Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”.
Today, I analyse an HTA malware sample from vx-underground.
The demo for this analysis can be found on my YouTube.
File Identification and Malicious Indicators
The file is an HTML Application (HTA) file with an embedded VBScript (macro) that has the capability to reach out to ten (10) URLs to download files, which are then executed using environment variables.
md5: 7E8CC3E57C7FBDE46E82BFF601790EF5
sha1: CA8A4B2EA37256B2014A64ABA2E85818857CD8A4
sha256: 18C55BF653816C7AD10210A04085658E6D7919AD041061387647BDDA9549917A
first-bytes-text: < ! D O C T Y P E h t m l > .. .. < h t m l > ..
file-size: 5664 (bytes)
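The indicators listed above (embedded VBScript, COM objects, download URLs, environment-variable paths) are exactly what a first static pass over an HTA should surface. The script below is an added triage example, not the author's tooling; the embedded HTA and every URL and path in it are constructed placeholders, not the sample's real indicators.

```python
"""Static triage of an HTA: pull out script blocks, COM ProgIDs,
URLs and %VAR% references without executing anything."""
import re
from html.parser import HTMLParser

# Constructed sample HTA. URLs and paths are placeholders, not IoCs.
SAMPLE_HTA = """<!DOCTYPE html>
<html><head><title>x</title>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
Set xh = CreateObject("MSXML2.XMLHTTP")
u1 = "http://example.invalid/stage1.txt"
u2 = "https://example.invalid/stage2.txt"
dst = sh.ExpandEnvironmentStrings("%TEMP%") & "\\payload.bin"
</script>
</head><body></body></html>
"""

class _ScriptGrabber(HTMLParser):
    """Collects (language, source) for every <script> block in the HTA."""
    def __init__(self):
        super().__init__()
        self.blocks = []
        self._lang, self._buf = None, []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._lang = dict(attrs).get("language", "unspecified").lower()
            self._buf = []
    def handle_data(self, data):
        if self._lang is not None:      # only inside an open <script>
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._lang is not None:
            self.blocks.append((self._lang, "".join(self._buf)))
            self._lang = None

def extract_scripts(hta_text):
    g = _ScriptGrabber()
    g.feed(hta_text)
    return g.blocks

def triage(hta_text):
    """Sorted, de-duplicated COM ProgIDs, URLs and %VARS% from all scripts."""
    src = "\n".join(body for _, body in extract_scripts(hta_text))
    return {
        "objects": sorted(set(re.findall(r'CreateObject\(\s*"([^"]+)"', src, re.I))),
        "urls": sorted(set(re.findall(r'https?://[^\s"\'<>]+', src, re.I))),
        "env_vars": sorted(set(re.findall(r'%([A-Za-z_][A-Za-z0-9_]*)%', src))),
    }

if __name__ == "__main__":
    for key, vals in triage(SAMPLE_HTA).items():
        print(key, vals)
```

Run it over a real sample's text and the `objects` list shows which COM interfaces the script instantiates while `urls` gives the download set to block or hunt for.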
Code Analysis
I opened the file in VS Code to perform some static code analysis.
The script creates the following objects:
- WScript.Shell: a generic name for a powerful object that enables you to query and interact with various aspects of the Windows shell. You…