{
	"id": "2b11ca1e-6e56-4861-b00a-3b42d0312866",
	"created_at": "2026-04-06T00:06:38.739951Z",
	"updated_at": "2026-04-10T03:33:18.807235Z",
	"deleted_at": null,
	"sha1_hash": "a1caca471ee734f2229de1e69b4c7b64697b6379",
	"title": "DTPacker – a .NET Packer with a Curious Password | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9289437,
	"plain_text": "DTPacker – a .NET Packer with a Curious Password | Proofpoint US\r\nBy Proofpoint Staff, January 24, 2022\r\nPublished: 2022-01-21 · Archived: 2026-04-05 14:35:02 UTC\r\nKey Findings\r\nProofpoint identified a malware packer which researchers have dubbed DTPacker.\r\nThe payload decoding uses a fixed password containing former U.S. president Donald Trump’s name.\r\nFor several weeks the downloader variant used Liverpool Football Club themed download locations.\r\nThe malware is typically used to pack remote access trojans that can be used to steal information and load follow-on payloads such as ransomware.\r\nOverview\r\nIn a previous blog, Commodity .NET Packers use Embedded Images to Hide Payloads, we described the \"CyaX\" and \"Hectobmp\" families of .NET packers.\r\nIn this blog, we describe a two-stage commodity .NET packer or downloader which, although it shows considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding. The main difference between a packer and a downloader is the location of the payload data, which is embedded in the former and downloaded in the latter. DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and a downloader.\r\nProofpoint has observed DTPacker distributing multiple remote access trojans (RATs) and information stealers including Agent Tesla, Ave Maria, AsyncRAT, and FormBook. The malware uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. It is likely distributed on underground forums. Proofpoint has observed DTPacker associated with dozens of campaigns and multiple threat actors including TA2536 and TA2715 since 2020. Proofpoint has observed DTPacker used by both advanced persistent threat (APT) and cybercrime threat actors. Identified campaigns included thousands of messages and impacted hundreds of customers in multiple industries.
\r\nAttack Path Example\r\nIn many observed campaigns, email is used as the initial infection vector. The attachment is typically a malicious document or compressed executable that, when interacted with by a user, downloads the packer executable. The malware decodes an embedded or downloaded resource to a DLL which contains the malware payload, and then executes the malware.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1\r\nPage 1 of 17\n\nFigure 1: DTPacker attack path example.\r\nCustom XOR Decoding\r\nProofpoint observed multiple decoding methods and two Donald Trump-themed fixed keys, thus the name “DT”Packer. Many packers and loaders are built in two stages of functionality. Earlier versions of DTPacker used a custom XOR routine to decode the malicious content in both stages. The first stage of DTPacker decodes an embedded or downloaded resource to an intermediate stage (usually a DLL), then the second stage extracts and executes the payload from that DLL.\r\nThe custom XOR routine, in addition to XORing with the key, subtracts the next data value; it is implemented in the Python script decoder-xor-sub.py (on GitHub).\r\nA Windows Portable Executable contains long runs of null bytes, and consequently XORing the ciphertext with itself shifted by one byte reveals the key at the locations corresponding to those null bytes.\r\nFor example, in this sample (SHA256 512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40):\r\nThe intermediate stage is stored in a .NET resource encoded with the custom XOR routine and key \"P\" (in ASCII, not UTF-16 Unicode this time).
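As an added example (not the post's decoder-xor-sub.py), the routine below implements the XOR-plus-subtract decoding as described above together with the shifted-XOR key recovery trick, and generalises the recovery to any repeating key, so it applies equally to the random 8-14 character keys of the CyaX variant discussed later. The byte order of the subtraction (the next ciphertext byte is subtracted, the last byte having no successor) is an assumption taken from the description, and the sample buffer is constructed here, not a real PE.

```python
# Added example: a reconstruction of the XOR-plus-subtract routine from its
# description in the post, plus the shifted-XOR key recovery trick.  The
# exact byte order of the real decoder-xor-sub.py is an assumption.
import random
from collections import Counter

def xor_sub_decode(cipher, key):
    # decode[i] = (cipher[i] XOR key[i mod len(key)]) - cipher[i+1]  (mod 256)
    # The last byte has no successor, so 0 is subtracted (assumption).
    out = bytearray()
    for i, c in enumerate(cipher):
        nxt = cipher[i + 1] if i + 1 < len(cipher) else 0
        out.append(((c ^ key[i % len(key)]) - nxt) & 0xff)
    return bytes(out)

def xor_sub_encode(plain, key):
    # Inverse of the decoder, built backwards because cipher[i] depends on cipher[i+1].
    out = bytearray(len(plain))
    nxt = 0
    for i in range(len(plain) - 1, -1, -1):
        out[i] = ((plain[i] + nxt) & 0xff) ^ key[i % len(key)]
        nxt = out[i]
    return bytes(out)

def shifted_xor(cipher):
    # The ciphertext XORed with itself shifted by one byte.  Where the plaintext
    # byte is 0x00, (c[i] ^ k[i]) == c[i+1], so c[i] ^ c[i+1] == k[i]: the key leaks.
    return bytes(a ^ b for a, b in zip(cipher, cipher[1:]))

def recover_key(cipher, max_len=32):
    # Look for windows of the shifted-XOR stream that repeat back to back; the
    # most frequent one is the key (rotated by its offset, which we undo).
    d = shifted_xor(cipher)
    votes = Counter()
    for klen in range(1, max_len + 1):
        for i in range(len(d) - 2 * klen + 1):
            if d[i:i + klen] == d[i + klen:i + 2 * klen]:
                win = d[i:i + klen]
                key = bytes(win[(m - i) % klen] for m in range(klen))
                votes[key] += 1
    if not votes:
        return None
    return max(votes, key=lambda k: (votes[k], -len(k)))

def build_sample_plaintext():
    # Constructed stand-in for a PE: DOS header text, a long run of null
    # padding (as real PE headers and section slack have), then pseudo-random
    # bytes.  Not a real executable.
    rng = random.Random(2022)
    return (b'MZ' + b'This program cannot be run in DOS mode.' + bytes(300)
            + bytes(rng.randrange(256) for _ in range(200)))

def demo():
    # Encode the sample with the ASCII key P and the UTF-16 key trump2020 (as
    # the post reports them), then recover both keys from ciphertext alone.
    plain = build_sample_plaintext()
    results = {}
    for label, key in (('P', b'P'), ('trump2020', 'trump2020'.encode('utf-16-le'))):
        cipher = xor_sub_encode(plain, key)
        assert xor_sub_decode(cipher, key) == plain
        results[label] = recover_key(cipher)
    return results

if __name__ == '__main__':
    for label, key in demo().items():
        print(label, key)
```

Why the trick works under this routine: where the plaintext byte is 0x00, ciphertext XOR key equals the following ciphertext byte, so XORing adjacent ciphertext bytes yields the key byte itself, rather than the XOR of two neighbouring key bytes as it would for plain repeating-key XOR. A null run at least twice the key length is enough for recover_key to vote the key in, and the null high bytes of a UTF-16 key are recovered like any other byte.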
\r\nThe .NET resource XORed with itself shifted by one byte reveals the password \"P\":\r\nDecoding with key \"P\" gives the second stage executable:\r\nThe second stage contains a .NET resource (named \"00112266\"):\r\nXORed with itself shifted by one byte, this gives:\r\nwhich yields a key of \"trump2020\" in UTF-16 Unicode. The threat actors used this key consistently for a year, and it is the reason for the packer’s name.\r\nDecoding with the “trump2020” key gives the final payload:\r\nIn this case, the payload was Agent Tesla, a common information stealer.\r\nVaried First Stage Encoding\r\nIn this downloader sample (SHA256 9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27) the download URLs are stored as strings obfuscated with junk Unicode characters.\r\nIn this case, the decompiled code looks like:\r\nand removing the junk Unicode characters gives:\r\nThe downloads are glued together and contain base64-encoded strings:\r\nThese decode to:\r\nwhich after XORing with byte 0x02 gives:\r\nThis is a second stage executable containing a \"00112266\" resource encoded with the \"trump2020\" key as before, which then decodes to Agent Tesla.\r\nDecimal Character Codes\r\nOne recurrent theme in this family of packers is the use of decimal character codes with the digits substituted with other characters.
\r\nFor example, this sample (SHA256 285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b) is a packer with the second stage embedded in the .NET Strings table:\r\nThese are comma-separated decimal ASCII character codes with the digits 0-9 replaced by \"!@#$%[X]\u0026*()\", where \"[X]\" represents the Unicode character 0x8ac2; reversing this gives us:\r\nThis decodes to an intermediate PE containing the \"00112266\" resource with key \"trump2020\", which decodes to Ave Maria, also known as Warzone RAT.\r\nThis sample (SHA256 1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056) is similar to the above, but with the second stage stored in the User Strings table:\r\nwith the digits 0-9 replaced by \"zxcasdwqru\" (partially matching the first three letters on rows of a QWERTY keyboard). This decodes to AsyncRAT.\r\nAnother sample (SHA256 ba0f9be7cf006404bcfab6b6adbad0cef7281c3792490903632a4010d8a74f42) is a loader with its download string obfuscated in a similar way to Sample 1 (the first downloader sample above), which deobfuscates to (defanged):\r\nhxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91@@@hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=63DC49E5D8F5F50F8838551347009928@@@hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=D13B96F0619AC39B44A32D3E0A260C89@@@hxxps://ahgwqrq[.]xyz/getrandombase64.php?get=85530E49BB23CD9DBD8461A2FC5D18A2\r\nThe downloads are obfuscated in a similar way to the samples above, with the digits 0-9 replaced by the letters A-J:\r\nThe download decodes to the usual second stage, which in turn decodes to Agent Tesla.\r\nString Obfuscation using Large Character Code Offsets\r\nThis sample (SHA256 5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c) is a loader with strings obfuscated as Unicode strings followed by an integer to subtract from their character codes, e.g.
\r\nwhich decodes to:\r\nThe downloads are again ASCII character codes, with the digits 0-9 replaced by the letters \"PxfnVCKsAi\".\r\nThis time, however, there is no intermediate step with the custom XOR routine and \"trump2020\" key, and the payload is Agent Tesla.\r\nSoccer Club-Themed Payload Locations\r\nFrom March 2021, Proofpoint observed samples using websites for soccer clubs and their fans as download locations. These websites appear to have been decoys, with the actual payload locations embedded in the list.\r\nFor example, in this sample (SHA256 b53558a85b8bb10ce70cb0592a81e540683d459b9d8666b7927c105f1141a189), the decompiled code looks like:\r\nwhich when deobfuscated is:\r\nThe payload was Snake Keylogger in this case.\r\nLater samples used Liverpool Football Club-themed download locations.\r\nIn this sample (SHA256 9cc817f0205da4bde1d938e1817aa98fe4f4a5dcbcaffbe8b45041e24c105aa0), the download locations are obfuscated with junk Unicode sequences and string assembly:\r\nwhich after removing the non-ASCII characters is:\r\nleading to download locations (defanged):\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1FE8F2E05D5035C0446552639B8336B8.html\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EC7D4835EC6F56BD999A943FEDF8D489.html\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DE7C2CE9F7D38544A851414C40C46A3F.html\r\nEach of these, amidst innocent-looking pages that appear to be taken from liverpool.com, includes the next stage as ASCII character codes with the digits 0-9 replaced by \"GIucvPNTOs\":\r\nFinally, the usual \"00112266\" 
resource, encoded with the \"trump2020\" key, has the final payload, Agent Tesla.\r\nLater samples varied the domain name but kept very similar paths and the same innocent-looking page.\r\nFigure: DTPacker used Liverpool FC themed download locations for the final payload. The sites masqueraded as legitimate Liverpool FC and fan-related websites.\r\nString Obfuscation using Obfuscated Character Code Arrays\r\nThis sample (SHA256 281cdbf590c22cd684700dcde609d6be48ddf3e4d988d48e65d9c688ce76f7af) uses obfuscated .NET code to store important strings as arrays of ASCII character codes:\r\n[0] : qHWXhtvYuc\r\n[1] : Append\r\n[2] : hxxp://mmwrlridbhmibnr[.]ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-40505C0917C3E190B486745F4941F177.html\r\n[3] : \u003cmeta name=\"keywords\" content=\"([\\w\\d ]*)\"\u003e\r\n[4] : UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41\r\n[5] : GetType\r\n[6] : Assembly\r\n[7] : ToArray\r\n[8] : Load\r\n[9] : EntryPoint\r\n[10] : Invoke\r\n[11] : LoginForm\r\nFor the URL string, we have (when decompiled in ILSpy):\r\nIn each block of four assignments, the first three are junk and are overwritten by the fourth.\r\nThis appears to be done in the underlying MSIL (intermediate language) code:\r\nThe obfuscating instructions are not actually in the shortest form that a normal compiler would be expected to emit. E.g. 
\r\n(05) 2000000000 : ldc.i4 0x0\r\ncould have been achieved with\r\n(01) 16 : ldc.i4.0\r\nas it is in the instruction performing the final assignment (the five-byte ldc.i4 with a 32-bit immediate versus the one-byte ldc.i4.0 short form).\r\nThe final payload in this case was Agent Tesla.\r\nThe Python script decoder-dup-array-strings.py (on GitHub) will output the deobfuscated strings from a .NET binary using this technique.\r\n“Trump2026” Variant with Straight XOR\r\nBeginning in August 2021, Proofpoint observed samples where the second stage no longer uses the custom XOR routine and fixed key \"trump2020\", but instead uses straight XOR with the fixed ASCII key \"Trump2026\".\r\nIn this sample (SHA256 a564eb282800ed662b1c55ae65fbba86b6feca00a2e15ebb36a61fc53ac47c3a), the intermediate stage is stored as ASCII character codes in the \"Strings\" table:\r\nThe payload is stored from offset 0x250 in the intermediate stage:\r\nwhich, after XORing with the key \"Trump2026\", gives:\r\nThis payload was Agent Tesla.\r\nThis sample (SHA256 affea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463) is a downloader with the download URLs stored in the clear in User Strings (defanged):\r\nhxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124528768032848/9722D04C.jpg\r\nhxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124531213336656/F526E587.jpg\r\nThe downloads are ASCII character codes:\r\nwhich when glued together and decoded give the intermediate stage containing:\r\nWhen decoded with the XOR key \"Trump2026\", the final payload is FormBook.\r\nCyaX Packer using Same Modified XOR Routine\r\nFrom November 2021, Proofpoint observed the CyaX packer using a very similar second stage to that of DTPacker with the \"trump2020\" key.
\r\nThis time, however, the keys are randomly generated, ASCII, mixed-case alphabetic, and 8-14 characters long, rather than the UTF-16-encoded \"trump2020\".\r\nIn this sample (SHA256 4053206d66d627d145d9da8d8e208d08c85755036a5393ccc6e8afd6117df864), the intermediate stage contains a .NET resource file \"18Ocjj4dc4\" starting:\r\njCcPzKq+9JLar8eO2ILnqfrkj8Wj64Lqo7XsiMaV85jStPyV/bTiu9+RwqTPheOrwqrjteyIxpXzmNK0/BV9NGItKqrrjTJvPFOC\r\n...\r\nwhich after base64-decoding gives:\r\nXORing this with itself shifted by one byte gives:\r\nand then using the modified XOR routine with the key \"dNSfkJfHihIVY\" gives:\r\nwhich, after fixing the first byte, is Agent Tesla.\r\nThis would suggest a common source for the second stage of both the \"trump2020\" version of DTPacker and the latest second stage of CyaX. It is possible there is a resource overlap between DTPacker and CyaX, such as both authors paying for the same DLL encoder, but Proofpoint cannot confirm this.\r\nConclusion\r\nDTPacker’s use as both a packer and a downloader, and its variation in delivery and obfuscation whilst keeping two such unique keys as part of its decoding, is very unusual.\r\nIt is unknown why the malware author specifically referred to Donald Trump in the malware’s fixed passwords, as the malware is not used to specifically target politicians or political organizations and the passwords would not be seen by the intended victims. Proofpoint assesses this malware will continue to be used by multiple threat actors.\r\nNetwork IDS Rules:\r\nProofpoint Emerging Threats includes multiple detections for this malware.
\r\n2031127 - ET MALWARE DTLoader Binary Request\r\n2031128 - ET MALWARE DTLoader Encoded Binary - Server Response\r\n2031129 - ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI)\r\n2033356 - ET MALWARE DTLoader Binary Request M2\r\n2844913 - ETPRO MALWARE Haskell Downloader/DTLoader CnC Activity\r\n2846706 - ETPRO MALWARE DTLoader Variant Activity\r\n2847389 - ETPRO MALWARE DTLoader CnC Activity\r\n2847503 - ETPRO MALWARE DTLoader Variant Activity\r\n2847916 - ETPRO MALWARE DTLoader Obfuscated HTML Payload Inbound\r\n2847940 - ETPRO MALWARE DTLoader Activity\r\n2850461 - ETPRO MALWARE DTLoader Retrieving Encoded Payload\r\nSample Indicators of Compromise\r\nIndicator | Description | Associated Malware\r\n9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27 | DTPacker SHA256 | Agent Tesla\r\nhxxps://hastebin[.]com/raw/azipitojuj | Payload Download Location | Agent Tesla\r\nhxxps://hastebin[.]com/raw/urafehisiv | Payload Download Location | Agent Tesla\r\n285f4e79ae946ef179e45319caf11bf0c1cdaa376924b83bfbf82ed39361911b | DTPacker SHA256 | Ave Maria RAT\r\n512b2f1f4b659930900abcc8f51d175e88c81b0641b7450a6618b77848fa3b40 | DTPacker SHA256 | Agent Tesla\r\n1312912d725d45bcd1b63922ec9a84abca7a8c9c669c13efbd03472c764be056 | DTPacker SHA256 | AsyncRAT\r\nba0f9be7cf006404bcfab6b6adbad0cef7281c3792490903632a4010d8a74f42 | DTPacker SHA256 | Agent Tesla\r\nhxxps://ahgwqrq[.]xyz/getrandombase64.php?get=E2E813E9694BE43CAD964C0453632F91 | Payload Download Location | Agent Tesla\r\nhxxps://ahgwqrq[.]xyz/getrandombase64.php?get=63DC49E5D8F5F50F8838551347009928 | Payload Download Location | Agent Tesla\r\nhxxps://ahgwqrq[.]xyz/getrandombase64.php?get=D13B96F0619AC39B44A32D3E0A260C89 | Payload Download Location | Agent Tesla\r\nhxxps://ahgwqrq[.]xyz/getrandombase64.php?get=85530E49BB23CD9DBD8461A2FC5D18A2 | Payload Download Location | Agent Tesla\r\n5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c | DTPacker SHA256 | Agent Tesla\r\nhxxp://193.239.147[.]103/base/264712C97B662289D6644F926525A252.html | Payload Download Location | Agent Tesla\r\nb53558a85b8bb10ce70cb0592a81e540683d459b9d8666b7927c105f1141a189 | DTPacker SHA256 | Snake Keylogger\r\nhxxp://osndjdjjjdjshgaggdkf[.]com/base/377A23697621555ED2123D80005200D7.html | Payload Download Location | Snake Keylogger\r\nhxxp://osndjdjjjdjshgaggdkf[.]com/base/650D6251494D3B160CBC93685F2FA1E4.html | Payload Download Location | Snake Keylogger\r\nhxxp://osndjdjjjdjshgaggdkf[.]com/base/2A812C716BD7EB40F36227E584D97524.html | Payload Download Location | Snake Keylogger\r\n9cc817f0205da4bde1d938e1817aa98fe4f4a5dcbcaffbe8b45041e24c105aa0 | DTPacker SHA256 | Agent Tesla\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1FE8F2E05D5035C0446552639B8336B8.html | Payload Download Location | Agent Tesla\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EC7D4835EC6F56BD999A943FEDF8D489.html | Payload Download Location | Agent Tesla\r\nhxxp://liverpoolofcfanclub[.]com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DE7C2CE9F7D38544A851414C40C46A3F.html | Payload Download Location | Agent Tesla\r\n281cdbf590c22cd684700dcde609d6be48ddf3e4d988d48e65d9c688ce76f7af | DTPacker SHA256 | Agent Tesla\r\nhxxp://mmwrlridbhmibnr[.]ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-40505C0917C3E190B486745F4941F177.html | DTPacker Download URL | Agent Tesla\r\na564eb282800ed662b1c55ae65fbba86b6feca00a2e15ebb36a61fc53ac47c3a | DTPacker SHA256 | Agent Tesla\r\naffea9c276ded88eea1e39ac39fb19373c4b62d4251fb1d06f37a05e35dfa463 | DTPacker SHA256 | FormBook\r\nhxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124528768032848/9722D04C.jpg | DTPacker Download URL | FormBook\r\nhxxps://cdn.discordapp[.]com/attachments/893177342426509335/897124531213336656/F526E587.jpg | DTPacker Download URL | FormBook\r\n4053206d66d627d145d9da8d8e208d08c85755036a5393ccc6e8afd6117df864 | DTPacker SHA256 | Agent Tesla\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1"
	],
	"report_names": [
		"dtpacker-net-packer-curious-password-1"
	],
	"threat_actors": [
		{
			"id": "d2dad33f-6218-477c-9388-3d5228d7562f",
			"created_at": "2023-02-15T02:01:49.573579Z",
			"updated_at": "2026-04-10T02:00:03.352638Z",
			"deleted_at": null,
			"main_name": "TA2536",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1caca471ee734f2229de1e69b4c7b64697b6379.pdf",
		"text": "https://archive.orkl.eu/a1caca471ee734f2229de1e69b4c7b64697b6379.txt",
		"img": "https://archive.orkl.eu/a1caca471ee734f2229de1e69b4c7b64697b6379.jpg"
	}
}