Keybase Malware

I have recently analysed a sample of what appears to be a newer version of Keybase.

Delivered as an executable inside a zip archive, the malware has the key-logging capabilities typical of most trojans, using native API calls to hook keyboard processes and HTTP to upload images of the desktop. In this instance the victims' data is being uploaded to a server which isn't as tightly managed as usual.

Here is the web panel:

Panel

Here are the uploaded screenshots, each named with its date and time:

Uploads

Here are some screenshots of applications in use on the victims' machines.

Skype

Someone about to do some online banking; the malware will capture their keystrokes as well as taking screenshots.

Banking

Someone placing an order for some materials via Outlook.com.

Materials

Encoded in the HTTP stream we can see specific keywords, including the title of the Notepad window I launched, together with the keystrokes, all included in the request to the C&C that uploads the screenshots.

Traffic
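The traffic above shows the detection opportunity: window titles and typed keys travel URL-encoded in plain HTTP requests to the C&C. The following is an added triage example, not code from the original post, that decodes constructed request lines and flags the keystroke and screenshot uploads; the parameter names (`windowtitle`, `keystrokestyped`, `machinename`) and endpoint paths are assumptions, not recovered Keybase indicators.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of HTTP request lines as a proxy or IDS might log them.
# Not real Keybase traffic: the parameter names and paths are assumptions chosen to
# mirror what the post observes (window title plus typed keystrokes in one C&C request).
SAMPLE_REQUESTS = [
    "GET /post.php?type=keystrokes&machinename=WIN-PC01&windowtitle=Untitled+-+Notepad"
    "&keystrokestyped=test+123%5BENTER%5D HTTP/1.1",
    "POST /image.php?machinename=WIN-PC01&windowtitle=Skype HTTP/1.1",
    "GET /search?q=notepad+shortcuts HTTP/1.1",
    "GET /index.php?page=2 HTTP/1.1",
]

# Parameter-name heuristics (assumed); extend with names seen in your own captures.
WINDOW_PARAMS = {"windowtitle", "window", "title"}
KEYSTROKE_PARAMS = {"keystrokestyped", "keystrokes", "keys"}
IMAGE_PATHS = {"/image.php", "/upload.php"}  # assumed screenshot endpoints

def parse_request_line(line):
    """Split 'METHOD target HTTP/x' and return (method, path, {param: value})."""
    method, target, _ = line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qs URL-decodes values, so '+' and %5B..%5D become readable text
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params

def classify(line):
    """Return a verdict dict for one request line.

    keystroke_exfil   - a window title and typed keys travel in the same request
    screenshot_upload - POST to an assumed image endpoint carrying a host identifier
    benign            - nothing matched
    """
    method, path, params = parse_request_line(line)
    window = next((params[k] for k in WINDOW_PARAMS if k in params), None)
    keys = next((params[k] for k in KEYSTROKE_PARAMS if k in params), None)
    if window is not None and keys is not None:
        return {"verdict": "keystroke_exfil", "window": window, "keys": keys}
    if method == "POST" and path in IMAGE_PATHS and "machinename" in params:
        return {"verdict": "screenshot_upload", "window": window, "keys": None}
    return {"verdict": "benign", "window": None, "keys": None}

def triage(lines):
    """Classify every line and return only the decoded suspicious ones."""
    results = (classify(line) for line in lines)
    return [r for r in results if r["verdict"] != "benign"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(f"{hit['verdict']:18} window={hit['window']!r} keys={hit['keys']!r}")
```

A benign search for "notepad" is left alone because the keyword alone is not the signal; the pairing of a window title with a keystroke field in one request is.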