Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from pastebin.com. This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. And to make things more interesting, the paste was the hexadecimal representation of the binary and obfuscated.
The original binary was a .NET PE file within a RAR email attachment. Inspecting the file with dnSpy, an easy-to-use debugger and assembly editor developed by 0xd4d, reveals that it is obfuscated. Lucky for us, de4dot, another tool developed by 0xd4d, detects the obfuscation as DeepSea and is able to deobfuscate it for us.
Now that de4dot has cleaned up the DeepSea obfuscated .NET code, we can walk the program from the Entry Point and see where the paste is downloaded and how it is decoded. We quickly discover webClient being used to download the paste.
Further inspection of the code identifies the decoding method and key. The downloaded paste is converted to binary and XOR decoded with a 32-bit integer value of 25.
Knowing the XOR key is 25 and is 32 bits long, let’s see if we can decode this payload with python so that we can inspect it with dnSpy and see what it does.
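The decoding step described above, written out as an added example (this is not the post's own script or the malware's code): hex-decode the paste body, XOR every byte with the key, and sanity-check that the result starts with an MZ header and carries a PE signature before handing it to dnSpy. It assumes that applying the 32-bit key 25 to each byte is equivalent to XORing with the low byte 0x19, which is what a byte-wise XOR against that integer reduces to; the sample paste is constructed inline so the script runs offline.

```python
import binascii
import struct
import sys

# XOR key recovered from the sample's decoding routine (assumption: applied per byte)
XOR_KEY = 25


def decode_paste(paste_text: str, key: int = XOR_KEY) -> bytes:
    """Hex-decode the paste body, then XOR each byte with the low byte of the key."""
    cleaned = "".join(paste_text.split())  # tolerate line breaks / whitespace in the paste
    raw = bytes.fromhex(cleaned)
    k = key & 0xFF
    return bytes(b ^ k for b in raw)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check before loading in dnSpy: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_constructed_sample() -> str:
    """Constructed stand-in for the real paste: a minimal MZ/PE header XOR'd with 25 and hex-encoded."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)    # 0x3C bytes of DOS stub
    stub += struct.pack("<I", 0x40)              # e_lfanew points just past the stub
    stub += b"PE\0\0" + b"\x00" * 20             # PE signature plus filler
    encoded = bytes(b ^ XOR_KEY for b in stub)
    return binascii.hexlify(encoded).decode()


if __name__ == "__main__":
    # Usage: python decode_paste.py <saved_paste.txt> [output.dll]
    # Without arguments the constructed sample is decoded instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8") as fh:
            paste = fh.read()
    else:
        paste = build_constructed_sample()
    payload = decode_paste(paste)
    out_path = sys.argv[2] if len(sys.argv) > 2 else "decoded_payload.dll"
    print(f"decoded {len(payload)} bytes, PE header present: {looks_like_pe(payload)}")
    with open(out_path, "wb") as fh:
        fh.write(payload)
```

Save the paste body to a text file first rather than fetching it from the script, so the analysis box never talks to the paste site; the `looks_like_pe` check is deliberately minimal and only confirms that the XOR key and hex decoding were right, not that the file is safe to execute.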
Perfect, the paste has been converted into a .NET DLL file. Inspecting the DLL in dnSpy reveals the same functionality and unpacking techniques that have been reported by other researchers.
What caught my eye was a RunPe object in the DLL. RunPE is a process hollowing technique: a malicious PE is injected into a benign process, which is then made to run the injected code under the benign process's identity. At this point I became curious whether other campaigns were using this paste, or other pastes, as a malware loader.
Lo and behold, this exact paste has been used by many campaigns in the past 30 days. And the malware payloads have included Loki, Agent Tesla, Formbook, and even HawkEye. And a second identical paste was found in a handful of campaigns this week.
Email attachment hashes