{
	"id": "3a105314-8a6a-4c00-9ea8-418ed8a9c313",
	"created_at": "2026-04-06T00:14:10.645823Z",
	"updated_at": "2026-04-10T03:24:44.508222Z",
	"deleted_at": null,
	"sha1_hash": "12fa2ed75f0d8e1a714f85f7a00e3ce07fb6feff",
	"title": "Kraken - The Deep Sea Lurker Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1786144,
	"plain_text": "Kraken - The Deep Sea Lurker Part 2\r\nBy 0xToxin\r\nPublished: 2023-05-26 · Archived: 2026-04-05 22:07:43 UTC\r\nIntro\r\nIn the second part of analyzing the “KrakenKeylogger”, I will be diving into some of the proactive “threat hunting” steps I took during my research on the Kraken.\r\nIf you haven’t already read the first part of analyzing the Kraken, be sure to check it out here.\r\nWith that said, let’s begin!\r\nWhat do we have?\r\nLet’s start with what we currently have and how we can pivot from it:\r\nC2: thereccorp.com\r\nPayload fetching domain: masherofmasters.cyou\r\nBinary Name: KrakenStub\r\nThe hunt will be split into 4 parts:\r\n1. thereccorp.com analysis\r\n2. masherofmasters.cyou analysis\r\n3. UnpackMe Yara Hunt\r\n4. OSINT research\r\nWe start off with our final C2 domain thereccorp.com; searching for the domain on VirusTotal returns a solid 0/87 vendor detections:\r\nGoing to the Relations tab and looking at the Communicating Files, we can see 22 files, all of which were flagged as malicious:\r\nhttps://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/\r\nPage 1 of 11\n\nAll files are pretty recent (the oldest one is dated 7th of May 23); this in fact helps us understand that the campaign is pretty new and is still being distributed.\r\nSome files were already analyzed by various sandboxes, and this helped me a lot, since I could download the files from those sandbox reports (most sandboxes I know allow downloading the examined sample). Let’s have a look at a couple of samples that were actually flagged falsely.\r\nRareCommodityHelper.exe\r\nSha256: 8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3\r\nVirusTotal\r\nMalwareBazaar\r\nLooking at the Vendor Threat Intelligence tab in the MalwareBazaar report, we can see that 3 different families are associated with the sample.\r\nI opened the JoeSandbox report and simply searched for the string kraken, and surprisingly, look what popped up:\r\nWhy would AgentTesla malware have a file named KrakenStub during its execution?\r\nI also took a look at the UnpackMe report.\r\nLooking at the unpacked binary that was flagged as MassLogger, we can see that the ProductName, FileDescription, OriginalFilename and InternalName share the same suspicious string we’re looking for: KrakenStub\r\nRareCommodityHelper.exe\r\nSha256: 413ec94d35627af97c57c6482630e6b2bb299eebf164e187ea7df0a0eb80ecc6\r\nVirusTotal\r\nMalwareBazaar\r\nGoing with the same approach as before, I took a look at the reports of the different vendors on the MalwareBazaar page and again found 3 different families:\r\nI once again checked whether our suspicious Kraken string can be found in either the JoeSandbox or UnpackMe reports, and guess what?\r\nKraken was found in both of them once again.\r\nAt this point I felt comfortable with my findings from the C2 IOC.\r\nLet’s move to the second domain we have.\r\nmasherofmasters.cyou Analysis\r\nTypically when I encounter a domain I will investigate it in 3 main sources:\r\n1. VirusTotal\r\n2. URLscan\r\n3. URLhaus\r\nThose 3 are my go-to sources for initial domain information gathering.\r\nVirusTotal\r\nLooking at the domain on VirusTotal can give us a lot of data, such as DNS records, JARM fingerprints, SSL certs, WHOIS lookup and much more, but the interesting part that I look at when doing a proactive hunt is the Relations tab. This tab can tell us which IPs this domain was assigned to, whether it has subdomains and which associated files this domain had connections with:\r\nBased on the given list, we can see that 5 files were .lnk files, which correlates with our execution flow explained in part 1. (From here you can take the files, see the execution flow when they’re detonated and compare it to your findings.)\r\nURLscan\r\nUnfortunately, at the time of investigation the domain was already terminated and no previous scans had been made on URLscan, so I couldn’t find anything about it here…\r\nURLhaus\r\nWhen I searched the domain in URLhaus I found about 12 hits:\r\nSome of the files are flagged as MassLogger, others were flagged as SnakeKeylogger and also AgentTesla. I investigated all the files, and actually the ones that were marked as AgentTesla were indeed that malware, but the samples which were flagged as MassLogger and SnakeKeylogger were actually our beloved Kraken…\r\nUnpackMe Yara Hunt\r\nUnpackMe provides a unique service of proactive lookback on samples analyzed by the platform based on a given Yara rule.\r\nThe rule I’ve created was simply based on unique strings that I found in the sample:\r\nrule Win_KrakenStealer {\r\n    meta:\r\n        description = \"Win_KrakenStealer rules\"\r\n    strings:\r\n        $s1 = \"KrakenStub\" ascii wide\r\n        $s2 = \"KrakenStub.exe\" ascii wide\r\n        $s3 = \"Kraken_Keylogs_\" ascii wide\r\n        $s4 = \"Kraken_Password_\" ascii wide\r\n        $s5 = \"Kraken_Screenshot_\" ascii wide\r\n        $s6 = \"Kraken_Clipboard_\" ascii wide\r\n        $s7 = \"KrakenClipboardLog.txt\" ascii wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and 5 of ($s*)\r\n}\r\nAnd here is the result of the hunt:\r\nIn a 12-week lookback there were 11 samples that matched the given Yara rule; 8 of them were marked as MassLogger, so I took a look at one of them, and by simply looking at the File Version Information we can see that it’s 99% our Kraken. I downloaded the sample and opened it in dnSpy and guess what?\r\nIt was our Kraken! So we found about 11 samples that are flagged falsely.\r\nAnd with that our hunt for samples is done; from here you can pretty much correlate some IOCs to see whether or not it’s the same threat actor.\r\nOSINT Research\r\nIn this part I wanted to try and find the origin of the malware, so I tried two things:\r\n1. Search engine dorking\r\n2. Underground forums\r\nSearch Engine Dorking\r\nI tried to search the term \"KrakenStub\" malware in both Google and DuckDuckGo; besides giving me 2 analyses, one from JoeSandbox and the second from VMRay, I couldn’t find anything useful, but it is always good to try searching with search engines because you can’t really know what you might find…\r\nUnderground Forums\r\nThere are several underground/hacking forums that you can find on the clean web without needing to go to TOR and pivot around the darknet.\r\nOne of the most known hacking forums out there is HackForums, so I tried my luck and searched through the marketplace forum for “Kraken” keywords, and after quite some time I found this thread: #1 KrakenKeylogger | 3 Senders | E-Mail Client \u0026 Browser Recovery | Perfect Features, sold by a user named Krakenz:\r\nWhat a perfect hit!\r\nThat particular finding made my day; I knew that this is it, I’ve closed the circle and I can consider this case fully resolved.\r\nAfter I published part 1 of analyzing the Kraken, @jw4lsec and I had a small conversation, and he shared with me that Windows Defender was flagging the sample I shared during the investigation as a different malware upon each execution attempt:\r\nSummary\r\nIn the 2nd part of analyzing the Kraken I’ve shown you my way of thinking and approach to the process of threat hunting, especially when your gut tells you that something here is not right. I hope that during these 2 parts of analysis you’ve learned new things; feel free to PM me via any social media.\r\nSource: https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/"
	],
	"report_names": [
		"KrakenKeylogger-pt2"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775791484,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12fa2ed75f0d8e1a714f85f7a00e3ce07fb6feff.pdf",
		"text": "https://archive.orkl.eu/12fa2ed75f0d8e1a714f85f7a00e3ce07fb6feff.txt",
		"img": "https://archive.orkl.eu/12fa2ed75f0d8e1a714f85f7a00e3ce07fb6feff.jpg"
	}
}