Obfuscated batch file downloads open-source stealer straight from GitHub
0/64 detections on VirusTotal as of 03.07.2024
The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64).
This batch file downloads an open-source stealer directly from GitHub, patches the C2 URL on the fly, and executes it. It also performs anti-tampering and anti-VM checks, making it a sophisticated threat.
No detections on VirusTotal: 0 of 64
Heavy obfuscation: Uses SomalifuscatorV2
Text editor confusion: Abuses UTF-16 Byte Order Marker
Encoding: Uses ROT-24 encoding
Anti-VM checks: Checks whether the host has more than 4 GB of RAM as a VM heuristic and employs anti-tampering methods
Stealer download: Fetches open-source KematianStealer from GitHub, patches C2 on the fly
Stealer behavior: Written in PowerShell, exfiltrates sensitive data, evades monitoring, maintains persistence