win.keybase

KeyBase

aka: Kibex

KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often bundles NirSoft tools such as MailPassView and WebBrowserPassView to recover additional stored credentials.

References
2018-02-15, RSA, Ahmed Sonbol: Malspam delivers Keybase keylogger
2017-01-31, SANS ISC InfoSec Forums, Johannes: Malicious Office files using fileless UAC bypass to drop KEYBASE malware
2016-07-01, Virus Bulletin, Gabor Szappanos: New Keylogger on the Block
2016-02-25, Palo Alto Networks Unit 42, Jeff White: KeyBase Threat Grows Despite Public Takedown: A Picture is Worth a Thousand Words
2016-01-28, VoidSec, Paolo Stagno: Keybase
2015-10-12, th3l4b, PuN1sh_3r: Keybase Logger/Clipboard/CredsStealer campaign
2015-06-04, Palo Alto Networks Unit 42, Unit42: KeyBase Keylogger Malware Family Exposed
Yara Rules
[TLP:WHITE] win_keybase_w0 (20190208 | Identifies KeyBase aka Kibex.)
rule win_keybase_w0 {
    meta:
        description = "Identifies KeyBase aka Kibex."
        author = "@bartblaze"
        hash = "cafe2d12fb9252925fbd1acb9b7648d6"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase"
        malpedia_version = "20190208"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Labels KeyBase uses when formatting its keystroke and clipboard logs.
        $s1 = " End:]" ascii wide
        $s2 = "Keystrokes typed:" ascii wide
        $s3 = "Machine Time:" ascii wide
        $s4 = "Text:" ascii wide
        $s5 = "Time:" ascii wide
        $s6 = "Window title:" ascii wide

        // Form-style parameter names (&name=) the stealer builds into its reporting requests.
        $x1 = "&application=" ascii wide
        $x2 = "&clipboardtext=" ascii wide
        $x3 = "&keystrokestyped=" ascii wide
        $x4 = "&link=" ascii wide
        $x5 = "&username=" ascii wide
        $x6 = "&windowtitle=" ascii wide
        // Stored reversed in the binary: "&password=" and "&machinetime=".
        $x7 = "=drowssap&" ascii wide
        $x8 = "=emitenihcam&" ascii wide

    condition:
        5 of ($s*) or 6 of ($x*) or (3 of ($s*) and 3 of ($x*))
}