Live Stream VOD: SmokeLoader Analysis Part 2 - Import Hashing and Stage 3 (Patreon)
Published: 2022-09-03 04:29:58
Imported: 2022-12
Content
This is the second part of our SmokeLoader analysis. We finish cleaning up the obfuscation in Stage 2 and locate the API hashing algorithm. We also locate the encrypted Stage 3 payloads, but there is a problem... something just isn't right with our analysis, and we aren't able to resolve the API hashes or decrypt Stage 3!
This is also a very slow-paced stream... not to give too much away about the next stream, but we miss something very obvious in this one that ends up being the cause of all our problems! Though most of the magic happens in the next stream, this one still has some neat stuff, like how to identify the hashing algorithm and how we found the Stage 3 payloads.
Samples
- Packed parent: cef4f5f561b5c481c67e0a9a3dd751d18d696b61c7a5dab5ebb29535093741b4
- Unpacked SmokeLoader: 041a05dd902a55029449bf412cedbe59a593f8d4e67d4ae37cf7a928c92f22ca