KEMATIAN STEALER SAMPLE

    Date: 08/23/2024

    Severity: High

    Summary

    In July 2024, Kematian Stealer was initially identified as a "PowerShell-based Token Grabber." Kematian Stealer is under active development and is available as an open-source tool on GitHub. A Kematian Stealer C2 server control panel was operational at https://64.52.80.191:8080/ in July 2024. Earlier today, we detected a Kematian Stealer sample submitted to VirusTotal.

    Indicators of Compromise (IOC) List

    Domains / URLs

    https://64.52.80.191:8080/

    https://anonsharing.com/file/299cef131201faea/hack.exe

    https://github.com/43a1723/

    https://github.com/43a1723/test/raw/main/extras/hacklife/main.bin

    https://github.com/43a1723/test/releases/download/autobuild/download.bat

    https://github.com/pirate-devs/kematian

    https://raw.githubusercontent.com/43a1723/test/main/download.ps1

    anonsharing.com

    IP Address 

    64.52.80.191

    Hash

    4f1745dc20453c92c7025b8ffb40e2789070b604624f09117f8b3406fb6c46de

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs

    userdomainname like "https://64.52.80.191:8080/" or url like "https://64.52.80.191:8080/" or userdomainname like "https://github.com/43a1723/" or url like "https://github.com/43a1723/" or userdomainname like "anonsharing.com" or url like "anonsharing.com" or userdomainname like "https://github.com/43a1723/test/releases/download/autobuild/download.bat" or url like "https://github.com/43a1723/test/releases/download/autobuild/download.bat" or userdomainname like "https://github.com/43a1723/test/raw/main/extras/hacklife/main.bin" or url like "https://github.com/43a1723/test/raw/main/extras/hacklife/main.bin" or userdomainname like "https://anonsharing.com/file/299cef131201faea/hack.exe" or url like "https://anonsharing.com/file/299cef131201faea/hack.exe"

    IP Address

    dstipaddress IN ("64.52.80.191") or ipaddress IN ("64.52.80.191") or publicipaddress IN ("64.52.80.191") or srcipaddress IN ("64.52.80.191")

    Hash 

    sha256hash IN ("4f1745dc20453c92c7025b8ffb40e2789070b604624f09117f8b3406fb6c46de")
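    As an added example (not part of this advisory and not Gurucul product code), the same IOCs as a small host-aware matcher run over constructed JSON-lines events. Unlike the exact-string URL clauses above, it also flags requests to the C2 host on any other path or port and lower-cases hashes before comparing; the event format and field names are assumed to mirror the query fields above.

```python
import json
from urllib.parse import urlparse

# IOC values below are taken verbatim from the advisory above.
IOC_URLS = {
    "https://64.52.80.191:8080/",
    "https://anonsharing.com/file/299cef131201faea/hack.exe",
    "https://github.com/43a1723/test/raw/main/extras/hacklife/main.bin",
    "https://github.com/43a1723/test/releases/download/autobuild/download.bat",
    "https://raw.githubusercontent.com/43a1723/test/main/download.ps1",
}
IOC_URL_PREFIXES = {"https://github.com/43a1723/"}   # anything under that account
IOC_HOSTS = {"anonsharing.com", "64.52.80.191"}      # host match, any path or port
IOC_IPS = {"64.52.80.191"}
IOC_SHA256 = {"4f1745dc20453c92c7025b8ffb40e2789070b604624f09117f8b3406fb6c46de"}

# Constructed sample events (JSON lines), not real telemetry; keys mirror the query fields above.
SAMPLE_EVENTS = [
    '{"url": "https://64.52.80.191:8080/login", "dstipaddress": "64.52.80.191"}',
    '{"url": "https://github.com/43a1723/test/raw/main/extras/hacklife/main.bin"}',
    '{"url": "https://github.com/octocat/Hello-World"}',
    '{"sha256hash": "4F1745DC20453C92C7025B8FFB40E2789070B604624F09117F8B3406FB6C46DE"}',
]

def match_event(event):
    """Return the IOC hits for one event; an empty list means no match."""
    hits = []
    url = event.get("url")
    if url:
        host = urlparse(url).hostname or ""   # strips scheme, port and path; lower-cased
        if url in IOC_URLS or any(url.startswith(p) for p in IOC_URL_PREFIXES):
            hits.append(f"url:{url}")
        elif host in IOC_HOSTS:
            hits.append(f"host:{host}")
    for field in ("dstipaddress", "srcipaddress", "ipaddress", "publicipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(f"{field}:{event[field]}")
    sha = (event.get("sha256hash") or "").lower()   # hashes compare case-insensitively
    if sha in IOC_SHA256:
        hits.append(f"sha256:{sha}")
    return hits

def scan(json_lines):
    """Parse JSON-lines events and report (line number, hits) for each match."""
    findings = []
    for n, line in enumerate(json_lines, 1):
        hits = match_event(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings
```

    Running `scan(SAMPLE_EVENTS)` reports events 1, 2 and 4; the unrelated GitHub URL in event 3 does not hit because only the actor's account prefix, not github.com as a whole, is an indicator.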

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-21-Kematian-Stealer-info.txt 

    Tags

    MalwareExploit
