{"id":22956724,"url":"https://github.com/vysecurity/morphhta","last_synced_at":"2025-04-04T23:09:07.356Z","repository":{"id":40342859,"uuid":"83034695","full_name":"vysecurity/morphHTA","owner":"vysecurity","description":"morphHTA - Morphing Cobalt Strike's evil.HTA","archived":false,"fork":false,"pushed_at":"2023-04-14T19:15:57.000Z","size":2041,"stargazers_count":520,"open_issues_count":3,"forks_count":129,"subscribers_count":26,"default_branch":"master","last_synced_at":"2025-03-28T22:13:39.136Z","etag":null,"topics":["application","cobalt","evil","hta","html","malware","strike"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vysecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["vysecurity"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2017-02-24T11:27:00.000Z","updated_at":"2025-03-23T06:50:56.000Z","dependencies_parsed_at":"2025-01-18T22:38:45.937Z","dependency_job_id":"86e2a553-f622-4566-b4e6-ca6d7508a025","html_url":"https://github.com/vysecurity/morphHTA","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vysecurity%2FmorphHTA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vysecurity%2FmorphHTA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/vysecurity%2FmorphHTA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vysecurity%2FmorphHTA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vysecurity","download_url":"https://codeload.github.com/vysecurity/morphHTA/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247261612,"owners_count":20910108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application","cobalt","evil","hta","html","malware","strike"],"created_at":"2024-12-14T17:05:38.660Z","updated_at":"2025-04-04T23:09:07.337Z","avatar_url":"https://github.com/vysecurity.png","language":"Python","funding_links":["https://github.com/sponsors/vysecurity"],"categories":[],"sub_categories":[],"readme":"Disclaimer\n==========\nAs usual, this code and tool should not be used for malicious purposes.\n\nWritten by Vincent Yiu of MDSec Consulting's ActiveBreach team. 
Modification of code is allowed with credits to author.\n\nExplorer and SWBemLocator COM Moniker research is by @enigma0x3\n\nmorphHTA\n========\n\n\u003cimg src=\"example.png\"\u003e\n\n\u003cb\u003eUsage\u003c/b\u003e: \n```\nusage: morph-hta.py [-h] [--in \u003cinput_file\u003e] [--out \u003coutput_file\u003e]\n                    [--maxstrlen \u003cdefault: 1000\u003e] [--maxvarlen \u003cdefault: 40\u003e]\n                    [--maxnumsplit \u003cdefault: 10\u003e]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --in \u003cinput_file\u003e     File to input Cobalt Strike PowerShell HTA\n  --out \u003coutput_file\u003e   File to output the morphed HTA to\n  --maxstrlen \u003cdefault: 1000\u003e\n                        Max length of randomly generated strings\n  --maxvarlen \u003cdefault: 40\u003e\n                        Max length of randomly generated variable names\n  --maxnumsplit \u003cdefault: 10\u003e\n                        Max number of times values should be split in chr\n                        obfuscation\n```\n\n\n\nExamples:\n=========\n```\n/morphHTA# python morph-hta.py\n﻿███╗   ███╗ ██████╗ ██████╗ ██████╗ ██╗  ██╗      ██╗  ██╗████████╗ █████╗\n████╗ ████║██╔═══██╗██╔══██╗██╔══██╗██║  ██║      ██║  ██║╚══██╔══╝██╔══██╗\n██╔████╔██║██║   ██║██████╔╝██████╔╝███████║█████╗███████║   ██║   ███████║\n██║╚██╔╝██║██║   ██║██╔══██╗██╔═══╝ ██╔══██║╚════╝██╔══██║   ██║   ██╔══██║\n██║ ╚═╝ ██║╚██████╔╝██║  ██║██║     ██║  ██║      ██║  ██║   ██║   ██║  ██║\n╚═╝     ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝     ╚═╝  ╚═╝      ╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═╝\n\nMorphing Evil.HTA from Cobalt Strike\nAuthor: Vincent Yiu (@vysec, @vysecurity)\n\n\n[*] morphHTA initiated\n[+] Writing payload to morph.hta\n[+] Payload written\n```\n\n\n\u003cb\u003eMax variable name length and randomly generated string length reduced to reduce overall size of HTA output:\u003c/b\u003e\n\n`/morphHTA# python morph-hta.py --maxstrlen 4 --maxvarlen 
4`\n\n\n\u003cb\u003eMax split in chr() obfuscation; lowering it reduces the number of additions and therefore the output length:\u003c/b\u003e\n\n`/morphHTA# python morph-hta.py --maxnumsplit 4`\n\n\n\u003cb\u003eChange the input and output files:\u003c/b\u003e\n\n`/morphHTA# python morph-hta.py --in advert.hta --out advert-morph.hta`\n\n\nVideo how to\n============\nhttps://www.youtube.com/watch?v=X4S2aQ4o_jA\n\n\nVirusTotal Example\n==================\n\n\u003cb\u003e\u003ci\u003eI suggest not uploading to VT\u003c/i\u003e\u003c/b\u003e:\n\n\u003cimg src=\"virustotal.png\"\u003e\n\n\n\n\nExample of Obfuscated HTA content\n=================================\n\u003cimg src=\"exampleobf.png\"\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvysecurity%2Fmorphhta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvysecurity%2Fmorphhta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvysecurity%2Fmorphhta/lists"}