{
	"id": "fead0a61-1dbd-40e5-827f-d53290a25554",
	"created_at": "2026-04-06T01:30:27.381455Z",
	"updated_at": "2026-04-10T03:21:50.542914Z",
	"deleted_at": null,
	"sha1_hash": "b4e7cd1536654fb60823a76bf675e759bd902aa7",
	"title": "Kematian Stealer forked from PowerShell Token Grabber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1130402,
	"plain_text": "Kematian Stealer forked from PowerShell Token Grabber\r\nPublished: 2024-07-02 · Archived: 2026-04-06 00:06:38 UTC\r\nStealers are a widespread threat that provide threat actors with access to a wealth of sensitive data, which is then exfiltrated to them for further abuse. Kematian Stealer, a PowerShell-based tool, is one such sophisticated malware.\r\nRecently we came across a tweet about Kematian Stealer. It was a PowerShell-based token grabber.\r\nFigure 1: Execution_Flow\r\nBinary Analysis\r\nLet’s now analyse the malware in depth. The binary is a 64-bit portable executable that acts as a loader.\r\nThe loader, written in C++, contains an obfuscated script in its resource section.\r\nFigure 2: Resource-Blob\r\nThe malware extracts the “112E9CAC33494A35D3547F4B3DCD2FD5” blob from the resource section and decrypts it; the decrypted blob is a batch file.\r\nhttps://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/\r\nPage 1 of 10\r\nFigure 3: Decryption_Loop\r\nThe above loop is used to decrypt the blob mentioned earlier. It is likely RC4.\r\nFigure 4: Decrypted_Script\r\nAfter decrypting, it tries to run the bat file with elevated privileges.\r\nFigure 5: Bat_File (am_admin)\r\nThe batch file containing the PowerShell script is then executed.\r\nOn execution, it checks whether the script is running with admin privileges. If not, it prompts the user to run the script with elevated privileges. Only if the script obtains elevated privileges does it move on to the next function.\r\nFigure 6: Check_If_Admin\r\nAfter that it runs the task function used for persistence. It creates persistence via the Windows Task Scheduler.\r\nFirst it creates a copy of the PowerShell script and places it in the %Appdata% folder with the filename percs.ps1.\r\nFigure 7: Task_Creation\r\nThe script checks whether the directory, file, and task already exist before creating them. This prevents conflicts that would arise if multiple instances ran simultaneously, potentially causing system instability or alerting the user to unusual behaviour.\r\nThen it moves on to the data collection function called Grub.\r\nData collection\r\nThe Grub function contains the main stealer code, which is mainly focused on system configuration and network environment information.\r\nIt begins by obtaining the system’s public IP with the web request “Invoke-WebRequest -Uri https://api.ipify.org”. After obtaining the IP it stores it in a text file “ip.txt” located in the user’s local application data directory, “%LOCALAPPDATA%\\Temp\\ip.txt”.\r\nFigure 8: IP_Stealer\r\nIt then collects system information using the Windows command line. PowerShell executes Systeminfo.exe, which retrieves system information such as OS version, host name, system model and more. After getting all the information it redirects the output to a text file named “system_info.txt” and stores it at “%LOCALAPPDATA%\\Temp\\System_info.txt”.\r\nFigure 9: System_Info_stealer\r\nAfter collecting the system info and the public IP, it starts to collect the system UUID and MAC addresses using WMI. It extracts the UUID and MAC address values from WMI and stores them in text files named “uuid.txt” and “mac.txt” at “%LOCALAPPDATA%\\Temp\\uuid.txt” and “%LOCALAPPDATA%\\Temp\\mac.txt”.\r\nFigure 10: UUID_stealer\r\nFigure 11: MAC_Stealer\r\nAfter collecting the UUID and MAC address it collects the system’s current username and hostname from the system environment variables.\r\nFigure 12: User \u0026 Host\r\nFinally, it collects the system netstat information using the Windows command line. The PowerShell script executes NETSTAT.exe and retrieves network statistics such as active connections and listening ports with the associated process IDs.\r\nFigure 13: Netstat_Stealer\r\nAfter that the author constructs a detailed, formatted message to be sent to a Discord channel using a webhook. The script includes system information about the victim (IP, username, hostname, UUID, MAC address) formatted as fields, plus visual elements like colour, thumbnail, and footer to make the message more appealing and structured. It then sends a POST request to the webhook URL specified within the JSON payload.\r\nFigure 14: Discord_Structure\r\nThen it tries to terminate some Discord-related processes and also tries to remove some files, if they exist, such as Discord Token Protector, that could protect against malicious grabbers. To evade detection by security products, it checks for the presence of Discord token protector.exe and secure.dat. If these files are present in the Discord token directory, the malware removes them.\r\nFigure 15: Discord_Kill\r\nAfter that it checks whether a particular directory exists; if it does, it proceeds, otherwise it creates the new directory “LOCALAPPDATA\\Temp\\percs”.\r\nFigure 16: Downloading_Payload\r\nAfter creating that directory, it tries to download a payload called main.exe. However, it is no longer available at that web page; the URL redirects to the Kematian Stealer GitHub page instead.\r\nFigure 17: Url_Redirection\r\nAt this stage of the analysis, we understand that the stealer is a previous version of Kematian Stealer. Initially known as PowerShell-Token-Grabber, it was built by the author KDot227 and has now changed to Somali-Devs. In their recent updates they also mention the author change in their source code, and the GitHub page also redirects to the Kematian Stealer GitHub page.\r\nWe got main.exe from VirusTotal; it was a Python-based executable. While decompiling the Python executable, we found that this is where the browser stealer code is present. It focuses mainly on browser cookies, passwords, history details and the desktop screenshot.\r\nFigure 18: Targeted_Browsers\r\nFigure 19: Desktop_Grabber\r\nIt also targets Discord tokens; it tries to inject code into various Discord clients to capture Discord tokens, and for that it tries to download JavaScript by the author KDot227 named injection.js. The targeted clients are:\r\nDiscord\r\nDiscordCanary\r\nDiscordPTB\r\nDiscordDevelopment\r\nFigure 20: Discord_Injection\r\nData Exfiltration\r\nAfter collecting all the required data, it moves all the collected data from the application data directory to the newly created directory “LOCALAPPDATA\\Temp\\percs\\”. It also tries to search for browser cookies and passwords and to take a desktop screengrab; it was unable to retrieve these, as the web page was not available. Finally it compresses all the text files and zips the data directory.\r\nFigure 21: Stolen_Data\r\nCurl.exe is used to transfer the data along with a JSON payload which contains the name and content. Finally, the grabber exfiltrates all the data to the Discord channel using a webhook.\r\nFigure 22: Data_Compressing\r\nAfter exfiltrating all the data, it clears all traces, including the directories and the collected data.\r\nFigure 23: Deleting_Traces\r\nWhen we compare this token grabber with the new version of Kematian Stealer, many new features like a builder, evasion and more have been added.\r\nNew Features\r\nGUI Builder\r\nAntiVirus Evasion\r\nAnti-Analysis/Extracts WiFi passwords\r\nWebcam \u0026 Desktop screenshot\r\nSession stealer (Messaging, Gaming, VPN clients, FTP client and more)\r\nAs we can see, threat actors are updating their malware to become more evasive. Compared to other stealers, this one mainly focused on network-related information which could be used for active reconnaissance. As the information stolen by the malware is sensitive, protecting yourself by investing in a reputable security product such as K7 AntiVirus is therefore necessary in today’s world. We at K7 Labs provide detection for such kinds of stealers and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIoCs\r\nFile name Hash Detection name\r\nLoader 02F3B7596CFF59B0A04FD2B0676BC395 Trojan-Downloader ( 005a4e961 )\r\n584A.bat D2EA85153D712CCE3EA2ABD1A593A028 Trojan-Downloader ( 005a4e921 )\r\nPowerShell.ps1 A3619B0A3EE7B7138CEFB9F7E896F168 Trojan ( 0001140e1 )\r\nMain.exe E06F672815B89458C03D297DB99E9F6B Trojan ( 005ae5411 )\r\nInjection.js 1CBBFBC69BD8FA712B037EBE37E87709 Trojan ( 00597b5e1 )\r\nSource: https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/"
	],
	"report_names": [
		"kematian-stealer-forked-from-powershell-token-grabber"
	],
	"threat_actors": [],
	"ts_created_at": 1775439027,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4e7cd1536654fb60823a76bf675e759bd902aa7.pdf",
		"text": "https://archive.orkl.eu/b4e7cd1536654fb60823a76bf675e759bd902aa7.txt",
		"img": "https://archive.orkl.eu/b4e7cd1536654fb60823a76bf675e759bd902aa7.jpg"
	}
}