Obfuscated batch file downloads open-source stealer straight from GitHub

0/64 detections on VirusTotal
as of 03.07.2024

The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64). 

This batch file downloads an open-source stealer directly from GitHub, patches the C2 URL on-the-fly, and executes it. Additionally, it performs anti-tampering and anti-VM checks, making it a sophisticated threat.

No detections on VirusTotal

0 of 64

Heavy obfuscation: Uses SomalifuscatorV2


Text editor confusion: Abuses UTF-16 Byte Order Marker


Encoding: Uses ROT-24 encoding


Anti-VM checks: Checks for VM (>4GB RAM) and employs anti-tampering methods


Stealer download: Fetches open-source KematianStealer from GitHub, patches C2 on the fly


Stealer behavior: Written in PowerShell, exfiltrates sensitive data, evades monitoring, maintains persistence

Dive deeper into the report

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights