
It’s okay to eat paste, right?



Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. To make things more interesting, the paste was the hexadecimal representation of the binary, and it was obfuscated as well.


Figure 1 – The paste converted to binary

The original binary was a .NET PE file inside a RAR email attachment. Inspecting the file with dnSpy, an easy-to-use debugger and assembly editor developed by 0xd4d, reveals that it is obfuscated. Luckily, de4dot, another tool developed by 0xd4d, detects the obfuscation as DeepSea and is able to deobfuscate it for us.


Figure 2 – de4dot detects the obfuscation as DeepSea

Now that de4dot has cleaned up the DeepSea-obfuscated .NET code, we can walk the program from the entry point and see where the paste is downloaded and how it is decoded. We quickly discover webClient being used to download the paste.


Figure 3 – The .NET assembly using webClient to download the paste

Further inspection of the code identifies the decoding method and key. The downloaded paste is converted to binary and XOR decoded with a 32-bit integer value of 25.


Figure 4 – The paste is XOR encoded

Knowing the XOR key is the 32-bit integer 25, let’s see if we can decode this payload with Python so that we can inspect it with dnSpy and see what it does.


Figure 5 – Python code to XOR decode the paste
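The decoding step described above, reconstructed as an added example; this is not the script shown in Figure 5 or any Cofense tooling. It assumes the loader hex-decodes the paste text and then XORs each byte against the integer key 25 (so only the low byte of the 32-bit value, 0x19, matters), and it includes a constructed MZ/PE stub as sample input so it runs offline. The `looks_like_pe` check is the sanity test an analyst would run before handing the output to dnSpy.

```python
"""
Added example: hex-decode a paste and XOR-decode it with the key described in
the post (32-bit integer 25). Illustrative code written for this page, using a
constructed sample rather than the real paste.
"""
import binascii

XOR_KEY = 25  # integer key recovered from the decompiled .NET code


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the low byte of the integer key.

    Assumption: the .NET routine XORs each byte against the int key, so only
    key & 0xFF affects the result. XOR is symmetric, so this also encodes.
    """
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def decode_paste(paste_text: str, key: int = XOR_KEY) -> bytes:
    """Convert the hex text of a paste to bytes, then XOR-decode it.

    Whitespace and newlines are stripped first, since pastes are often wrapped.
    binascii.unhexlify raises binascii.Error on odd length or non-hex input.
    """
    hex_text = "".join(paste_text.split())
    raw = binascii.unhexlify(hex_text)
    return xor_decode(raw, key)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check for a decoded payload: a PE file starts with 'MZ'
    and the DWORD at offset 0x3C (e_lfanew) points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if len(blob) < e_lfanew + 4:
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_paste(key: int = XOR_KEY) -> str:
    """Constructed sample (not a real payload): a minimal MZ/PE stub, XOR-encoded
    and hex-encoded the same way the loader expects to find it in the paste."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew at 0x3C
    stub += (0x40).to_bytes(4, "little")       # e_lfanew -> PE header at 0x40
    stub += b"PE\0\0" + b"\x00" * 20           # PE signature + empty file header
    encoded = xor_decode(bytes(stub), key)     # encode with the same XOR
    return binascii.hexlify(encoded).decode()


if __name__ == "__main__":
    sample = build_sample_paste()
    payload = decode_paste(sample)
    print(f"decoded {len(payload)} bytes; looks like PE: {looks_like_pe(payload)}")
```

Running it against a real paste is the same call, `decode_paste(open("paste.txt").read())`, followed by writing the bytes to disk for dnSpy; if `looks_like_pe` returns False, the key or the hex layout assumption is wrong and the decompiled decode routine should be re-read before going further.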

Perfect, the paste has been converted into a .NET DLL file. Inspecting the DLL in dnSpy reveals the same functionality and unpacking techniques that have been reported by other researchers.

What caught my eye was a RunPe object in the DLL. RunPE is a process hollowing technique: a malicious PE is injected into a benign process, which then runs under that process’s identity. At this point I became curious whether other campaigns were using this paste, or other pastes, as a malware loader.

Lo and behold, this exact paste has been used by many campaigns in the past 30 days, and the malware payloads have included Loki, Agent Tesla, Formbook, and even HawkEye. A second, identical paste was found in a handful of campaigns this week.



Email attachment hashes

Sample Email
