KeyBase (Malware Family)

KeyBase

aka: Kibex

KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.

References

2018-02-15 ⋅ RSA ⋅ Ahmed Sonbol
Malspam delivers Keybase keylogger
KeyBase

2017-01-31 ⋅ SANS ISC InfoSec Forums ⋅ Johannes
Malicious Office files using fileless UAC bypass to drop KEYBASE malware
KeyBase

2016-07-01 ⋅ Virus Bulletin ⋅ Gabor Szappanos
New Keylogger on the Block
KeyBase

2016-02-25 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
KeyBase Threat Grows Despite Public Takedown: A Picture is Worth a Thousand Words
KeyBase

2016-01-28 ⋅ VoidSec ⋅ Paolo Stagno
Keybase
KeyBase

2015-10-12 ⋅ th3l4b ⋅ PuN1sh_3r
Keybase Logger/Clipboard/CredsStealer campaign
KeyBase

2015-06-04 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
KeyBase Keylogger Malware Family Exposed
KeyBase

Yara Rules

[TLP:WHITE] win_keybase_w0 (20190208 | Identifies KeyBase aka Kibex.)

rule win_keybase_w0 {
meta:
	description = "Identifies KeyBase aka Kibex."
	author = "@bartblaze"
	hash = "cafe2d12fb9252925fbd1acb9b7648d6"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase"
    malpedia_version = "20190208"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"

strings:	
	$s1 = " End:]" ascii wide
	$s2 = "Keystrokes typed:" ascii wide
	$s3 = "Machine Time:" ascii wide
	$s4 = "Text:" ascii wide
	$s5 = "Time:" ascii wide
	$s6 = "Window title:" ascii wide
	
	$x1 = "&application=" ascii wide
	$x2 = "&clipboardtext=" ascii wide
	$x3 = "&keystrokestyped=" ascii wide
	$x4 = "&link=" ascii wide
	$x5 = "&username=" ascii wide
	$x6 = "&windowtitle=" ascii wide
	$x7 = "=drowssap&" ascii wide
	$x8 = "=emitenihcam&" ascii wide

condition:
	5 of ($s*) or 6 of ($x*) or (3 of ($s*) and 3 of ($x*) )
}

Download all Yara Rules

KeyBase Propose Change

References

Yara Rules

KeyBase