Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

KrakenKeylogger

95
Global rank
121 infographic chevron month
Month rank
116 infographic chevron week
Week rank
0
IOCs

Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails.

Trojan
Type
Unknown
Origin
1 May, 2023
First seen
2 September, 2024
Last seen
Also known as
Kraken
Kraken Stealer

How to analyze KrakenKeylogger with ANY.RUN

Type
Unknown
Origin
1 May, 2023
First seen
2 September, 2024
Last seen

IOCs

Domains
kraken.nswardh.com
psqt2tb4vi3gh4t3fz5bq5owirnto2wdkle5fexfvyksa5erdapfiqid.onion
masherofmasters.cyou
vyprotb.com
onemgat.net
pnispsal.com
mpzohtore.com
pdpocatk.com
smmyuhxlt.cc
yhzjehi.com
URLs
http://ww38.blasze.tk/CN18R3
http://blasze.tk/CN18R3
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 265
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1404
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1839
comments 0

What is Kraken malware?

Kraken, also known as Kraken Keylogger, is a malware written in .NET (VB) that focuses on exfiltrating sensitive information from the browsers and email clients installed on the compromised system. Some security solutions may mistakenly label it as SnakeKeylogger or MassKeylogger.

Kraken attacks are usually carried out in several stages, starting from a malicious attachment delivered to a victim’s inbox. Although not as widespread as other stealer malware, such as RedLine, Kraken poses a significant threat to users worldwide. However, there is still no information on who created Kraken malware.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Kraken Keylogger malicious software

KrakenKeylogger usually steals:

  • User information: KrakenKeylogger can capture passwords, usernames, and other authentication details from various applications and websites.
  • Screenshots: The malware usually records screenshots once it finishes stealing data from browsers and FTP clients.
  • Keystrokes:The malicious program can also perform keylogging, keeping track of everything typed by the user.

According to the threat analyst 0xToxin’s article, a typical attack involving KrakenKeylogger starts with a spam email, containing a malicious attachment, usually a .zip. Inside the archive, users may find an .lnk that kickstarts the infection process. Once launched, it executes a PowerShell script, which eventually leads to the download of a .NET loader. The loader then deploys a .dll that ultimately drops Kraken on the system.

KrakenKeylogger makes use of code obfuscation and encryption. The malware is also equipped with evasion mechanisms that allow it to circumvent security solutions.

Execution process of Kraken attacks

Analyzing a sample of Kraken in the ANY.RUN sandbox can help us study the entire execution chain of the malware step by step.

Kraken follows a typical execution chain for this type of malware. The main payload initiates various child processes to carry out multiple actions. In our case, the primary process, Sipariş_28.08.023.exe, initiates the Task Scheduler to perform task scheduling to establish its presence within the infected system.

Additionally, it injects into RegSvcs.exe and launches it to facilitate the primary malicious activity, which includes the theft of credentials from web browsers, personal data, and connection to the C2 server.

As some samples may be geotargeted, we can employ a set of features such as "Locale (OS Language)" and "Residential proxy" to enhance our understanding and countermeasures against the malware.

KrakenKeylogger process tree shown in ANY.RUN KrakenKeylogger`s process tree demonstrated in ANY.RUN

Distribution methods of the KrakenKeylogger malware

Phishing emails constitute the primary method of distributing Kraken. Victims usually receive seemingly legitimate messages that employ social engineering to trick them into downloading and opening malicious files attached to these emails. In most cases, criminals choose to address users on behalf of government agencies, as well as businesses.

Conclusion

KrakenKeylogger is a relatively unexplored threat, and the scale of its operation remains unknown. This highlights the need for individuals and organizations to practice proper measures to make sure that they stay protected against attacks. One of the key components of a comprehensive cybersecurity strategy is early detection of any malicious content received via email.

To this end, ANY.RUN can be used, as it allows you to conduct advanced analysis of any suspicious file or link and receive insights on whether it is harmful or not in seconds. The service provides thorough threat reports that contain all the essential information such as indicators of compromise (IOCs), needed for proper prevention and incident response.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More