win.keybase

KeyBase

aka: Kibex

KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often bundles NirSoft recovery tools such as MailPassView and WebBrowserPassView to harvest additional stored credentials.

References
2018-02-15 | RSA | Ahmed Sonbol
@online{sonbol:20180215:malspam:54c3cfe,
  author = {Ahmed Sonbol},
  title = {{Malspam delivers Keybase keylogger}},
  date = {2018-02-15},
  organization = {RSA},
  url = {https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017},
  language = {English},
  urldate = {2019-10-12}
}
2017-01-31 | SANS ISC InfoSec Forums | Johannes
@online{johannes:20170131:malicious:ed4f2fb,
  author = {Johannes},
  title = {{Malicious Office files using fileless UAC bypass to drop KEYBASE malware}},
  date = {2017-01-31},
  organization = {SANS ISC InfoSec Forums},
  url = {https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/},
  language = {English},
  urldate = {2020-01-08}
}
2016-07 | Virus Bulletin | Gabor Szappanos
@online{szappanos:201607:new:6574feb,
  author = {Gabor Szappanos},
  title = {{New Keylogger on the Block}},
  date = {2016-07},
  organization = {Virus Bulletin},
  url = {https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/},
  language = {English},
  urldate = {2020-01-06}
}
2016-02-25 | Palo Alto Networks Unit 42 | Jeff White
@online{white:20160225:keybase:676bd3f,
  author = {Jeff White},
  title = {{KeyBase Threat Grows Despite Public Takedown: A Picture is Worth a Thousand Words}},
  date = {2016-02-25},
  organization = {Palo Alto Networks Unit 42},
  url = {https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/},
  language = {English},
  urldate = {2020-01-10}
}
2016-01-28 | VoidSec | Paolo Stagno
@online{stagno:20160128:keybase:9b30a21,
  author = {Paolo Stagno},
  title = {{Keybase}},
  date = {2016-01-28},
  organization = {VoidSec},
  url = {https://voidsec.com/keybase-en/},
  language = {English},
  urldate = {2019-08-08}
}
2015-10-12 | th3l4b | PuN1sh_3r
@online{pun1sh3r:20151012:keybase:38b6bd4,
  author = {PuN1sh_3r},
  title = {{Keybase Logger/Clipboard/CredsStealer campaign}},
  date = {2015-10-12},
  organization = {th3l4b},
  url = {https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html},
  language = {English},
  urldate = {2019-12-10}
}
2015-06-04 | Palo Alto Networks Unit 42 | Unit42
@online{unit42:20150604:keybase:da43a0b,
  author = {Unit42},
  title = {{KeyBase Keylogger Malware Family Exposed}},
  date = {2015-06-04},
  organization = {Palo Alto Networks Unit 42},
  url = {https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/},
  language = {English},
  urldate = {2019-10-23}
}
Yara Rules
[TLP:WHITE] win_keybase_w0 (20190208 | Identifies KeyBase aka Kibex.)
rule win_keybase_w0 {
    meta:
        description = "Identifies KeyBase aka Kibex."
        author = "@bartblaze"
        hash = "cafe2d12fb9252925fbd1acb9b7648d6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase"
        malpedia_version = "20190208"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Labels used in the keylog/clipboard report
        $s1 = " End:]" ascii wide
        $s2 = "Keystrokes typed:" ascii wide
        $s3 = "Machine Time:" ascii wide
        $s4 = "Text:" ascii wide
        $s5 = "Time:" ascii wide
        $s6 = "Window title:" ascii wide

        // Exfiltration form-field names; $x7 and $x8 are stored reversed
        // ("=drowssap&" is "&password=", "=emitenihcam&" is "&machinetime=")
        $x1 = "&application=" ascii wide
        $x2 = "&clipboardtext=" ascii wide
        $x3 = "&keystrokestyped=" ascii wide
        $x4 = "&link=" ascii wide
        $x5 = "&username=" ascii wide
        $x6 = "&windowtitle=" ascii wide
        $x7 = "=drowssap&" ascii wide
        $x8 = "=emitenihcam&" ascii wide

    condition:
        5 of ($s*) or 6 of ($x*) or (3 of ($s*) and 3 of ($x*))
}
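The rule's condition is easy to misjudge by eye: "Text:" and "Time:" are generic labels, and "Time:" also matches inside "Machine Time:", which is why the author requires five of the $s labels, six of the $x field names, or three of each before firing. The following added example (not from the Malpedia page or the rule's author) re-implements the rule's `ascii wide` string matching and threshold logic in plain Python so the condition can be exercised against a buffer without yara-python, and recovers the form-field names behind the reversed $x7/$x8 strings. Both sample buffers are constructed for the example, not real KeyBase samples.

```python
"""Offline re-implementation of win_keybase_w0's matching logic.

Added example; it mimics YARA semantics for this rule only (plain text
strings with the `ascii wide` modifiers, no regexes, no hex strings).
Sample buffers are constructed, not real KeyBase samples.
"""
from typing import Dict, List, Set

# Same literals as the rule; $s* are report labels, $x* are form-field names.
S_STRINGS: Dict[str, str] = {
    "s1": " End:]",
    "s2": "Keystrokes typed:",
    "s3": "Machine Time:",
    "s4": "Text:",
    "s5": "Time:",
    "s6": "Window title:",
}

X_STRINGS: Dict[str, str] = {
    "x1": "&application=",
    "x2": "&clipboardtext=",
    "x3": "&keystrokestyped=",
    "x4": "&link=",
    "x5": "&username=",
    "x6": "&windowtitle=",
    "x7": "=drowssap&",      # stored reversed in the binary
    "x8": "=emitenihcam&",   # stored reversed in the binary
}


def encodings(pattern: str) -> List[bytes]:
    """`ascii wide` in YARA: the literal matches as ASCII or as UTF-16LE."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched(buf: bytes, table: Dict[str, str]) -> Set[str]:
    """Identifiers from `table` whose ASCII or wide form occurs anywhere in `buf`.

    Overlaps count exactly as in YARA: a wide "Machine Time:" also satisfies
    the wide "Time:" string, since the latter is a byte-substring of the former.
    """
    return {
        name
        for name, pattern in table.items()
        if any(enc in buf for enc in encodings(pattern))
    }


def win_keybase_w0(buf: bytes) -> bool:
    """Evaluate `5 of ($s*) or 6 of ($x*) or (3 of ($s*) and 3 of ($x*))`."""
    s_hits = len(matched(buf, S_STRINGS))
    x_hits = len(matched(buf, X_STRINGS))
    return s_hits >= 5 or x_hits >= 6 or (s_hits >= 3 and x_hits >= 3)


def unreverse(pattern: str) -> str:
    """Recover the plaintext form-field name from a reversed $x string."""
    return pattern[::-1]


# Constructed buffer: .NET-style UTF-16LE report labels plus ASCII field names.
# Expected to hit the "3 of ($s*) and 3 of ($x*)" branch (s2, s3, s5, s6 / x1, x2, x3).
SAMPLE_HIT = (
    b"\x00" * 16
    + "Keystrokes typed:".encode("utf-16-le")
    + "Window title:".encode("utf-16-le")
    + "Machine Time:".encode("utf-16-le")
    + b"&application=&clipboardtext=&keystrokestyped="
)

# Constructed buffer with only generic labels and two field names (2 of each
# group): below every threshold, so the rule must not fire on it.
SAMPLE_MISS = b"Time:\x00Text:\x00&username=&link=hello"


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, win_keybase_w0(buf),
              sorted(matched(buf, S_STRINGS)), sorted(matched(buf, X_STRINGS)))
    for name in ("x7", "x8"):
        print(name, X_STRINGS[name], "->", unreverse(X_STRINGS[name]))
```

Running the script prints `hit True` with four $s and three $x identifiers and `miss False` with two of each, and shows $x7 and $x8 unreversing to `&password=` and `&machinetime=`. The reversed literals are worth keeping in any derived rule: a rewrite that "helpfully" replaces them with the readable field names would stop matching the sample the rule was written against.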