerprinting (COMPUTERNAME, ProductName, screen metrics)
--> Hash-based API resolution (7 hashes via XOR obfuscation)
--> ECC key initialization
--> Config decryption (two blobs: 150 + 144 DWORD entries)
--> C2 communication (ws2_32: socket, connect, recv)
--> Payload delivery
Sample 1: The Trojanized Arma 3 Server (Silver Fox APT)
File Details
| Property | Value |
|---|---|
| SHA-256 | 66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22 |
| MD5 | bc633b52efd493bf6be65099fcd89fbb |
| Size | 32,033,792 bytes (30.55 MB) |
| Type | PE32+ executable (GUI) x86-64, 7 sections |
| Compile Timestamp | 2025-06-24 11:12:40 UTC |
| Linker | 14.43 (MSVC 2022) |
| Entry Point | 0x01553FDC (93.2% through .text section) |
| Export DLL Name | Arma3Retail_Server_x64.exe |
| Claimed Identity | Arma 3 v2.20.0.152984, Bohemia Interactive |
How to Spot the Trojanization
Five indicators separate the trojanized binary from the legitimate Arma 3 server:
1. ASLR disabled. The DLL Characteristics field is 0x8120, which decodes to TERMINAL_SERVER_AWARE (0x8000) | NX_COMPAT (0x0100) | HIGH_ENTROPY_VA (0x0020); the DYNAMIC_BASE flag (0x0040) is absent, and HIGH_ENTROPY_VA has no effect without it. MSVC has linked x64 images with /DYNAMICBASE by default for many years, so an image without it is unusual. A fixed image base gives patched-in code a deterministic layout: absolute addresses into the legitimate code and data work without relocation fixups, which is exactly what an attacker splicing code into someone else's binary wants. Treat it as deliberate only after confirming that the Bohemia-built 2.20.0.152984 server does set the flag.
2. UAC elevation to Administrator. The embedded application manifest requests the requireAdministrator execution level; the legitimate Arma 3 server uses asInvoker. This is a prompt, not a bypass: the victim sees a UAC consent dialog, but because they believe they are setting up a game server they click through, and from its first instruction the binary runs with a full administrative token.
3. Entry point at 93.2% through .text. The EP sits at 0x01553FDC within a 24 MB code section. On its own this is weak evidence: MSVC links the CRT startup stub after user code, so a late entry point is normal for large MSVC binaries. It becomes meaningful only if the EP RVA differs from the known-good build's, or if the EP lands on a short stub that jumps into code absent from the original image before falling through to the legitimate Arma 3 initialization.
4. Security-critical API imports. Beyond what a game server needs, the binary imports:
ADVAPI32.dll: CryptAcquireContextA, CryptEncrypt, CryptGenRandom,
CryptVerifySignatureA, CryptImportKey, RegCreateKeyA,
RegSetValueExA, AdjustTokenPrivileges, DuplicateTokenEx,
OpenThreadToken, LookupPrivilegeValueA
KERNEL32.dll: LoadLibraryA, GetProcAddress, CreateThread,
IsDebuggerPresent, VirtualAlloc, VirtualFree, SuspendThread
DNSAPI.dll: DnsQuery_W
WINTRUST.dll: WinVerifyTrust
Token manipulation, privilege adjustment, CryptoAPI and DNS go beyond what the game logic itself needs, but most of this list is expected in a dedicated server: LoadLibraryA, GetProcAddress, VirtualAlloc and CreateThread appear in nearly every MSVC binary, a server resolves hostnames, and the embedded BattlEye and libcurl code uses CryptoAPI and WinVerifyTrust. The imports matter as a diff, not as a list: entries present here but absent from the known-good build's import table are the ones to chase.
5. Legitimate binary shell fully intact. The trojanization preserves all 4,154 exported functions, including BattlEye anti-cheat callbacks, Steam Workshop integration, Botan crypto library, Bohemia telemetry endpoints, and the full Arma 3 mission scripting engine. The binary functions as a real game server -- it just also does other things.
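To make indicators 1 and 3 reproducible, and to show where the DllCharacteristics word actually sits in the file (the YARA rule later in this post has to compute that offset by hand), here is an added Python triage script. It is not part of the original analysis and uses only the standard library. In place of the real sample it builds a constructed, non-loadable PE32+ header inline; the section sizes and entry RVA in that header are illustrative, not the sample's values, and the 0x8120 DllCharacteristics value is the one reported above.

```python
"""Added triage helper: decode DllCharacteristics and locate the entry point
inside its section, the two PE-header indicators discussed above.
Standard library only; the sample PE header is constructed, not real."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",          # ASLR
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",             # DEP
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def dll_characteristics_offset(data: bytes) -> int:
    """File offset of the DllCharacteristics WORD: e_lfanew + 4 (PE signature)
    + 20 (COFF header) + 70 (field offset inside the optional header, the same
    for PE32 and PE32+). 4 + 20 + 70 = 0x5E, the constant a raw YARA check needs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 70


def parse_pe(data: bytes) -> dict:
    """Minimal PE header parser: the optional-header fields we need plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    major, minor = data[opt + 2], data[opt + 3]              # linker version
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + size_of_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return {"pe32plus": magic == 0x20B, "linker": f"{major}.{minor}",
            "entry_rva": entry_rva, "dll_characteristics": dll_chars, "sections": sections}


def triage(data: bytes) -> dict:
    """Apply indicators 1 and 3 and return a machine-checkable verdict."""
    pe = parse_pe(data)
    flags = sorted(n for bit, n in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit)
    aslr = "DYNAMIC_BASE" in flags
    ep = pe["entry_rva"]
    ep_section, ep_pct = None, None
    for s in pe["sections"]:
        span = max(s["vsize"], s["rsize"])
        if s["vaddr"] <= ep < s["vaddr"] + span:
            ep_section, ep_pct = s["name"], round(100.0 * (ep - s["vaddr"]) / span, 1)
            break
    findings = []
    if not aslr:
        findings.append("DYNAMIC_BASE clear: fixed image base; compare with a known-good build of the same version")
    if "HIGH_ENTROPY_VA" in flags and not aslr:
        findings.append("HIGH_ENTROPY_VA set without DYNAMIC_BASE: the flag has no effect on its own")
    if ep_section is None:
        findings.append("entry point outside every section header")
    return {"linker": pe["linker"], "flags": flags, "aslr": aslr,
            "ep_section": ep_section, "ep_pct": ep_pct, "findings": findings}


def build_sample_pe(dll_chars: int, entry_rva: int) -> bytes:
    """Constructed PE32+ header (DOS stub, COFF, optional header, two sections);
    not loadable, only enough for the parser. Section sizes are illustrative."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(240)                                      # PE32+ optional header size
    struct.pack_into("<HBB", opt, 0, 0x20B, 14, 43)           # magic, linker 14.43
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 68, 2, dll_chars)            # Subsystem=GUI, DllCharacteristics
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in (
            (b".text\0\0\0", 0x1000, 0x1800000, 0x60000020),
            (b".rdata\0\0", 0x1801000, 0x550000, 0x40000040),
        ))
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    # 0x8120 = TERMINAL_SERVER_AWARE | NX_COMPAT | HIGH_ENTROPY_VA, i.e. no DYNAMIC_BASE,
    # the value reported for Sample 1; entry placed 93% into the constructed .text.
    sample = build_sample_pe(0x8120, 0x1000 + 0x1800000 * 93 // 100)
    print(triage(sample))
    print(hex(dll_characteristics_offset(sample)))
```

Run it against the real file by replacing the constructed header with `open(path, "rb").read()`; the `findings` list is what you would compare against a clean Bohemia build of the same version before calling either indicator deliberate.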
Section Layout
| Section | Virtual Size | Raw Size | Entropy | Notes |
|---|---|---|---|---|
| .text | 24.0 MB | 24.0 MB | 6.45 | Code -- legitimate + injected |
| .rdata | 5.3 MB | 5.3 MB | 5.74 | Read-only data |
| .data | 1008 KB | 572 KB | 3.82 | Low entropy -- no encrypted blob |
| .pdata | 1.1 MB | 1.1 MB | 6.85 | Exception handling |
| _RDATA | 79 KB | 79 KB | 5.49 | Additional read-only data |
| .rsrc | 508 KB | 508 KB | 5.63 | PNG icons, version info |
| .reloc | 347 KB | 347 KB | 5.46 | Relocation data |
The .data entropy of 3.82 is notable: unlike Sample 2, there is no large encrypted configuration blob. Any injected code or configuration lives inside the existing sections of the legitimate binary rather than in an encrypted appendix, which also means per-section hash comparison with a clean build is the fastest way to localize it.
Silver Fox Attribution
Confidence: MEDIUM-HIGH
Silver Fox APT has a documented pattern of trojanizing legitimate software to deliver ValleyRAT and Winos 4.0 payloads. Previous targets include Google Chrome, Microsoft Teams, medical imaging software, and gaming applications via the CleverSoar installer. The Arma 3 game server represents a new trojanization target but fits their expanding attack surface. The PE32+ x86-64 architecture matches Silver Fox's recent shift from 32-bit to 64-bit payloads. Note what this rests on: the trojanization pattern, the 64-bit build and the AV tags. No ValleyRAT or Winos 4.0 payload and no overlap with known Silver Fox C2 infrastructure were recovered statically, so the attribution is a hypothesis for dynamic analysis to confirm or reject.
Sample 2: The Custom Loader Wearing Microsoft's Skin
File Details
| Property | Value |
|---|---|
| SHA-256 | 5726b610b8df672e55f1368d32327b9c93fbe4734c3ded8307a4b4d3b927b9b1 |
| MD5 | 0ad99d6ee05634ef71fa11020accffe6 |
| Size | 10,880,512 bytes (10.38 MB) |
| Type | PE32+ executable (GUI) x86-64, 5 sections |
| Compile Timestamp | 2024-07-18 13:11:14 UTC |
| Linker | 14.29 (MSVC 2019) |
| Entry Point | 0x002DE1C0 |
| Claimed Identity | Windows Management Service (wmisvc.exe) v10.0.20874.1104, Microsoft Corporation |
This sample impersonates a Windows system component with fabricated version information that looks convincing at a glance. The version number 10.0.20874.1104 follows Microsoft's versioning convention, but no legitimate wmisvc.exe exists as a standalone Windows binary.
Anti-Analysis Arsenal
The loader deploys five layers of anti-analysis:
Hash-based API resolution. Only 9 DLLs with 39 functions appear in the import table -- a skeleton. The real API surface is resolved dynamically at runtime through a single resolver function at 0x002DE845. Seven unique API hashes have been identified:
| Hash | Location | Assessed Purpose |
|---|---|---|
| 0x1478F484 | 0x002E0B5D | Network/crypto API |
| 0x38791528 | 0x002E0DFB | Process manipulation |
| 0x537F795B | 0x002E0E5D | Memory allocation |
| 0x7E0DB2F3 | 0x002E0E86 | Thread creation |
| 0x0A32B6B9 | 0x002DF655 | File/registry operation |
| 0xC11AD5C5 | 0x002DF983 | HTTP communication |
| 0xF76951A4 | 0x002DF941 | Encryption primitive |
Each hash is obfuscated using XOR pairs to prevent direct signature matching. For example: 0xDFB47666 ^ 0xCBCC82E2 = 0x1478F484.
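Because the XOR-pair form is what the YARA byte patterns later in this post key on, here is an added Python extractor (not part of the original analysis) that finds `mov edx, imm32 / xor edx, imm32 / call rel32` sites in a code buffer, recombines each pair into the effective hash, and groups the sites by call target so the single-resolver claim can be checked mechanically. The input is a constructed byte string carrying two such sites and a decoy, not bytes from the sample; the hash algorithm itself is not identified on the page, so this recovers the constants but does not resolve them to API names.

```python
"""Added helper: recover XOR-split API hash constants from x86-64 code.
Pattern: BA imm32 (mov edx, imm32) ; 81 F2 imm32 (xor edx, imm32) ; E8 rel32 (call).
The code buffer below is constructed for the demonstration."""
import re
import struct

SITE_RE = re.compile(rb"\xBA(.{4})\x81\xF2(.{4})\xE8(.{4})", re.DOTALL)


def extract_hash_sites(code: bytes, base: int = 0) -> list[dict]:
    """One record per matching site: offset, both immediates, the effective
    hash (their XOR) and the absolute call target."""
    sites = []
    for m in SITE_RE.finditer(code):
        imm_a = struct.unpack("<I", m.group(1))[0]
        imm_b = struct.unpack("<I", m.group(2))[0]
        rel32 = struct.unpack("<i", m.group(3))[0]
        sites.append({
            "site": base + m.start(),
            "imm_a": imm_a,
            "imm_b": imm_b,
            "hash": imm_a ^ imm_b,
            # call rel32 is relative to the end of the call instruction
            "target": base + m.end() + rel32,
        })
    return sites


def resolver_candidates(sites: list[dict]) -> dict[int, list[int]]:
    """Group recovered hashes by call target; a single key means one resolver."""
    by_target: dict[int, list[int]] = {}
    for s in sites:
        by_target.setdefault(s["target"], []).append(s["hash"])
    return by_target


def build_sample_code() -> bytes:
    """Constructed buffer: two hash-resolution sites calling a stub at +0x100,
    separated by NOPs, plus a decoy mov/xor pair that is not followed by a call."""
    def site(imm_a: int, imm_b: int, at: int, resolver: int) -> bytes:
        insn = b"\xBA" + struct.pack("<I", imm_a) + b"\x81\xF2" + struct.pack("<I", imm_b)
        call_end = at + len(insn) + 5
        return insn + b"\xE8" + struct.pack("<i", resolver - call_end)

    buf = bytearray(b"\x90" * 0x100 + b"\xC3")      # stub at 0x100 is just RET
    # First pair is the one quoted above; the second recombines to 0x38791528.
    first = site(0xDFB47666, 0xCBCC82E2, 0x00, 0x100) + b"\x48\x85\xC0"   # test rax, rax
    second = site(0x2A4D4350, 0x12345678, 0x30, 0x100) + b"\x48\x89\xC3"  # mov rbx, rax
    decoy = b"\xBA\x01\x00\x00\x00\x81\xF2\x02\x00\x00\x00\x90"            # no call follows
    buf[0x00:len(first)] = first
    buf[0x30:0x30 + len(second)] = second
    buf[0x60:0x60 + len(decoy)] = decoy
    return bytes(buf)


if __name__ == "__main__":
    found = extract_hash_sites(build_sample_code(), base=0x2E0B00)
    for f in found:
        print(f"{f['site']:#010x}: {f['imm_a']:#010x} ^ {f['imm_b']:#010x} = {f['hash']:#010x}"
              f" -> call {f['target']:#x}")
    print(resolver_candidates(found))
```

On a real sample, feed it the raw bytes of .text with `base` set to the section's RVA (or image base plus RVA); every site should group under one target, which should be the resolver at 0x002DE845, and any site whose target differs is either a second resolver or a false match worth a look in the disassembler.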
Encrypted configuration. The .data section consumes 5.33 MB at entropy 6.22, and nearly the entire operational configuration, including C2 addresses, sits behind encryption. The decryption routine is in the binary, so a static reimplementation is possible once the key derivation in Phase 5 is traced, but the practical route is execution under a sandbox or emulator.
Anti-debug gating. IsDebuggerPresent is called early in the entry point, and execution diverges entirely if a debugger is detected. This is not a check-and-continue pattern -- it is a hard gate.
No plaintext network indicators. No URLs, IPs, or file paths exist in cleartext. The only readable operational strings are the fingerprinting artefacts (the ProductName registry path and the COMPUTERNAME variable) and the fake version resource, which is why the YARA rule below keys on exactly those.
Fake version metadata. The binary claims to be a Microsoft component, which helps it blend into process listings and survive cursory triage.
The 6-Phase Boot Sequence
The entry point implements a structured initialization that reveals the loader's operational design:
1. System init (0x2DE1D6) -- tick count, debug detection, module handles
2. Anti-debug gate (0x2DE1FA) -- IsDebuggerPresent check, hard exit if true
3. API resolution (0x2E1044) -- loads user32, advapi32, gdi32; resolves APIs by hash
4. Fingerprinting (0x2E1718) -- queries COMPUTERNAME, ProductName, screen resolution via GetSystemMetrics/GetDeviceCaps/GetDesktopWindow/CreateCompatibleDC
5. Config decryption (0x2DEB2D to 0x2DFC25) -- loads ECC key, decrypts two config blobs (150 and 144 entries)
6. Main loop (0x2DFF41) -- CPUID check, network init, C2 communication
ECC Key Material
An ECC public key was recovered at RVA 0x0050C524:
X (32 bytes): 11db1665668134ef19ec8e00036299a2d733830f146e112c22141ee895b66107
Y (20 bytes): f292295d1834953f53b541ab9fc3835df6cb7c71
The 20-byte Y coordinate is unusual, and the obvious explanations do not fit: P-256 coordinates are 32 bytes, P-192 coordinates are 24, and a compressed point is a one-byte prefix plus X with no Y at all. The likelier readings are that the extractor cut the blob short (a 64-byte X||Y point with the last 12 bytes of Y not captured) or that the 52 bytes are not a raw affine point. This is decidable statically: given X, the curve equation fixes Y up to sign, so either one of the two P-256 candidates begins with these 20 bytes or X is not on P-256 at all. Emotet has historically used P-256 (and RSA in earlier epochs) for C2 authentication, so a key that turns out not to be P-256 would be another data point that this is not Emotet, or is a previously undocumented fork.
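The cheapest way to settle what the 52 recovered bytes are is arithmetic rather than guesswork. The Python below is an added check, not part of the original analysis: it uses only the standard library and the public P-256 parameters, embeds the X and Y values quoted above as constants, recovers both candidate Y values for that X, and reports whether either starts with the 20 recovered bytes (and, if so, which 12 bytes should follow them in the binary). The arithmetic is validated against the P-256 generator point. The page does not state the outcome for this key; run the script to find out.

```python
"""Added check: does the recovered 20-byte Y match a P-256 point for the recovered X?
Standard library only. P-256 (secp256r1) domain parameters from FIPS 186-4 / SEC 2."""

P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Generator point, used only to validate the arithmetic.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Values quoted in the analysis above (RVA 0x0050C524 of Sample 2).
SAMPLE_X_HEX = "11db1665668134ef19ec8e00036299a2d733830f146e112c22141ee895b66107"
SAMPLE_Y_PREFIX_HEX = "f292295d1834953f53b541ab9fc3835df6cb7c71"


def curve_rhs(x: int) -> int:
    """y^2 = x^3 - 3x + b (mod p) for P-256 (a = -3)."""
    return (pow(x, 3, P256_P) - 3 * x + P256_B) % P256_P


def is_on_curve(x: int, y: int) -> bool:
    return 0 <= x < P256_P and 0 <= y < P256_P and (y * y) % P256_P == curve_rhs(x)


def recover_y(x: int) -> tuple[int, ...]:
    """Both y values for a given x, or an empty tuple if x is not on the curve.
    p is 3 mod 4, so a square root, when one exists, is rhs^((p+1)/4) mod p."""
    rhs = curve_rhs(x)
    y = pow(rhs, (P256_P + 1) // 4, P256_P)
    if (y * y) % P256_P != rhs:
        return ()
    return (y, (P256_P - y) % P256_P)


def check_truncated_point(x_hex: str, y_prefix_hex: str) -> dict:
    """Interpret the bytes as a P-256 affine point whose Y was cut short and
    report which candidate Y (if any) begins with the recovered prefix."""
    x = int(x_hex, 16)
    prefix = bytes.fromhex(y_prefix_hex)
    candidates = recover_y(x)
    matches = [y for y in candidates if y.to_bytes(32, "big").startswith(prefix)]
    return {
        "x_on_curve": bool(candidates),
        "y_candidates": [y.to_bytes(32, "big").hex() for y in candidates],
        "prefix_len": len(prefix),
        "matching_y": [y.to_bytes(32, "big").hex() for y in matches],
        # If a candidate matches, these are the bytes to expect immediately after
        # the 52 recovered ones, if the extractor simply stopped too early.
        "expected_tail": [y.to_bytes(32, "big")[len(prefix):].hex() for y in matches],
    }


if __name__ == "__main__":
    assert is_on_curve(P256_GX, P256_GY)          # sanity check of the arithmetic
    print(check_truncated_point(SAMPLE_X_HEX, SAMPLE_Y_PREFIX_HEX))
```

Read the result as follows: a 20-byte prefix match is a 160-bit coincidence otherwise, so `matching_y` non-empty means the key is an uncompressed P-256 point and `expected_tail` tells you what to look for at RVA 0x0050C524 + 52; `x_on_curve` false means the 52 bytes are not a P-256 affine point in this encoding, and the P-192 and "custom curve" hypotheses need separate tests with those parameters.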
Encrypted Configuration Structure
Two config blobs are loaded during Phase 5:
- Blob 1 at 0x50D160: 150 DWORD entries (encrypted C2/string table)
- Blob 2 at 0x7B7160: 144 DWORD entries (secondary config/string table)
Static configuration parameters from .rdata at 0x2E22F8 include counts of 150 and 144 for the two blobs, plus two additional parameters (199 and 50) whose purpose is unknown without dynamic analysis. The encryption layers prevent any static extraction of network indicators.
Why These Samples Are Not Related
Six lines of evidence argue against a shared campaign:
| Dimension | Sample 1 (Arma 3 Trojan) | Sample 2 (wmisvc.exe Loader) |
|---|---|---|
| Compiler | MSVC 2022 (14.43) | MSVC 2019 (14.29) |
| Compile Date | 2025-06-24 | 2024-07-18 |
| Architecture | Trojanized legitimate binary | Purpose-built loader |
| Anti-Analysis | Code blended into a legitimate 30 MB binary | Full encryption + API hashing |
| Crypto | Botan library (RSA/AES-256/HMAC) | ECC key material (implementation unidentified) |
| ASLR | Disabled | Enabled |
| Exports | 4,154 (legitimate Arma 3) | 0 |
| High-entropy .data | No (3.82) | Yes (6.22) |
The compilation dates are 11 months apart. The toolsets belong to different Visual Studio generations (the 14.29 toolset ships with VS 2019, 14.43 with VS 2022). The anti-analysis philosophies are polar opposites: Sample 1 hides in plain sight inside a legitimate 30 MB binary, while Sample 2 encrypts everything and exposes nothing.
The shared Emotet/SilverFox detection tags likely result from AV signature overlap -- both families trigger generic loader heuristics that get bucketed under Emotet labels. There may also be shared delivery infrastructure (spam campaigns distributing both), but the malware itself shares no code, no crypto, and no operational design patterns.
MITRE ATT&CK Mapping
Sample 1 -- Silver Fox Trojanized Binary
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Supply Chain Compromise: Software Supply Chain | T1195.002 | Trojanized Arma 3 game server binary |
| Execution | User Execution: Malicious File | T1204.002 | Victim runs trojanized game server executable |
| Persistence | Boot or Logon Autostart: Registry Run Keys | T1547.001 | Inferred from RegCreateKeyA/RegSetValueExA imports; no Run key path recovered statically |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | requireAdministrator manifest forces a UAC consent prompt at launch (a prompt, not a bypass, so the parent technique rather than T1548.002) |
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Disguised as legitimate Arma 3 binary |
| Defense Evasion | Debugger Evasion | T1622 | IsDebuggerPresent import |
| Discovery | System Owner/User Discovery | T1033 | GetUserNameW |
| Discovery | System Network Configuration Discovery | T1016 | GetAdaptersInfo |
| Command and Control | Encrypted Channel | T1573 | Botan RSA/AES-256/HMAC crypto |
| Command and Control | Application Layer Protocol: Web | T1071.001 | libcurl HTTP client embedded |
Sample 2 -- Emotet-like Loader
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Defense Evasion | Masquerading: Match Legitimate Name | T1036.005 | Disguised as wmisvc.exe (Microsoft) |
| Defense Evasion | Obfuscated Files or Information: Dynamic API Resolution | T1027.007 | Hash-based API resolution through a single resolver, XOR-split constants |
| Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Encrypted configuration blobs; no plaintext network indicators |
| Defense Evasion | Debugger Evasion | T1622 | IsDebuggerPresent as hard execution gate |
| Discovery | System Information Discovery | T1082 | COMPUTERNAME, ProductName, screen metrics |
| Credential Access | Credentials from Password Stores | T1555 | Inferred from DPAPI imports (CryptUnprotectData, CryptProtectData); no target store identified |
| Command and Control | Encrypted Channel | T1573 | ECC key material consistent with an encrypted channel; not confirmed statically |
| Command and Control | Non-Application Layer Protocol | T1095 | Raw ws2_32 socket/connect/recv for C2; reclassify to T1071.001 if dynamic analysis confirms HTTP (hash 0xC11AD5C5 is assessed, not confirmed, as an HTTP API) |
Indicators of Compromise
File Indicators
Sample 1 -- Silver Fox Trojanized Arma 3
SHA256: 66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22
MD5: bc633b52efd493bf6be65099fcd89fbb
Size: 32033792 bytes (30.55 MB)
Compile: 2025-06-24T11:12:40Z
Linker: 14.43 (MSVC 2022)
Export: Arma3Retail_Server_x64.exe
Sample 2 -- Emotet-like Loader
SHA256: 5726b610b8df672e55f1368d32327b9c93fbe4734c3ded8307a4b4d3b927b9b1
MD5: 0ad99d6ee05634ef71fa11020accffe6
Size: 10880512 bytes (10.38 MB)
Compile: 2024-07-18T13:11:14Z
Linker: 14.29 (MSVC 2019)
Fake: wmisvc.exe / Windows Management Service / Microsoft Corporation / 10.0.20874.1104
Behavioral Indicators
# Sample 1 -- Silver Fox
Manifest: requestedExecutionLevel level="requireAdministrator"
DLL Characteristics: 0x8120 (ASLR DISABLED -- missing 0x0040 flag)
Export DLL name: Arma3Retail_Server_x64.exe
# Sample 2 -- Loader
ECC Public Key X: 11db1665668134ef19ec8e00036299a2d733830f146e112c22141ee895b66107
API Hash Resolver: RVA 0x002DE845
API Hashes: 0x1478F484, 0x38791528, 0x537F795B, 0x7E0DB2F3, 0x0A32B6B9, 0xC11AD5C5, 0xF76951A4
Registry Query: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Environment Variable: COMPUTERNAME
Fake Version: wmisvc.exe v10.0.20874.1104
Network Indicators
No plaintext C2 infrastructure could be extracted from either sample. Both use encrypted configurations requiring dynamic execution (sandbox or emulation) for network indicator extraction.
Detection Opportunities
YARA Rules
rule SilverFox_Trojanized_Arma3 {
meta:
description = "Silver Fox APT trojanized Arma 3 server binary with ASLR stripped"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
severity = "HIGH"
hash = "66406a9f58f42fb6f7d1e31e3aee159641ca5e257521dc325e49ccaec4aeba22"
strings:
$export = "Arma3Retail_Server_x64.exe" ascii
$manifest_admin = "requireAdministrator" ascii
$bohemia = "Bohemia Interactive" wide
$arma_version = "2.20.0.152984" wide
$botan_rsa = "Botan::RSA_Private_Operation" ascii
$battleye = "(BattlEye: " ascii
condition:
uint16(0) == 0x5A4D and
$export and
$manifest_admin and
($bohemia or $arma_version) and
($botan_rsa or $battleye) and
// ASLR disabled: DllCharacteristics sits at e_lfanew + 4 (PE sig) + 20 (COFF) + 70 = e_lfanew + 0x5E
// (same offset for PE32 and PE32+); the DYNAMIC_BASE bit 0x0040 must be clear
(uint16(uint32(0x3C) + 0x5E) & 0x0040) == 0
}
rule Emotet_Like_Loader_WMISvc {
meta:
description = "Emotet-like loader disguised as Windows Management Service"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
severity = "HIGH"
hash = "5726b610b8df672e55f1368d32327b9c93fbe4734c3ded8307a4b4d3b927b9b1"
strings:
$fake_name = "wmisvc.exe" wide
$fake_desc = "Windows Management Service" wide
$fake_company = "Microsoft Corporation" wide
$fake_ver = "10.0.20874.1104" wide
// API hash XOR pattern: MOV EDX, imm32; XOR EDX, imm32
$hash_pattern = { BA ?? ?? ?? ?? 81 F2 ?? ?? ?? ?? E8 }
// ECC key material (first 16 bytes of X coordinate)
$ecc_key = { 11 DB 16 65 66 81 34 EF 19 EC 8E 00 03 62 99 A2 }
// Registry fingerprinting
$reg_key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide
condition:
uint16(0) == 0x5A4D and
3 of ($fake_*) and
($hash_pattern or $ecc_key) and
$reg_key
}
rule Emotet_API_Hash_Resolution_Pattern {
meta:
description = "Generic detection for XOR-obfuscated API hash resolution (Emotet-style)"
author = "Breakglass Intelligence"
date = "2026-03-09"
tlp = "TLP:CLEAR"
strings:
// MOV EDX, hash_part1; XOR EDX, hash_part2; CALL resolver; TEST RAX, RAX
$pattern1 = { BA ?? ?? ?? ?? 81 F2 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 C0 }
// MOV EDX, hash_part1; XOR EDX, hash_part2; CALL resolver; MOV [reg], RAX
$pattern2 = { BA ?? ?? ?? ?? 81 F2 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 }
condition:
uint16(0) == 0x5A4D and
(#pattern1 + #pattern2) >= 4
}
Hunting Queries
Sigma -- Arma 3 Server Running Elevated (Silver Fox)
title: Trojanized Arma 3 Server Binary Execution
status: experimental
description: Detects an Arma 3 dedicated server binary running at High integrity (Sysmon IntegrityLevel), the outcome of the requireAdministrator manifest in the Silver Fox sample. Servers installed as a Windows service run at System integrity and are not covered; pair with the YARA rule.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\Arma3Retail_Server_x64.exe'
            - '\arma3server_x64.exe'
        IntegrityLevel: 'High'
    condition: selection
falsepositives:
    - Administrators launching the legitimate server from an elevated shell (an asInvoker binary inherits High integrity from its parent)
level: high
Sigma -- Fake wmisvc.exe Process
title: Suspicious wmisvc.exe Outside System32
status: experimental
description: Detects wmisvc.exe running from non-standard paths (Emotet-like loader indicator)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmisvc.exe'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
falsepositives:
    - Custom management tools using the same filename
level: critical
KQL -- Endpoint Sweep
// Hunt for wmisvc.exe written outside System32; the 10-11 MB size band brackets Sample 2
DeviceFileEvents
| where FileName =~ "wmisvc.exe"
| where FolderPath !startswith "C:\\Windows\\System32"
| where FileSize between (10000000 .. 11000000)
| project Timestamp, DeviceName, FolderPath, SHA256, FileSize
// Hunt for Arma 3 server binaries running at High integrity; the version column lets you spot builds other than 2.20.0.152984
DeviceProcessEvents
| where FileName in~ ("Arma3Retail_Server_x64.exe", "arma3server_x64.exe")
| where ProcessIntegrityLevel == "High"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessVersionInfoProductVersion
Recommended Immediate Actions
- Block both file hashes at endpoint and email gateway
- Search for wmisvc.exe processes not located in %SystemRoot%\System32\
- Alert on Arma 3 server binaries running with High integrity level
- Search for registry queries to SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName from non-system processes
- Deploy YARA rules to endpoint detection and sandbox infrastructure
- Submit both samples to sandbox (ANY.RUN, Hybrid Analysis, CAPE) for dynamic C2 extraction
- Compare Sample 1's per-section hashes and Authenticode status against a clean Bohemia build of 2.20.0.152984 to localize the injected code
- Cross-reference ECC key material (0x11db1665...) against known Emotet epoch key databases
- Monitor for additional Silver Fox trojanized game binaries -- other Bohemia titles (DayZ, Vigor) and popular dedicated server binaries are likely targets
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 2 samples analyzed. 2 distinct families identified behind shared AV labels. 0 C2 IPs extractable without dynamic execution. Classification: TLP:CLEAR