Dynamically unpacking using x64-dbg

Introduction
In this blog I will cover techniques that can be used to unpack the “PolyglotDuke” trojan, developed by APT29 (The Dukes / Cozy Bear), a group attributed to Russia’s Foreign Intelligence Service (SVR).
Information Gathering
Let’s first look at the file in PE Studio. It is the 64-bit loader of PolyglotDuke.

Setting up environment for Unpacking
First, uncheck the System Breakpoint option in x64-dbg under Options -> Preferences.

Next, set the breakpoints in the binary.


In the command bar, type “bp” followed by the name of the API you want to break on.

In this case, the commands are:
bp VirtualAlloc
bp VirtualProtect

Unpacking
Hit “Run” after setting the breakpoints in the binary.

When the debugger runs, it stops at the first breakpoint, “VirtualAlloc”. There is no “MZ” header present yet, so once “VirtualAlloc” is hit, hit the return button in the debugger after following the RAX register in the hex dump.


When you hit “Run” again, the debugger hits “VirtualAlloc” two more times and then hits “VirtualProtect”.

Now, in the bottom right of the debugger, you will see the “MZ” header. Follow it in the hex dump, and the unpacked payload is clearly visible there.

Now follow it in the memory map and dump the unpacked payload from there to disk.

Load the payload in PE-Bear to fix the PE structure: go to Section Hdrs and replace each section’s Raw Addr. with its Virtual Addr.


Finally, set the image base in PE-Bear to the address at which the payload was dumped from x64-dbg.

Now you can save the unpacked PolyglotDuke payload.
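The PE-Bear fix-up above done in Python, as an added example that is not part of the original post: for a dumped PE32+ (or PE32) image it sets each section’s Raw Addr. to its Virtual Addr. (and the raw size to the virtual size, so header and data agree) and sets the ImageBase to the address the payload was dumped from. The small PE built by build_sample_dump() and the dump address 0x1A2B0000 are constructed stand-ins, not the real PolyglotDuke payload.

```python
import struct

def _headers(buf):
    """Locate the optional header and section table; returns (opt, magic, sect, nsect)."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE dump")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    nsect, size_opt = struct.unpack_from("<H", buf, coff + 2)[0], struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20                               # the COFF file header is 20 bytes
    return opt, struct.unpack_from("<H", buf, opt)[0], opt + size_opt, nsect

def describe(data):
    """ImageBase plus (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    opt, magic, sect, nsect = _headers(data)
    base = struct.unpack_from("<Q", data, opt + 24)[0] if magic == 0x20B else struct.unpack_from("<I", data, opt + 28)[0]
    secs = [(bytes(data[h:h + 8]).rstrip(b"\0").decode(),) + struct.unpack_from("<IIII", data, h + 8)
            for h in range(sect, sect + 40 * nsect, 40)]
    return base, secs

def fix_dumped_pe(data, new_image_base):
    """Make a memory dump loadable: RawAddr := VirtualAddr, RawSize := VirtualSize, ImageBase := dump address."""
    buf = bytearray(data)
    opt, magic, sect, nsect = _headers(buf)
    if magic == 0x20B:                            # PE32+ (64-bit, like the PolyglotDuke loader)
        struct.pack_into("<Q", buf, opt + 24, new_image_base)
    elif magic == 0x10B:                          # PE32
        struct.pack_into("<I", buf, opt + 28, new_image_base)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    for h in range(sect, sect + 40 * nsect, 40):  # each section header is 40 bytes
        vsize, vaddr = struct.unpack_from("<II", buf, h + 8)
        struct.pack_into("<II", buf, h + 16, vsize, vaddr)
    return bytes(buf)

def build_sample_dump():
    """Constructed stand-in for a dumped PE32+ (not the real payload): two sections with file-aligned raw offsets."""
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                                  # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x8664, 2, 0, 0, 0, 0xF0, 0x22)  # COFF header: x64, 2 sections
    struct.pack_into("<H", pe, 0x98, 0x20B)                                 # optional header magic: PE32+
    struct.pack_into("<Q", pe, 0x98 + 24, 0x140000000)                      # ImageBase chosen by the linker
    for i, sec in enumerate([(b".text", 0x1000, 0x1000, 0x200, 0x400), (b".data", 0x800, 0x2000, 0x200, 0x600)]):
        struct.pack_into("<8sIIII", pe, 0x98 + 0xF0 + 40 * i, *sec)
    return bytes(pe)
```

On a real dump, pass the bytes read from the dumped file together with the base address shown in the x64-dbg memory map, and write the returned bytes back out; the import table is left as it was in memory, so imports may still need rebuilding separately.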

Confirming the payload.

IoCs
Loader:
MD5: 078cfd29c9fa461247c0246f3a8a46af
SHA1: 1b9b2b2fe0594ff75dc808fa39f7a09d4de50746
SHA256: 0c39fce5bd32b4f91a1df4f6321c2f01c017195659c7e95a235ef71ca2865aa9
Payload:
MD5: 341d1de6c5f364b28baea6708797f48a
SHA1: 53479f1604fa702d4ff9c258ae2d75029e616ff0
SHA256: 7e6d37f23857b4b7f3b7324fa4966ae69acf95a43115ff6ee07d85cf06a2a4c7
References
https://bazaar.abuse.ch/sample/0c39fce5bd32b4f91a1df4f6321c2f01c017195659c7e95a235ef71ca2865aa9/
Thanks for reading, and for giving your time to my research blog.
Article Link: https://0xthreatintel.medium.com/unpacking-of-apt29-polyglotduke-6b3544ccd637?source=rss-4844031faab4------2