Obfuscated batch file downloads open-source stealer straight from GitHub

0/64 detections on VirusTotal
as of 03.07.2024

The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64). 

This batch file downloads an open-source stealer directly from GitHub, patches the C2 URL on-the-fly, and executes it. Additionally, it performs anti-tampering and anti-VM checks, making it a sophisticated threat.

No detections on VirusTotal

0 of 64

Heavy obfuscation: Uses SomalifuscatorV2

 

Text editor confusion: Abuses UTF-16 Byte Order Marker

 

Encoding: Uses ROT-24 encoding

 

Anti-VM checks: Checks for VM (>4GB RAM) and employs anti-tampering methods

 

Stealer download: Fetches open-source KematianStealer from GitHub, patches C2 on the fly

 

Stealer behavior: Written in PowerShell, exfiltrates sensitive data, evades monitoring, maintains persistence

Dive deeper into the report

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Days
Hours
Minutes
Seconds

Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!