{
	"id": "1fd61dd6-927f-4c22-986a-b5f2cdb1243e",
	"created_at": "2026-04-06T00:13:35.175253Z",
	"updated_at": "2026-04-10T03:20:22.321101Z",
	"deleted_at": null,
	"sha1_hash": "bfe1b8233b454139f91e6332de0b608cceb73cb0",
	"title": "The KLRD Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230032,
	"plain_text": "The KLRD Keylogger\r\nPublished: 2016-11-28 · Archived: 2026-04-05 16:26:42 UTC\r\nSymantec released a report in the beginning of October that talks about Odinaff, which is a new piece of malware used in campaigns targeting financial institutions. In the report, Symantec posts several of the auxiliary tools used in the campaign and many of the associated droppers. Booz Allen Intelligence Analysts wanted to take a closer look at some of these binaries and post some analysis so that network defenders can better understand how these tools work. In some cases the simple advice of “Install AV” is enough, but all too often it is insufficient when looking at small targeted utilities.\r\nAt the time of this writing, a little under 40% of AV engines are detecting the keylogger utility (21/56 on Virustotal.com).\r\nFollowing the naming convention of klrd.exe, the output file of the logged keystrokes is named klrd.log (which is stored in the C:\\Windows\\Temp\\ directory). The keylogger has no exfil capability, so one unnerving aspect of writing to a local log is that the attacker has access to the host via some other means. If a tool like this is discovered on your network, you need to check the compromised host for malicious lateral connections or backdoor connections.\r\nThe malware is also compiled with a build path of:\r\nd:\\Programming\\C++\\projects\\klr\\bin\\klrd.pdb\r\nKeylogging\r\nThis program is very straightforward in its execution. The first thing that it does is start the keylogging thread.\r\nhttps://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html\r\nPage 1 of 4\n\nThe thread obtains a handle to the current process by calling GetModuleHandleA. Then it does some quick error checking to make sure that it could obtain a handle. If it fails, it tosses an error and tries to call LoadLibraryA on it. If both fail, the keylogger exits.\r\nAssuming success, the keylogger sets a hook by calling SetWindowsHookEx. The hook procedure is examined next.\r\nFollowing _KeyEvent@12 in a debugger, the hook procedure performs some simple bounds checking on an obtained key and then tries to obtain the current window’s (foreground window) text and the thread process. If this information cannot be obtained, the output log contains error messages of “Can’t get window text” and “Can’t get thread id”.\r\nA small lookup table is provided to check the keystroke against known control characters, and if the key is not in the lookup table (switch table), the default case occurs and it is converted to ASCII and written to the log file. This switch statement is very similar to the MSDN provided code for using keyboard input.\r\n case WM_CHAR:\r\n switch (wParam)\r\n {\r\n case 0x08:\r\n // Process a backspace.\r\n break;\r\n case 0x0A:\r\n // Process a linefeed.\r\n break;\r\n case 0x1B:\r\n // Process an escape.\r\n break;\r\n case 0x09:\r\n // Process a tab.\r\n break;\r\n case 0x0D:\r\n // Process a carriage return.\r\n break;\r\n default:\r\n // Process displayable characters.\r\n break;\r\n }\r\nThe method for writing the log file is interesting because rather than keeping a handle open to the file and just writing to it whenever possible, the function gets a handle each time and opens it to write each individual character.\r\nThe path and name for the log file is hard-coded as C:\\Windows\\Temp\\klrd.log\r\nAt this point a majority of the keylogger is documented. Running it provides an output log that looks like the following.\r\nWhile not the most sophisticated keylogger, its basic functionality is effective and allows the binary to be only 5kb in size, all while avoiding detection from over 60% of AV engines.\r\nSource: https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html"
	],
	"report_names": [
		"the-klrd-keylogger.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434415,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfe1b8233b454139f91e6332de0b608cceb73cb0.pdf",
		"text": "https://archive.orkl.eu/bfe1b8233b454139f91e6332de0b608cceb73cb0.txt",
		"img": "https://archive.orkl.eu/bfe1b8233b454139f91e6332de0b608cceb73cb0.jpg"
	}
}