BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

KrakenKeylogger

71
Global rank
72 infographic chevron month
Month rank
77 infographic chevron week
Week rank
16
IOCs

Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails.

Trojan
Type
Unknown
Origin
1 May, 2023
First seen
29 January, 2024
Last seen
Also known as
Kraken
Kraken Stealer

How to analyze KrakenKeylogger with ANY.RUN

Type
Unknown
Origin
1 May, 2023
First seen
29 January, 2024
Last seen

IOCs

Hashes
7357f1dc4cc6b7ed24845f6a68defaf560af51e19f9cf31ffc2c008eb539dd39
7e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
069395ba2c278a8d5fe946e6414c3b028d04e906a166055c0d88c8ef6baebacf
b639e26a0f0354515870ee167ae46fdd9698c2f0d405ad8838e2e024eb282e39
564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347
080731d99756d9edf59e6d72931b6e1ea342ffa8fd937b5fcefe7d22eb165fe3
4c2f188c6f7658df23a065fb7341744cf68eb1bc4124840956a81da87968030a
e1372f8aa31ebbe3ab60d07036ae829a19e3f837b698f38e3469ac3d5f2c4f50
0b6cd05bee398bac0000e9d7032713ae2de6b85fe1455d6847578e9c5462391f
c24c12afb99023a67597cb238e5767f1d410e3a18a3239384179e440f671ba3f
e92d56612dc90ee84e96acb77d7b9183d8a16843ee0c401cc685442b95780c78
f274cd1d4caf4d3acb888fc435ca2ae3261a4c0634f34e43fd5d46bf8a7059f7
6c4a1f74de712ee096140aba680c37ed6b7cce8c412f1e2defaee84a556c163a
URLs
http://ww38.blasze.tk/CN18R3
http://blasze.tk/CN18R3
Last Seen at

Recent blog posts

post image
DCRat: Step-by-Step Analysis in ANY.RUN
watchers 867
comments 0
post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 333
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 315
comments 0

What is Kraken malware?

Kraken, also known as Kraken Keylogger, is a malware written in .NET (VB) that focuses on exfiltrating sensitive information from the browsers and email clients installed on the compromised system. Some security solutions may mistakenly label it as SnakeKeylogger or MassKeylogger.

Kraken attacks are usually carried out in several stages, starting from a malicious attachment delivered to a victim’s inbox. Although not as widespread as other stealer malware, such as RedLine, Kraken poses a significant threat to users worldwide. However, there is still no information on who created Kraken malware.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Kraken Keylogger malicious software

KrakenKeylogger usually steals:

  • User information: KrakenKeylogger can capture passwords, usernames, and other authentication details from various applications and websites.
  • Screenshots: The malware usually records screenshots once it finishes stealing data from browsers and FTP clients.
  • Keystrokes:The malicious program can also perform keylogging, keeping track of everything typed by the user.

According to the threat analyst 0xToxin’s article, a typical attack involving KrakenKeylogger starts with a spam email, containing a malicious attachment, usually a .zip. Inside the archive, users may find an .lnk that kickstarts the infection process. Once launched, it executes a PowerShell script, which eventually leads to the download of a .NET loader. The loader then deploys a .dll that ultimately drops Kraken on the system.

KrakenKeylogger makes use of code obfuscation and encryption. The malware is also equipped with evasion mechanisms that allow it to circumvent security solutions.

Execution process of Kraken attacks

Analyzing a sample of Kraken in the ANY.RUN sandbox can help us study the entire execution chain of the malware step by step.

Kraken follows a typical execution chain for this type of malware. The main payload initiates various child processes to carry out multiple actions. In our case, the primary process, Sipariş_28.08.023.exe, initiates the Task Scheduler to perform task scheduling to establish its presence within the infected system.

Additionally, it injects into RegSvcs.exe and launches it to facilitate the primary malicious activity, which includes the theft of credentials from web browsers, personal data, and connection to the C2 server.

As some samples may be geotargeted, we can employ a set of features such as "Locale (OS Language)" and "Residential proxy" to enhance our understanding and countermeasures against the malware.

KrakenKeylogger process tree shown in ANY.RUN KrakenKeylogger`s process tree demonstrated in ANY.RUN

Distribution methods of the KrakenKeylogger malware

Phishing emails constitute the primary method of distributing Kraken. Victims usually receive seemingly legitimate messages that employ social engineering to trick them into downloading and opening malicious files attached to these emails. In most cases, criminals choose to address users on behalf of government agencies, as well as businesses.

Conclusion

KrakenKeylogger is a relatively unexplored threat, and the scale of its operation remains unknown. This highlights the need for individuals and organizations to practice proper measures to make sure that they stay protected against attacks. One of the key components of a comprehensive cybersecurity strategy is early detection of any malicious content received via email.

To this end, ANY.RUN can be used, as it allows you to conduct advanced analysis of any suspicious file or link and receive insights on whether it is harmful or not in seconds. The service provides thorough threat reports that contain all the essential information such as indicators of compromise (IOCs), needed for proper prevention and incident response.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy