Malware Analysis ZPAQ to .NET downloader to Injector DLL unpacking

upnorth

A phishing attempt with an unusual archive format named ZPAQ leads to an interesting malware downloader. We debloat the sample and decrypt the downloaded .wav file with Binary Refinery. It turns out to be an injection DLL. We use PowerShell to execute it and deal with its obfuscation. Although the injector fails, we unpack the payload.

00:00 Intro
01:27 Original article
02:33 Unpacking ZPAQ and debloating
05:35 Downloader analysis
09:14 Malware course
09:40 Decrypting the .wav file
11:49 Injector analysis
16:38 String decryption with PowerShell
21:23 Unpacking the payload