{
	"id": "b376f35f-0eae-4568-938b-c78bee0849ba",
	"created_at": "2026-04-06T00:14:08.36446Z",
	"updated_at": "2026-04-10T13:13:01.952914Z",
	"deleted_at": null,
	"sha1_hash": "60e5c7b8f167210637f0582463db3ad2f5e737e7",
	"title": "Advanced CyberChef Tips: AsyncRAT Loader | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 16731033,
	"plain_text": "Advanced CyberChef Tips: AsyncRAT Loader | Huntress\r\nArchived: 2026-04-05 12:56:29 UTC\r\nThe Huntress SOC team encountered and investigated an infection involving a malicious malware loader on a Huntress-protected host. The investigation was initiated by persistence monitoring, which triggered on a suspicious VBScript (.vbs) file persisting via a scheduled task.\r\nIf you would like to follow along, here is a link to the malware sample. (If you do choose to follow along, make sure you do so inside a safe virtual machine and not on your host computer.)\r\nLet's Get Started\r\nThe initial investigation was for a persistent .vbs file residing inside a user's startup directory. There are few legitimate reasons for a .vbs file to be persistent, so we immediately obtained the file for further analysis and investigation.\r\nGiven that .vbs is text-based, we transferred the file into an analysis virtual machine and opened it in a text editor. Upon realizing the script was obfuscated, we transferred the contents into CyberChef.\r\nAnalysing the File\r\nThe obfuscated contents of the script can be seen below.\r\nThere are numerous forms of obfuscation in use (Chr(45), StrReverse, Replace, etc.).\r\nhttps://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader\r\nPage 1 of 21\r\nWe simplified the script using a syntax highlighter set to \"vbscript\".\r\nSyntax highlighting is a simple and effective means of improving the readability of an obfuscated script before doing any manipulation or analysis.\r\nTip: Leaving the language as “auto-detect” will work, but we have found that highlighting is significantly quicker if the language is specified manually. This also avoids the occasional issue where CyberChef incorrectly identifies the language of an obfuscated script.\r\nObfuscation 1: Decimal Encoded Values\r\nDelving into the first few lines of output, there are numerous numerical values scattered around. Each numerical value is contained within a “chr” function call.\r\nA quick Google reveals that \"chr\" is a built-in Visual Basic function that takes a character code and returns the corresponding character, so Chr(45) is the hyphen \"-\". You can find a reference to the chr function here and here. You can also find a full list of decimal values and their ASCII equivalents here.\r\nHere are the “chr” obfuscated values in their original obfuscated form.\r\nThese numerical values can be crudely decoded in CyberChef by manually copying out each value and applying \"From Decimal\".\r\nManually copying the values is simple and will work most of the time, but it is time-consuming for a large script and requires the analyst to copy the results back into the original script by hand.\r\nWe'll now show how to automate this process using CyberChef.\r\nObfuscation 1: Automating the From Decimal Using CyberChef\r\nTo automate the decimal decoding, the ThreatOps team utilized some regex and advanced CyberChef tactics. At a high level, this consisted of:\r\nDeveloping a regex that finds decimal encoded values (locate the encoded data)\r\nConverting this regex into a subsection (this tells CyberChef to act ONLY on the encoded data)\r\nExtracting the decimal values (remove the \"chr\" and any surrounding data)\r\nDecoding the results (perform the \"From Decimal\" decoding)\r\nRemoving surrounding junk (cleaning up any remaining junk)\r\nRestoring the script back to “normal”\r\nSo let’s see that in action.\r\nWe first implemented a regex pattern to automatically highlight and extract “chr” encoded values from the original script.\r\nTo test our initial regex, we used the “Regular Expression” operation with its “Highlight Matches” output option in CyberChef. This allowed the effectiveness of our regex to be observed in real time: if anything didn’t match as intended, we could adjust the regex and the highlighting would update accordingly.\r\nThe “Highlight Matches” option provides similar functionality to the popular regex testing site regex101.\r\nA visual representation of the regex can be seen here, courtesy of regexper.com. (Regexper.com is an excellent site for visually learning and testing regex.)\r\nThe regex successfully matched the “chr” and encoded numerical values, so we then converted it into a “subsection”.\r\nA subsection takes a regex as input and forces all subsequent operations to act only on the values that match the regex. The process of \"converting to a subsection\" is just copy-and-pasting the regex from \"Regular Expression\" into \"Subsection\".\r\nWhat is a subsection?\r\nTLDR: A subsection is a CyberChef feature that forces all subsequent operations to apply only to values that match a provided regex (e.g. the highlighted values from the previous screenshots).\r\nA subsection is an effective way to “hone in” on particular content or values, allowing bulk operations without mangling the entire script. This was useful to avoid accidentally decoding numerical values that are unrelated to the “chr” functions and their encoding.\r\nTo hone in on our values, we replaced our previous regex operation with a subsection (making sure to keep the regex the same).\r\nAt first glance this isn't exciting, but the true power arrives when the recipe is expanded.\r\nFor example, the “chr” can now be easily removed, leaving only the brackets () and decimal values.\r\nBy applying the subsection before the Find/Replace, we can use the \"chr\" as a marker to hone in on specific values. We could skip the subsection and go straight to Find/Replace, but this may result in accidentally acting on other numerical values that are unrelated to our current decoding.\r\nA second regex can now be applied; this extracts only the numerical values from what our previous regex matched.\r\nIn the below screenshot, note how “chr(45)” becomes “45”, “chr(110)” becomes “110”, and so on.\r\nHoning in on those results, we can see that the “chr” and “()” have been removed. This leaves only the integers, as well as the “\u0026” used for string concatenation. (We’ll deal with these later.)\r\nA “From Decimal” can then be added, which will convert those numerical values back into ASCII.\r\nClose up, it’s still a bit messy, but we’ll deal with that in a moment.\r\nFor now, we can observe that the “chr” operations have been replaced with their ASCII equivalents (although the string concatenations make this hard to read).\r\nIn order to clean up for good, we needed to do two things.\r\nFirst, we needed to undo our subsection. This would allow us to remove the “\u0026” operators that were not included in our initial regex. This can be done with a “Merge” operation (essentially an “undo” button for subsections).\r\nWe then utilised a Find/Replace to remove the quote \"\" and “\u0026” junk.\r\nThe recipe then looked like this. The most complex piece is the `\u0026?\"\u0026?\\+?` regex. This looks for any quote that is preceded or followed by a \u0026 character (and an optional +); the ? specifies that the “\u0026” is optional.\r\nA visual representation of the regex, courtesy of regexper.com.\r\nWe then had a nicely decoded value and no remaining “chr” operations in our script.\r\nIf you’re confident with your regex, you could combine the previous two into one.\r\nThis ultimately leaves something like this, which is conceptually the same but slightly cleaner than the original recipe, at the cost of a slightly more complex regex.
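The whole Obfuscation 1 recipe in script form, added here as an example; it is not code from the original post. It is Python rather than a CyberChef recipe, the VBScript sample is constructed, and the regex does the job of the subsection: only runs of Chr() terms and the literals they are joined to are rewritten, so a plain number such as a Sleep argument survives. A decoded double quote (Chr(34)) is written back doubled, which keeps the result a valid VBScript literal; a cleanup that simply strips every quote next to an \u0026 cannot tell that case apart.

```python
import re

# Constructed sample, not the Huntress script. The Sleep argument is a plain
# number that a blanket From Decimal would mangle: only Chr() terms should decode.
SAMPLE_CHR = '''WScript.Sleep 1500
Set fso = CreateObject(Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & \"ing.\" & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))
arg = Chr(34) & \"hi\" & Chr(34)
'''

# One term of a concatenation: a Chr() call with a decimal argument (group 1), or a
# string literal, in which an embedded quote is written as two quotes.
CHR_TERM = '(?<![A-Za-z0-9_])Chr\\(\\s*([0-9]{1,3})\\s*\\)'
LIT_TERM = '\"(?:[^\"]|\"\")*\"'
TERM = '(?:' + CHR_TERM + '|' + LIT_TERM + ')'
TERM_RE = re.compile(TERM, re.IGNORECASE)
# A run of terms joined by the ampersand operator. This is the subsection: text
# outside a run is never touched, so other numbers in the script survive.
RUN = re.compile(TERM + '(?:\\s*&\\s*' + TERM + ')*', re.IGNORECASE)


def fuse_run(match):
    # Decode every Chr() in the run and splice the pieces into one literal.
    pieces = []
    for term in TERM_RE.finditer(match.group(0)):
        if term.group(1) is not None:
            code = int(term.group(1))
            if code > 255:
                return match.group(0)           # not a byte value: leave the whole run as is
            # Codes 128 to 255 depend on the system code page; Latin-1 is assumed here.
            # A decoded double quote is doubled so the result stays a valid VBScript literal.
            pieces.append(chr(code).replace('\"', '\"\"'))
        else:
            pieces.append(term.group(0)[1:-1])  # literal body, already escaped
    return '\"' + ''.join(pieces) + '\"'


def deobfuscate_decimal(script):
    # Equivalent of the post's subsection, Find/Replace, From Decimal and cleanup steps.
    return RUN.sub(fuse_run, script)


if __name__ == '__main__':
    print(SAMPLE_CHR)
    print(deobfuscate_decimal(SAMPLE_CHR))
```

Run it and compare the two outputs: the subsection-style match is why the Sleep line is untouched while the CreateObject argument collapses to a single literal. Replace SAMPLE_CHR with the text of a real script to use it on a case.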
\r\nFor a deeper explanation of the regex used, we highly recommend regexper.com and regex101.com. If you’re completely new to regex, we also strongly recommend regexone.com.\r\nObfuscation 1: Conclusion\r\nTLDR - Defeating Decimal Encoding:\r\nUse regex to locate the encoded values (locate the chr)\r\nUse a subsection to ‘act’ on the encoded values (hone in on the chr)\r\nUse Find/Replace to remove surrounding junk (remove the chr)\r\nPerform the decoding (From Decimal)\r\nIf necessary, remove any additional junk (remove the string concatenation)\r\nMake it pretty with a syntax highlighter\r\nObfuscation 2: Reversed Strings\r\nFurther analysis determined that there were reversed strings scattered throughout the code. This is typically used to evade simple string-based detection and analysis, and would likely evade YARA signatures that scan for suspicious strings in files saved to disk.\r\nBelow we can see the reversed content.\r\nThis encoding is simple and is literally just reversing the content of a string.\r\nWe could perform this operation manually in CyberChef, but as before, we knew it would take a while to deal with all of the reversed values.\r\nThe full StrReverse specification is here.\r\nWe decided to do these operations in bulk using CyberChef. Our approach:\r\nUtilise regex to locate the “reversed” values\r\nUse Find/Replace or regex to remove surrounding junk (the StrReverse function name in this case)\r\nPerform the decoding (utilising “Reverse” by Character)\r\nRestore the original state (utilise a Merge to undo the subsection)\r\nFirst, we developed the regex to locate only the reversed values. We used the same method as before, utilising “Regular Expression” and “Highlight Matches” until the highlighting matched exactly what we needed. (We all have our own regex styles; you can use any regex that successfully highlights the content you are interested in.)\r\nAn overview of the regex, courtesy of regexper.com. This basically says:\r\nGrab any occurrence of “StrReverse(” including the opening parenthesis\r\nGrab everything that is not a double quote\r\nGrab the ending double quote and closing parenthesis\r\nWe then converted the regex into a subsection and followed a similar methodology to before.\r\nSubsection - extract the “general” content of interest (in this case, “StrReverse” and any following quoted content)\r\nRegular Expression - extract the “exact” content of interest (only the content in quotes)\r\nReverse (by Character) - perform the reverse operation\r\nWe then observed that the “StrReverse” operations were removed and cleaned, with a before and after of an offending line.\r\nObfuscation 3: Replace\r\nBuilding on our last result, we could now see numerous “Replace” operations scattered throughout the code. We followed the same process as before:\r\nUse regex to “locate” the “encoded” values\r\nUse a subsection to “act” on the encoded values\r\nPerform the decoding\r\nRestore the script to a clean state\r\nWe utilised regex to locate our values of interest. This essentially grabs “Replace” followed by the next three values contained in double quotes.\r\nAfter confirming that our regex worked as intended, we converted the regex into a subsection and applied a Register.\r\nA Register allows us to extract values from the script and store them in “registers”, which are the CyberChef equivalent of variables. This would allow us to better implement the string replace operation.\r\nIn order to apply a Register, we applied the same regex as before, but added parentheses around the values that we wanted to store as variables. This concept is also known as a “capture group” if you’re already familiar with regex. (You can find a short tutorial on capture groups on regexone.com.)\r\nWe briefly shortened the malware script to better demonstrate this concept. See how the various values in the “Replace” operation are now stored as variables $R0, $R1, $R2 etc.\r\nAnother graphical explanation courtesy of regexper.com.\r\nWe had successfully extracted the values of interest using registers, which we then applied to a Find/Replace operation.\r\nThis operation was able to convert this original line into the following. (Again, the malware script has been shortened to demonstrate the concept.)\r\nWe then restored the full malware script and were able to obtain the following decoded content, noting that the Replace operations were now removed.\r\nThe completed recipe can be seen in the screenshot below.\r\n(Note the optional addition of a Find/Replace to turn backslashes into hyphens. The initially extracted backslashes were causing issues with the Find/Replace operation; this isn't necessary, but it results in a slightly cleaner output.)\r\nObfuscation 4: String Concatenation\r\nWe then had one final obfuscation remaining. It is arguably the simplest so far and, ironically, the only one that we could not resolve via CyberChef.\r\nThroughout the code are concatenated strings that the malware previously stored in variables.\r\nAn attempt was made to resolve this using subsections and registers, but ultimately we could not find a solution.\r\nWe then found a workaround that wasn’t CyberChef, but technically didn’t involve leaving the CyberChef window, so it was close enough.\r\nHere is the script with the original string concatenations (\"\u0026\").\r\nWe then replaced the Visual Basic string concatenation operator (\u0026) with its JavaScript equivalent (+) and used the Firefox developer console to dynamically concatenate the strings.\r\nThe concatenated strings can be seen below. This reveals the ultimate intention and purpose of the script, which was to use PowerShell to execute a second payload (a batch script) stored on the machine.\r\nFor the sake of readability and completeness, we manually replaced the last decoded values, leaving this as the final state of the script.\r\nBefore and After Pics\r\nHere you can see a full before and after of our CyberChef decoding.\r\nHere you can see a full before/after, with the string concatenations and assignments manually removed.
\r\nConclusion\r\nAt this point, we considered the script to be fully decoded and proceeded to analyze the remaining .bat script. This .bat script was itself obfuscated, and unravelled into another (unsurprisingly) obfuscated PowerShell script. This PowerShell script contained a loader for AsyncRAT malware.\r\nIf you’re interested in seeing some additional analysis of the remaining payloads, we highly recommend the following posts.\r\nMatthew Brennan - @embee_research https://twitter.com/embee_research/status/1589453390450683905?s=20\r\nMichael Elford - @Maverick_011 https://hcksyd.medium.com/asyncrat-analysing-the-three-stages-of-execution-378b343216bf\r\nSource: https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader"
	],
	"report_names": [
		"advanced-cyberchef-tips-asyncrat-loader"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434448,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60e5c7b8f167210637f0582463db3ad2f5e737e7.pdf",
		"text": "https://archive.orkl.eu/60e5c7b8f167210637f0582463db3ad2f5e737e7.txt",
		"img": "https://archive.orkl.eu/60e5c7b8f167210637f0582463db3ad2f5e737e7.jpg"
	}
}