{
	"id": "a0bb3f87-4002-438e-928a-424cc6a7c194",
	"created_at": "2026-04-10T03:22:10.154567Z",
	"updated_at": "2026-04-10T03:22:16.603039Z",
	"deleted_at": null,
	"sha1_hash": "d64589f6808cc3a0dd74d798f1343587452f1502",
	"title": "Cobalt Strike Malware Analysis With CyberChef and Emulation - .HTA Loader Example",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4457636,
	"plain_text": "Cobalt Strike Malware Analysis With CyberChef and Emulation -\r\n.HTA Loader Example\r\nBy Matthew\r\nPublished: 2023-10-20 · Archived: 2026-04-10 02:46:33 UTC\r\nIn this post, we will demonstrate a process for decoding a simple .hta loader used to load Cobalt Strike shellcode.\r\nWe will perform initial analysis using a text editor, and use CyberChef to extract the embedded shellcode. From here\r\nwe will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.\r\nHash: 2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680\r\nMalware Bazaar Link:\r\nAnalysis\r\nAnalysis can begin by downloading the zip file into a safe virtual machine and unzipping it with the password\r\ninfected\r\nThis will reveal a .hta file. A .hta file is essentially an HTML file with an embedded script. Our aim is to locate\r\nand analyse the embedded script.\r\nSince .hta is a text-based format, we can go straight to opening the file inside of a text editor.\r\nAnalysis with a Text Editor\r\nOpening the file inside of a text editor will reveal a small piece of obfuscated code followed by a large base64\r\nblob.\r\nhttps://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/\r\nPage 1 of 9\r\nFor the purposes of this blog, we don't need to decode the initial pieces, as it's safe to assume that it just executes a\r\nPowerShell command containing the base64 blob.\r\nWe can tell this by the presence of a PowerShell command and a broken-up wscript.shell, which is commonly\r\nused to execute commands from JavaScript.\r\nUsing the theory that the initial script just executes the base64 blob, we can go straight to decoding the base64.\r\nIf the base64 blob does not decode, we can always return to the initial pieces to investigate further.\r\nDecoding the Base64\r\nWe can proceed by highlighting the entire base64 blob and copying it into CyberChef; from here we can attempt to\r\ndecode it.\r\nCopying the base64 content into CyberChef, we can see plaintext with null bytes in between the characters.\r\nThis generally indicates UTF-16 encoding, which is very simple to remove with \"decode text\" or \"remove null\r\nbytes\".\r\nBy adding a \"remove null bytes\" operation to the recipe, we can obtain the decoded content, which looks like a PowerShell\r\nscript.\r\nThe use of \"decode text\" with \"utf-16\" would also have worked fine.\r\nEither of these options will result in a decoded PowerShell script, which we can highlight and copy into a new text\r\neditor window.\r\nAnalysis of The PowerShell Script\r\nWith the PowerShell script now placed into a text editor, we can go ahead and scan for keywords or anything that\r\nmay indicate where we can go next.\r\nFor me, there are two primary things that stand out: the large blob of hex bytes in the middle of the script,\r\nas well as numerous references to APIs that can be used to allocate (VirtualAlloc), write (memset) and execute\r\n(CreateThread) something in memory.\r\nThere are a few small things at the bottom of the script, but these aren't as important. The script sleeps\r\nfor 60 seconds and appears to attempt to switch to a 64-bit version of PowerShell if the initial script\r\nfails.\r\nFor now, let's go on the assumption that the hex bytes contain something that is going to be executed.\r\nDecoding The Hex Bytes Using CyberChef\r\nTo analyse the hex bytes, we can copy them out and try to decode them using CyberChef.\r\nWe can do that by copying out the following bytes and moving them to CyberChef.\r\nOnce copied, the bytes can be decoded with a simple \"from hex\" operation. In this case the commas , and 0x\r\nprefixes were automatically recognized.\r\nWe can also see that although the content was \"decoded\", it still doesn't look good. It looks like a blob of junk\r\nthat failed to decode.\r\nValidating ShellCode With CyberChef\r\nAt this point, we need to validate our assumption that the decoded content is shellcode. At first glance it looks like\r\na blob of junk.\r\nOne common way is to look for plaintext values (IPs, API names) inside of shellcode, but this won't\r\nhelp us here. We'll need to do additional analysis.\r\nUsing CyberChef, we can validate our theory that the content is shellcode by attempting to disassemble the bytes.\r\nTo do this, we need to convert the values to hex and then use the Disassemble x86 operation of CyberChef.\r\nHere we can see that the bytes have successfully disassembled. We can primarily tell this since there are\r\nno glaring red sections indicating a failed disassembly, and from the presence of\r\nCLD (Clear Direction), which is a common first instruction executed by shellcode.\r\nThere are some other indicators like an early call operation and a ror 0D operation which are common to\r\nCobalt Strike shellcode. These are patterns that are strange but become easily recognizable after you've seen a few\r\nshellcode examples.\r\nFor now, we can assume with higher confidence that the data is shellcode and do further validation by attempting\r\nto execute it.\r\nAt this point you could continue to analyse the disassembled bytes for signs of something \"interesting\",\r\nbut this is generally difficult and requires some familiarity with x86 instructions. It is often much easier\r\nto try and execute the code, especially for larger shellcode samples.\r\nValidating ShellCode By Executing Inside an Emulator\r\nTo further validate that the data is shellcode and attempt to determine its functionality, we can save it to a file and\r\ntry to run it inside an emulator or debugger.\r\nIn this case, we will be using the SpeakEasy tool from FireEye. You can read about SpeakEasy here and\r\ndownload it from GitHub.\r\nBefore running SpeakEasy, we can first download the raw bytes of our suspected shellcode (make sure to remove\r\nthe \"to hex\" and \"Disassemble x86\" operations from the recipe first).\r\nYou can name the file anything you like; we have named it shellcode.bin.\r\nFrom here, a command prompt can be opened and the SpeakEasy tool executed with the following arguments:\r\n-t - Target file to emulate\r\n-r - Tells SpeakEasy that the file is shellcode\r\n-a x86 - Tells SpeakEasy to assume x86 instructions. (This will almost always be x86 or x64. If\r\neither fails, try the other one.)\r\nHitting enter, SpeakEasy is successfully able to emulate the code. We can see that numerous API calls were made\r\nin an attempt to download something from 51.79.49[.]174:443\r\nConclusion\r\nAt this point, it would be safe to assume that the primary purpose of the entire script and shellcode is to act as a\r\ndownloader.\r\nFrom here, we would investigate connections to that IP address and identify if anything was successfully\r\ndownloaded and executed. You could also investigate any recent malware alerts for Cobalt Strike, or perform\r\nsome hunting on the initial execution of .hta (mshta.exe parent process) to powershell.exe (child process).\r\nSource: https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/"
	],
	"report_names": [
		"malware-analysis-decoding-a-simple-hta-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775791330,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d64589f6808cc3a0dd74d798f1343587452f1502.pdf",
		"text": "https://archive.orkl.eu/d64589f6808cc3a0dd74d798f1343587452f1502.txt",
		"img": "https://archive.orkl.eu/d64589f6808cc3a0dd74d798f1343587452f1502.jpg"
	}
}