Unpacking what's packed: DotRunPeX analysis
Tags
| cmtmf-attack-pattern: | Code Injection |
| country: | Poland |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Code Injection - T1540 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Python - T1059.006 Server - T1583.004 Server - T1584.004 Tool - T1588.002 |
Common Information
| Type | Value |
|---|---|
| UUID | 39bbdacf-28e7-47cb-aa86-b82bc0bfedb2 |
| Fingerprint | 26150992a90747b6 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Sept. 18, 2023, midnight |
| Added to db | Aug. 31, 2024, 1:37 a.m. |
| Last updated | Nov. 17, 2024, 6:55 p.m. |
| Headline | Social media |
| Title | Unpacking what's packed: DotRunPeX analysis |
| Detected Hints/Tags/Attributes | 57/4/14 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/ |
URL Provider
| Details | Provider | Source level domain |
|---|---|---|
| Details | cert.pl | cert.pl |
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 81 | ✔ | CERT Polska | https://cert.pl/en/rss.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 149 | system.security |
|
| Details | File | 1 | zamowienie.rar |
|
| Details | File | 14 | order.rar |
|
| Details | File | 1 | zamowienie.exe |
|
| Details | File | 13 | dnlib.dot |
|
| Details | File | 1 | operand.ini |
|
| Details | File | 26 | key.txt |
|
| Details | File | 1122 | svchost.exe |
|
| Details | sha256 | 1 | 0638cb06ec16ea6cabffdffb8fa29608f8daee68886fb617495a96d0dcdf83e5 |
|
| Details | sha256 | 1 | 743d2d7eca252cf2b19c0355d645018de71cd4c3443592ebbccbb839192230bd |
|
| Details | sha256 | 1 | 6f7e6f123333920e6a59cf6585d19dae2236f42b27b24557d0e1d0e675f52e7e |
|
| Details | sha256 | 1 | 521e9d3bc1517804c3e2b651fc5e64742dcd88d780578b06f57fbdff4f48174d |
|
| Details | Yara rule | 1 | rule certpl_dotrunpex_stage1 {
meta:
description = "Stage1 packer of dotrunpex samples"
author = "msm"
date = "2023-09-02"
strings:
$aes = "CreateAesInstance"
condition:
all of them
} |
|
| Details | Yara rule | 1 | rule certpl_dotrunpex {
meta:
description = "Dotrunpex sample"
author = "msm"
date = "2023-09-02"
strings:
$fish = "Fish" wide
$koivm = "KoiVM.Runtime--test"
$runpexstub = "RunpeX.Stub.Framework" wide
condition:
2 of them
} |