Obfuscated batch file downloads open-source stealer straight from GitHub
0/64 detections on VirusTotal as of 03.07.2024
The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64).
This batch file downloads an open-source stealer directly from GitHub, patches its C2 URL on the fly, and executes it. It also performs anti-tampering and anti-VM checks, making it a sophisticated threat.
No detections on VirusTotal: 0 of 64
Heavy obfuscation: Uses SomalifuscatorV2
Text editor confusion: Abuses UTF-16 Byte Order Marker
Encoding: Uses ROT-24 encoding
Anti-VM checks: Checks for VM (>4GB RAM) and employs anti-tampering methods
Stealer download: Fetches open-source KematianStealer from GitHub, patches C2 on the fly
Stealer behavior: Written in PowerShell, exfiltrates sensitive data, evades monitoring, maintains persistence
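The two file-level tricks listed above, a UTF-16 byte order marker in front of plain 8-bit batch text and ROT-24 letter rotation, are easy to check for during triage. The following Python script is an added example written for this page; it is not VMRay's tooling, the batch sample it analyses is constructed (with placeholder URLs), and the assumption that the payload strings are rotated by +24 (so that a +2 rotation decodes them) is mine.

```python
"""
Triage helper for batch files that carry a misleading UTF-16 BOM and
ROT-24 encoded strings. Added example for this page; not VMRay's code.
The sample batch file below is constructed and uses placeholder URLs.
"""
import re

UTF16_LE_BOM = b"\xff\xfe"
UTF16_BE_BOM = b"\xfe\xff"

# Matches http(s) URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def has_misleading_utf16_bom(data: bytes) -> bool:
    """True when the file starts with a UTF-16 BOM but the body is 8-bit text.

    Editors that trust the BOM decode the body as UTF-16 and show garbage,
    while cmd.exe does not honour a UTF-16 BOM and parses the bytes as
    ordinary batch text, so the script still runs.
    """
    if not (data.startswith(UTF16_LE_BOM) or data.startswith(UTF16_BE_BOM)):
        return False
    body = data[2:]
    if not body:
        return False
    # Genuine UTF-16 text of ASCII characters has a NUL in every other byte;
    # a body with almost no NULs is 8-bit text wearing a UTF-16 BOM.
    nul_ratio = body.count(b"\x00") / len(body)
    return nul_ratio < 0.05


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` positions; other characters are kept."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_rot24(text: str) -> str:
    """Undo a +24 rotation (assumed encoding direction) with a +2 rotation."""
    return rot(text, 26 - 24)


def triage(data: bytes) -> dict:
    """Strip a misleading BOM, decode ROT-24 text and pull out URLs.

    URLs are searched in both the raw and the decoded text so that files
    which encode only some lines are still covered.
    """
    misleading = has_misleading_utf16_bom(data)
    body = data[2:] if misleading else data
    raw = body.decode("latin-1")
    decoded = decode_rot24(raw)
    urls = set(URL_RE.findall(raw)) | set(URL_RE.findall(decoded))
    return {
        "misleading_bom": misleading,
        "decoded": decoded,
        "github_urls": sorted(u for u in urls if "github" in u.lower()),
        "other_urls": sorted(u for u in urls if "github" not in u.lower()),
    }


# Constructed sample: a BOM followed by ROT-24 encoded batch lines.
# The URLs are placeholders, not real indicators.
SAMPLE_PLAIN_LINES = (
    "@echo off\r\n"
    "set url=https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/payload.ps1\r\n"
    "set c2=https://c2.example.invalid/gate\r\n"
)
SAMPLE_FILE = UTF16_LE_BOM + rot(SAMPLE_PLAIN_LINES, 24).encode("ascii")


if __name__ == "__main__":
    result = triage(SAMPLE_FILE)
    print("misleading BOM:", result["misleading_bom"])
    print("GitHub URLs:   ", result["github_urls"])
    print("other URLs:    ", result["other_urls"])
    print(result["decoded"])
```

The NUL-byte ratio is a deliberately loose heuristic: real UTF-16 text of mostly ASCII characters is roughly half NUL bytes, so anything well below that after a UTF-16 BOM is worth a closer look. Decoding the whole body with a fixed rotation only helps for fully encoded files; for files that mix plain and encoded lines, the script searches both views for URLs rather than trying to guess which lines are encoded.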