morphHTA icon indicating copy to clipboard operation
morphHTA copied to clipboard

Published 20 hours ago verified publisher icon vysecurity

Unable to morph - traceback error

Open pranavperfect opened this issue 6 years ago • 6 comments

Using default generated powershell HTA from Cobalt Strike 3.14 (Release May 4, 2019). Getting the following error:

Screenshot from 2019-08-13 11-51-40

pranavperfect avatar Aug 13 '19 15:08 pranavperfect

May depend on the type of launch method. I’ll revisit shortly.

On Tue, 13 Aug 2019 at 23:56, Pranav Sharma [email protected] wrote:

Using default generated powershell HTA from Cobalt Strike 3.14 (Release May 4, 2019). Getting the following error:

[image: Screenshot from 2019-08-13 11-51-40] https://user-images.githubusercontent.com/20574960/62956644-4f670480-bdc1-11e9-99ec-c3d9d4a3d66d.png

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/vysecurity/morphHTA/issues/3?email_source=notifications&email_token=AA3N7UU6YGK23WWRCWP2S4LQELKRFA5CNFSM4ILMJBCKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HE72SGA, or mute the thread https://github.com/notifications/unsubscribe-auth/AA3N7URT3R4K5FLL2EB7M73QELKRFANCNFSM4ILMJBCA .

vysecurity avatar Aug 14 '19 01:08 vysecurity

Hello, I also tried it a few times to morph a evil.hta generated with Cobalt Strike 3.14. Is there already any solution? THX

VirtualAlllocEx avatar Sep 08 '19 20:09 VirtualAlllocEx

It still works IMO?

vysecurity avatar Oct 14 '19 07:10 vysecurity

It still works IMO?

Nope ~ I got the same problem here

RubyistCTRLDYT avatar Dec 29 '19 13:12 RubyistCTRLDYT

Any update on this issue? Thx for help :)

chef42 avatar May 25 '20 09:05 chef42

The solution to this is in the evil.hta, you must include .exe to the end of powershell within the hta.

Pascal-0x90 avatar Aug 11 '20 16:08 Pascal-0x90