Proofpoint details DTPacker, a two-stage .NET packer/downloader that uses Donald Trump-themed fixed keys to decrypt its second stage and deliver payloads such as Agent Tesla, Ave Maria, AsyncRAT, and FormBook. The campaigns blend varied encoding/obfuscation and decoy locations—including soccer club sites and Liverpool FC pages—delivering RATs and information stealers via phishing attachments and malicious downloads. #DTPacker #AgentTesla #AveMaria #AsyncRAT #FormBook #SnakeKeylogger #LiverpoolFC
Keypoints
- DTPacker is a two-stage commodity .NET packer/downloader that decodes to a second-stage payload, often a RAT or information stealer, using fixed keys such as “trump2020” or “Trump2026”.
- The second stage is typically a .NET resource or DLL that, once decoded, runs payloads like Agent Tesla, Ave Maria (Warzone RAT), AsyncRAT, or FormBook.
- Campaigns frequently use phishing emails with malicious attachments that download the packer, followed by embedded or downloaded payloads.
- Proofpoint documents extensive obfuscation techniques (custom XOR decoding, decimal character codes, Unicode offsets, string arrays) to evade analysis and AV/sandboxing.
- Decoy download locations include soccer-club-themed sites and Liverpool FC fan pages, where legitimate-looking pages conceal the actual payload links.
- Multiple threat actors (TA2536, TA2715) and both APT and cybercrime groups have used DTPacker across numerous campaigns since 2020, affecting hundreds of customers across industries.
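The decoding keypoint above is worth turning into a triage check. The following is an added example, not Proofpoint's code: it tries the two fixed keys the report quotes against an extracted resource and reports whether the result has a PE header. The repeating-key XOR is an assumption, since the report only describes a "custom XOR routine" with these keys, and the sample blob is constructed here.

```python
"""
Added triage example (not Proofpoint's code): tries the fixed keys the
report names against a blob and checks whether the result looks like a
PE file. The repeating-key XOR used here is an assumption; the report
only says DTPacker uses a "custom XOR routine" with these keys.
"""
import struct

# Keys quoted in the report. Any other key here would be a guess.
KNOWN_KEYS = (b"trump2020", b"Trump2026")

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed routine; XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_fixed_key(blob: bytes, keys=KNOWN_KEYS):
    """Return (key, decoded) for the first key yielding a PE, else None."""
    for key in keys:
        decoded = xor_repeating(blob, key)
        if looks_like_pe(decoded):
            return key.decode(), decoded
    return None

# Constructed stand-in for a decoded second stage: a minimal, non-runnable
# PE-shaped header (MZ stub, e_lfanew pointing at "PE\0\0"), re-encoded
# with "Trump2026" to mimic an extracted DTPacker resource.
def _fake_pe() -> bytes:
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 20

SAMPLE_RESOURCE = xor_repeating(_fake_pe(), b"Trump2026")

if __name__ == "__main__":
    hit = find_fixed_key(SAMPLE_RESOURCE)
    print("key:", hit[0] if hit else "none matched")
```

A resource that decodes with neither key returns None, which is the expected result for a sample using a different routine or key and should send the analyst back to the decoder code rather than to a larger key list.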
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Email used as initial infection vector; “The attachment is typically a malicious document or compressed executable that, when interacted with by a user, downloads the packer executable.”
- [T1027] Obfuscated Files or Information – The sample uses “multiple decoding methods” and fixed keys such as “trump2020” with a “custom XOR routine” to reveal payloads.
- [T1105] Ingress Tool Transfer – Downloads the packer/executable from embedded or external resources during infection.
- [T1036] Masquerading – Soccer club-themed and Liverpool FC–themed download locations act as decoys to conceal the real payloads.
- [T1071.001] Application Layer Protocol: Web Protocols – C2/download behavior observed via web domains and TLS SNI usage (e.g., “ahgwqrq.xyz in TLS SNI”).
Indicators of Compromise
- [SHA256] 9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27 – DTPacker SHA256; Associated with Agent Tesla.
- [SHA256] 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40 – DTPacker SHA256; Associated with Agent Tesla.
- [SHA256] 285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b – DTPacker SHA256; Associated with Snake Keylogger.
- [URL] https://hastebin.com/raw/azipitojuj – Payload download location reference.
- [URL] https://hastebin.com/raw/urafehisiv – Payload download location reference.
- [Domain] ahgwqrq.xyz – Domain used in TLS SNI as part of DTLoader infrastructure.
- [Domain] LiverpoolFCfanclub.com (and variants) – Soccer club–themed decoy sites containing embedded payload links (e.g., /steven-gerrard-liverpool-future-dalglish–goal-*.html).
- [IP] 193.239.147.103 – Base URL used for a payload download page (base/…).
- [File] 9722D04C.jpg – Part of a Discord attachment hosting URL used as part of the payload chain.
- [File] F526E587.jpg – Part of a Discord attachment hosting URL used as part of the payload chain.
Read more: https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1