Malware Analysis - ZPAQ to .NET downloader to Injector DLL unpacking
A phishing attempt with an unusual archive format named ZPAQ leads to an interesting malware downloader. We debloat the sample and decrypt the downloaded .wav file with binary refinery. It turns out to be an injection DLL. We use powershell to execute it and deal with its obfuscation. Although the injector fails, we unpack the payload.
Tools: zpaq, DnSpy, IlSpy, binary refinery, PortexAnalyzer, HxD
Malware course:
ZPAQ article:
ZPAQ sample:
.WAV file:
Twitter:
00:00 Intro
01:27 Original article
02:33 Unpacking ZPAQ and debloating
05:35 Downloader analysis
09:14 Malware course
09:40 Decrypting the .wav file
11:49 injector analysis
16:38 String decryption with PowerShell
21:23 Unpacking the payload
3 weeks ago 00:57:39 1
3 weeks ago 00:15:34 1
3 weeks ago 00:08:28 3
4 weeks ago 00:08:32 5
4 weeks ago 00:34:11 1
1 month ago 00:01:15 1
2 months ago 00:39:13 1
2 months ago 02:34:41 1
2 months ago 00:07:36 1
2 months ago 00:05:30 1
2 months ago 00:34:03 1
3 months ago 00:08:03 1
3 months ago 00:13:11 1
3 months ago 00:40:05 1
3 months ago 00:27:09 1
3 months ago 02:09:07 7
4 months ago 00:43:08 1
4 months ago 00:10:31 1
5 months ago 00:17:49 1
5 months ago 00:29:39 1
5 months ago 00:29:39 1
6 months ago 00:16:18 1
6 months ago 00:28:07 1
6 months ago 00:19:24 1
