Uncovering APT29 tool: Trojan PolyGlot Duke — (unpacking)
Unpacking, Static and Dynamic Analysis of PolyGlot Duke.
In this blog, i will be unpacking , static and dynamic analysis of trojan “PolyGlot Duke” from APT29. For this blog we only focus on Unpacking.
Unpacking
File Information
It’s a 64-bit malware. Which is basically a packed.

Unpacking using x64dbg:

Setting Up Breakpoints for unpacking while debugging:
Some for the process injection and some for the self injection.
….:- VirtualAlloc
…..:- VirtualProtect
…..:- ResumeThread
…..:- CreateProcessInternalW
…..:- WriteProcessMemory
Hitting Breakpoints
Firstly the breakpoint hits at the EntryPoint.

Running the debugger again , hits at the VirtualAlloc.

Following several hits at VirtualAlloc and returns hits , debugger hits at the VirtualProtect and it’s return hits.





Now something hits differ in debugger VirtualProtect.

Hitting the run , x64dbg hits at the return.

Again x64dbg hitting at the VirtualProtect at next run and it’s return.

Now scrolling a bit in window right to hexdump window you will found “PE” string mentioned

Now following it in the hexdump and scrolling of bit up we will get MZ (magic header) header. As we get the MZ header we will follow it in the Memory Map.

Highlighted line in the memory map is the executable for us to analyse. Right click ,dump and save it.

Checking up for proper executable
Opening up the dumped file in the PE Studio.




Fixing Raw and Base Address in PE Bear
Replace all the raw and base addresses with the Virtual Address and Virtual Size respectively.


Now fixed file information.




Sample from Report:
From Abuse[.]ch:
Packed Sample:
Unpacked Sample: