Stealer Forked from PowerShell Token Grabber: Efficient Death

Kematian Stealer is a PowerShell-based token grabber delivered by a loader that decrypts a script from its resource section, then establishes persistence, collects data and exfiltrates it via Discord. This article documents its evolution from the PowerShell Token Grabber into a more capable variant with added evasion, browser-credential and Discord-token theft features. #KematianStealer #PowerShell #Discord #KDot227 #SomaliDevs #K7Labs

Keypoints

  • The sample is a 64-bit loader that decrypts a resource blob containing a batch file, then executes a PowerShell script.
  • The loader uses an RC4-like loop to decrypt the blob and then runs the resulting batch file with elevated privileges.
  • Persistence is achieved via the Windows Task Scheduler, with a copy of the PowerShell script stored in AppData.
  • Data collection focuses on system configuration and network environment, including public IP, system info, UUID, MAC, user/host, and netstat data.
  • Exfiltration leverages Discord webhooks, formatting a structured message with victim details before sending data.
  • Defenses are impaired by removing the Discord token protector executable and its secure.dat file if they are present.
  • New features include GUI builder, anti-virus evasion, WiFi password extraction, webcam/desktop capture, and session stealing across apps.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – ‘The loader written in C++, contains an obfuscated script in its resource section.’
  • [T1059.001] PowerShell – ‘The batch file containing the powershell_script is then executed.’
  • [T1548] Abuse Elevation Control Mechanism – ‘After decrypting, it tries to run the bat file with elevated privileges.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – ‘persistence via the Windows Task Scheduler.’
  • [T1105] Ingress Tool Transfer – ‘it tries to download a payload called main.exe.’
  • [T1560] Archive Collected Data – ‘compresses all the text files and zip the particular data directory.’
  • [T1082] System Information Discovery – ‘collects OS Version, Host Name, System Model and more.’
  • [T1016.001] IP Address Discovery – ‘obtaining the system’s public IP by invoking the web request … https://api.ipify.org.’
  • [T1047] Windows Management Instrumentation – ‘UUID and Mac addresses using WMI.’
  • [T1033] System Owner/User Discovery – ‘current username and hostname by using the system environment variable.’
  • [T1049] System Network Connections Discovery – ‘NETSTAT.exe and retrieves the network statistics, like active connections, listening ports with the associated Process IDs.’
  • [T1113] Screen Capture – ‘Desktop screenshot.’
  • [T1055] Process Injection – ‘inject into various discord clients to capture discord tokens, … injection.js.’
  • [T1555.003] Credentials from Web Browsers – ‘browser cookies, passwords, history’.
  • [T1567.002] Exfiltration to Web Service – ‘Discord webhook’ (structured Discord data posting).
  • [T1562.001] Impair Defenses – ‘removing Discord token protector.exe and secure.dat.’
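As an added defender-side illustration (not code from the K7 Labs article), the following Python correlates the behaviour chain summarised above over constructed host telemetry: a PowerShell script run from AppData, schtasks persistence, netstat discovery, the api.ipify.org lookup and a Discord webhook connection. Task names, paths and the webhook URL in the sample events are placeholders.

```python
"""Triage constructed host telemetry for the Kematian-style behaviour chain
described above (PowerShell from AppData, schtasks persistence, netstat
discovery, api.ipify.org lookup, Discord webhook exfiltration)."""
import re
from collections import defaultdict

# One regex per stage. Task names, paths and webhook IDs in the sample are
# constructed placeholders, not values from the K7 Labs report.
RULES = {
    "ps_from_appdata": re.compile(r"powershell.*\\AppData\\.*\.ps1", re.I),
    "schtasks_persist": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    "netstat_discovery": re.compile(r"\bnetstat(\.exe)?\b", re.I),
    "public_ip_lookup": re.compile(r"api\.ipify\.org", re.I),
    "discord_webhook": re.compile(r"discord(app)?\.com/api/webhooks/", re.I),
}
# Stages that must all be present before a host is reported: a PowerShell
# script in AppData alone (or a lone discord.com connection) is too noisy.
REQUIRED = {"ps_from_appdata", "public_ip_lookup", "discord_webhook"}

def triage(events):
    """Return {host: sorted matched stages} for hosts hitting every REQUIRED stage."""
    hits = defaultdict(set)
    for ev in events:
        text = ev.get("cmdline", "") + " " + ev.get("dest", "")
        for stage, rx in RULES.items():
            if rx.search(text):
                hits[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in hits.items() if REQUIRED <= s}

# Constructed sample events; ws02 is benign noise that must not be reported.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"schtasks.exe /create /sc onlogon /tn UpdaterTask /tr "
                                r"C:\Users\a\AppData\Roaming\PowerShell.ps1"},
    {"host": "ws01", "cmdline": r"powershell.exe -ep bypass -w hidden -f "
                                r"C:\Users\a\AppData\Roaming\PowerShell.ps1"},
    {"host": "ws01", "cmdline": "NETSTAT.exe -ano"},
    {"host": "ws01", "cmdline": "powershell.exe", "dest": "https://api.ipify.org"},
    {"host": "ws01", "cmdline": "powershell.exe",
     "dest": "https://discord.com/api/webhooks/000000/PLACEHOLDER"},
    {"host": "ws02", "cmdline": r"powershell.exe -f C:\Program Files\IT\inv.ps1"},
    {"host": "ws02", "cmdline": "Discord.exe", "dest": "https://cdn.discordapp.com"},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring the full chain rather than any single stage keeps ordinary PowerShell automation and legitimate Discord traffic out of the alert queue.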

Indicators of Compromise

  • [File name] IoCs – Loader, 584A.bat, PowerShell.ps1, Main.exe, Injection.js
  • [Hash] IoCs – 02F3B7596CFF59B0A04FD2B0676BC395, D2EA85153D712CCE3EA2ABD1A593A028, A3619B0A3EE7B7138CEFB9F7E896F168, E06F672815B89458C03D297DB99E9F6B, 1CBBFBC69BD8FA712B037EBE37E87709
  • [URL] IP Discovery – https://api.ipify.org

Read more: https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/