Malware Analysis - ZPAQ to .NET downloader to Injector DLL unpacking

MalwareAnalysisForHedgehogs
A phishing attempt delivered in the unusual ZPAQ archive format leads to an interesting .NET malware downloader. We debloat the sample and then decrypt the .wav file it downloads using Binary Refinery; the "audio" file turns out to be an injector DLL. We load the DLL from PowerShell to execute it and work through its string obfuscation. Although the injector fails at runtime, we still unpack the payload it carries.

Tools: zpaq, dnSpy, ILSpy, Binary Refinery, PortexAnalyzer, HxD, System Informer

Malware course: https://www.udemy.com/course/windows-...
ZPAQ article: https://isc.sans.edu/diary/rss/30366
ZPAQ sample: https://malshare.com/sample.php?actio...
.WAV file: https://malshare.com/sample.php?actio...

Twitter: struppigel

00:00 Intro
01:27 Original article
02:33 Unpacking ZPAQ and debloating
05:35 Downloader analysis
09:14 Malware course
09:40 Decrypting the .wav file
11:49 Injector analysis
16:38 String decryption with PowerShell
21:23 Unpacking the payload

#powershell #deobfuscation #unpacking #injection #stringdecryption #zpaq #debloat #malware #malwareanalysis #reverseengineering
Published 9 months ago, on 1402/08/14 (Solar Hijri calendar; 5 November 2023 in the Gregorian calendar).