A phishing attempt with an unusual archive format named ZPAQ leads to an interesting malware downloader. We debloat the sample and decrypt the downloaded .wav file with binary refinery. It turns out to be an injection DLL. We use powershell to execute it and deal with its obfuscation. Although the injector fails, we unpack the payload.
00:00 Intro
01:27 Original article
02:33 Unpacking ZPAQ and debloating
05:35 Downloader analysis
09:14 Malware course
09:40 Decrypting the .wav file
11:49 injector analysis
16:38 String decryption with PowerShell
21:23 Unpacking the payload
