{
	"id": "8c807d55-fb6c-4f5e-bd9b-82c143e7e688",
	"created_at": "2026-04-06T00:18:06.888351Z",
	"updated_at": "2026-04-10T13:12:19.552499Z",
	"deleted_at": null,
	"sha1_hash": "2f858eaf7d796a08da2b42edc92361dfa1197add",
	"title": "Malware Analysis — Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4235072,
	"plain_text": "Malware Analysis — Cobalt Strike\r\nBy 0xMrMagnezi\r\nPublished: 2024-02-29 · Archived: 2026-04-05 13:54:07 UTC\r\nCobalt Strike is a versatile tool for Red Team operations and penetration testing. However, threat actors also use it for malicious activities such as establishing covert communication, conducting post-exploitation tasks, moving laterally across networks, crafting and delivering weaponized payloads, and executing social engineering attacks.\r\nhttps://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0\r\nPage 1 of 7\r\nFigure 1: Malware Bazaar sample\r\nAfter downloading and extracting the zip file, two sections were observed in the BAT file. The first section contained two chunks of Base64-encoded code, as shown in Figure 2. It was suspected that these might be a Base64-encoded file, but decoding them did not yield any results. The second section appeared to use a simple replace obfuscation, as shown in Figure 3.\r\nFigure 2: First section of the original BAT file\r\nFigure 3: Marking what looked like replacing “CxVtt” with NULL\r\nThe second section contained additional instances of the replace function, so the cleaning process was continued using it. This part of the code appeared to decrypt something using AES encryption and decompress it using Gzip, as illustrated in Figure 4.\r\nFigure 4: After cleaning of the 2nd part\r\nCyberChef was then used to decrypt what was suspected to be another dropped file. This confirmed the suspicion, and the dropped files were successfully extracted, as illustrated in Figure 5.\r\nFigure 5: Using the AES key + IV and Gunzip on the Base64 code, which resulted in an EXE file\r\nThe extracted files were both written in .NET, allowing them to be debugged in dnSpy. During debugging, additional memory manipulation was observed, leading to the suspicion that there might be another hidden file.\r\nFigure 6: Embedding Resource\r\nObserving the array in memory confirmed this suspicion: the memory started with the header “1F 8B”, the Gzip magic bytes, as shown in Figure 7.\r\nFigure 7: Finding the embedded file inside the memory\r\nCyberChef was used one last time to decompress it, as shown in Figure 8.\r\nFigure 8: Extracting embedded EXE file\r\nAt that point, the file was executed in order to gather artifacts and IOCs. As shown below, an EXE embedded in the running process was successfully dumped.\r\nFigure 9: Dumping EXE from running process\r\nThe network traffic was encrypted, so the combination of INetSim + Fiddler was used to follow the requests without the risk of being infected.\r\nINetSim is an open-source tool for simulating internet services such as HTTP, DNS, and FTP. It allows malware behavior to be observed without connecting to real servers, reducing the risk of infection.\r\nFiddler is a web debugging proxy that logs and modifies HTTP/HTTPS traffic. It decrypts HTTPS traffic using a root certificate installed on the analysis machine.\r\nUsing INetSim together with Fiddler allows the analyst to safely intercept and analyze encrypted network traffic, gaining insight into the malware's communication and payloads without risking infection.\r\nFigure 10: Analyzing network traffic using the combination of Fiddler + INetSim\r\nIOCs:\r\norigin.bat — 4d1a54992dc1883a86069182e55bccf4\r\nout1.exe — c58f43348436a19ca37a676b477a137f\r\nout2.exe — 8d8fe14374cb94fe10070d9591fea3bb\r\n4000.exe — 30d2256f99c9dc5e6846838f655fae34\r\npickilish[.]com\r\nIn conclusion, a sample linked to Cobalt Strike was dissected. The process involved decoding Base64-encoded sections and unraveling obfuscation. AES encryption and Gzip compression were used to conceal and deploy malicious payloads. Tools like CyberChef and dnSpy were instrumental in extracting and examining the dropped files. Further investigation uncovered hidden files embedded in memory, confirming the layered nature of the malware. This analysis demonstrates the complexity and stealth of threats associated with Cobalt Strike, emphasizing the importance of robust cybersecurity measures to detect and mitigate such threats effectively.\r\nSource: https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0"
	],
	"report_names": [
		"malware-analysis-cobalt-strike-92ef02b35ae0"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f858eaf7d796a08da2b42edc92361dfa1197add.pdf",
		"text": "https://archive.orkl.eu/2f858eaf7d796a08da2b42edc92361dfa1197add.txt",
		"img": "https://archive.orkl.eu/2f858eaf7d796a08da2b42edc92361dfa1197add.jpg"
	}
}