CERT Polska (cert.pl) analyzed a malspam campaign targeting Polish users that delivered a .NET dropper which decrypts and unpacks an AgentTesla payload. The chain relies on the DotRunpeX packer (RunpeX.Stub.Framework), hardened with CryptoObfuscator and KoiVM, and the researchers built automation to extract the final payload. #AgentTesla #dotRunpex
Keypoints
- The phishing email contained information about an order and asked for confirmation, carrying an attachment zamowienie.rar with zamowienie.exe inside.
- The first sample is a simple .NET WPF dropper; the payload is encrypted with AES in ECB mode, so once the key is recovered decryption is trivial (ECB has no IV, and every 16-byte block is decrypted independently).
- The unpacking workflow uses dnlib-based tooling to locate the decryption routine and pull the key out of it; the resulting unpacking script is around 50 lines of code.
- What the dropper produces is itself wrapped in a heavy packer, DotRunpeX, which relies on CryptoObfuscator 1.0 and KoiVM and so defeats vanilla .NET unpackers.
- To get past it, the researchers used dynamic instrumentation (a custom debugger library, dbglib) to let the sample run up to its AES decryption and then dump the embedded payload.
- The final payload is AgentTesla, which accounts for a substantial share of the samples seen behind this packer; the researchers also authored Yara rules to detect DotRunpeX-packed samples.
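The two unpacking steps above (recover the AES key from the dropper, then AES-ECB decrypt the embedded blob) as an added example. This is not CERT Polska's script: where they used dnlib to walk to the decryption routine and read the key out of it, this version takes the brute-force shortcut that ECB makes cheap, sliding a 16/24/32-byte window over candidate key material (assumed here to be the dropper's static field initialisers or data section) and keeping the first window that decrypts the first ciphertext block to an "MZ" header. The key, payload and "dropper bytes" are constructed fixtures, and PKCS#7 padding is an assumption, not something the page states about this sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// Constructed fixture: a fake payload that begins with a DOS header so the
// MZ check has something to find. Not a real sample.
var samplePayload = append([]byte("MZ\x90\x00"), bytes.Repeat([]byte{0xAA}, 60)...)

// Constructed 256-bit key, standing in for the key a dropper keeps in a
// static byte[] initialiser or a string literal. Assumption: key length 16/24/32.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// aesECB runs AES block by block in the requested direction. ECB has no IV and
// no chaining, so each block depends only on the key; that is why the key
// alone is enough to unpack the dropper's payload.
func aesECB(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a multiple of the AES block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			c.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			c.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// PKCS#7 padding is assumed here (the .NET default for AesManaged).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPayload builds the blob a dropper would embed; used only to construct the fixture.
func EncryptPayload(key, payload []byte) ([]byte, error) {
	return aesECB(key, pkcs7Pad(payload), false)
}

// DecryptPayload is the unpacking step: AES-ECB decrypt, strip padding, and
// refuse anything that does not start with a DOS header.
func DecryptPayload(key, blob []byte) ([]byte, error) {
	pt, err := aesECB(key, blob, true)
	if err != nil {
		return nil, err
	}
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pt, []byte("MZ")) {
		return nil, errors.New("decrypted data is not a PE file")
	}
	return pt, nil
}

// RecoverKey slides a window over candidate key material and returns the first
// window that decrypts the blob's first block to "MZ". Only one block is
// decrypted per candidate, so scanning a few hundred KB is cheap. The two-byte
// check gives a 1/65536 false-positive rate per candidate; DecryptPayload
// re-validates the full result (padding plus header).
func RecoverKey(candidates, blob []byte) ([]byte, bool) {
	if len(blob) < aes.BlockSize {
		return nil, false
	}
	first := blob[:aes.BlockSize]
	for _, keyLen := range []int{16, 24, 32} {
		for off := 0; off+keyLen <= len(candidates); off++ {
			key := candidates[off : off+keyLen]
			pt, err := aesECB(key, first, true)
			if err == nil && bytes.HasPrefix(pt, []byte("MZ")) {
				return append([]byte{}, key...), true
			}
		}
	}
	return nil, false
}

func main() {
	blob, _ := EncryptPayload(sampleKey, samplePayload)
	// Constructed "dropper bytes": filler, then the key, then more filler.
	dropper := append(append(bytes.Repeat([]byte{0x41}, 37), sampleKey...), bytes.Repeat([]byte{0x42}, 23)...)
	key, ok := RecoverKey(dropper, blob)
	fmt.Printf("key found: %v (%x)\n", ok, key)
	pe, err := DecryptPayload(key, blob)
	fmt.Printf("payload: %d bytes, err=%v\n", len(pe), err)
}
```

On a real dropper the candidates slice would be the raw bytes of the .NET data section (or, as in the write-up, just the constant the dnlib walk lands on), and the blob the embedded resource; with ECB there is no IV to locate, which is the whole reason a single key-recovery step finishes the job.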
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign used a professional-looking email with an attachment to deliver the dropper. ‘The phishing email contained information about some order, and asked for a confirmation. Of course it also had an attachment called zamowienie.rar (order.rar in Polish), with a zamowienie.exe file inside.’
- [T1078] Valid Accounts – ‘Initial email was sent from a legitimate employee account of a Polish company (using stolen credentials).’
- [T1027] Obfuscated Files or Information – The sample uses heavy obfuscation via CryptoObfuscator and KoiVM; ‘All the names are changed to random Cyrillic characters… the tool is called CryptoObfuscator 1.0 according to embedded attributes, with KoiVM under the hood.’
- [T1055] Process Injection – The DotRunpeX packer uses RunPE-style injection (the classic process-hollowing approach) to run the payload inside a host process. ‘The tool is called DotRunpeX, or, according to the embedded product name, RunpeX.Stub.Framework.’
Indicators of Compromise
- [File Hashes] Hashes associated with the campaign – 0638cb06ec16ea6cabffdffb8fa29608f8daee68886fb617495a96d0dcdf83e5, 743d2d7eca252cf2b19c0355d645018de71cd4c3443592ebbccbb839192230bd, and 2 more hashes
- [File Names] Filenames observed in artifacts – zamowienie.rar, zamowienie.exe, DONALDTRUMP, payload
Read more: https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/