KeyBase Keylogger

Posted: June 11, 2015

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	8/10
Infected PCs:	810

First Seen:	June 15, 2015
Last Seen:	January 15, 2024
OS(es) Affected:	Windows

The KeyBase Keylogger is a spyware product rented for use by third parties, who may employ the KeyBase Keylogger to attack targets at their discretion. Current campaigns using the KeyBase Keylogger have been connected to civilian industrial sectors, as well as to many first world countries. Despite its relatively simple code, the KeyBase Keylogger still is rated as a significant privacy and security risk, and malware analysts would discourage any efforts at deleting the KeyBase Keylogger without proper anti-malware protection.

The KeyBase Keylogger: Every Con-Artist's New Base of Keylogging Operations

One of the most significant functions in any spyware program is the ability to record and collect typed information, an act known as keylogging. Many threat projects focus on this feature above all else, although some, like the KeyBase Keylogger, also include a handful of other features. In their analysis of the KeyBase Keylogger, malware experts found most of its features to focus on user-friendliness for its administrators. Simultaneously, the KeyBase Keylogger's developer neglects basic, exploitable security loopholes that other PC security companies have used to examine this threat.

The KeyBase Keylogger includes many of the standard features of any keylogger-based spyware, such as:

The KeyBase Keylogger may record typed data, as well as data saved in the Clipboard (for example, via Copy and Paste actions). This data may be uploaded automatically to any of dozens of third parties-controlled C&C servers. The titles of open windows also may be monitored, which allows third parties to determine which program is related to the text input.
The KeyBase Keylogger may achieve a persistent state on the infected PC by moving itself to the Windows Startup folder or modifying the Registry. In the former case, its file name is hardcoded as 'Important.exe,' which could allow victims to identify it.
Like most modern keyloggers, the KeyBase Keylogger also may include a screen capture function for collecting visual data.
PCs infected by the KeyBase Keylogger also may be in danger of being infected by further PC threats. The KeyBase Keylogger includes functions for downloading and launching other files, including, potentially, installers for threats.

The KeyBase Keylogger is rented out to other third parties for relatively cheap prices, driving its popularity in the threat market. As a result, malware analysts have seen operations for the KeyBase Keylogger around the globe.

Breaking a Third-Party's Key to Your Computer

Current KeyBase Keylogger campaigns are attacking institutions in countries ranging from the United States to Japan and Australia, along with most of Europe. Malware analysts often see such attacks distributing themselves via e-mail messages, which also is true of recent the KeyBase Keylogger campaigns. Potential victims may identify common tactics, such as fake bank tracking slips or shipping invoices, that request the opening of mislabeled file attachments.

Since the KeyBase Keylogger launches automatically and commences collecting information without any overt symptoms, PC users shouldn't anticipate being able to identify the KeyBase Keylogger on sight. General anti-malware and anti-spyware products should be able to detect the KeyBase Keylogger, which uses limited means of obfuscating its threatening activities. PC users that are removing the KeyBase Keylogger infections also should prepare themselves for taking any other steps needed to block any future exploitation of transferred information, such as having their accounts hacked with collected passwords.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%APPDATA%\program.exe

File name: program.exe
Size: 29.69 KB (29696 bytes)
MD5: 63f9f25465353db0187216144ff92f4a
Detection count: 28
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: July 30, 2016

%SYSTEMDRIVE%\Users\<username>\Desktop\New folder (2)\8302c5b1f396623ca191c4e92de9b33a715199e269294f21a87a2138379d8b1b.exe\file.exe

File name: file.exe
Size: 373.24 KB (373248 bytes)
MD5: bdadcd9c35687b9913ddd7533f4f47cd
Detection count: 23
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\Desktop\New folder (2)\8302c5b1f396623ca191c4e92de9b33a715199e269294f21a87a2138379d8b1b.exe
Group: Malware file
Last Updated: June 26, 2020

More files

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%APPDATA%\program.exe