Obfuscated batch file downloads open-source stealer straight from GitHub
0/64 detections on VirusTotal as of 03.07.2024
The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64).
This batch file downloads an open-source stealer directly from GitHub, patches the C2 URL on-the-fly, and executes it. Additionally, it performs anti-tampering and anti-VM checks, making it a sophisticated threat.
No detections on VirusTotal
0 of 64
Heavy obfuscation: Uses SomalifuscatorV2
Â
Text editor confusion: Abuses UTF-16 Byte Order Marker
Â
Encoding: Uses ROT-24 encoding
Â
Anti-VM checks: Checks for VM (>4GB RAM) and employs anti-tampering methods
Â
Stealer download: Fetches open-source KematianStealer from GitHub, patches C2 on the fly
Â
Stealer behavior: Written in PowerShell, exfiltrates sensitive data, evades monitoring, maintains persistence
Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!