Trojan.Spy.KeyLogger

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 9,558
Threat Level: 80 % (High)
Infected Computers: 1,450
First Seen: July 24, 2009
Last Seen: January 1, 2026
OS(es) Affected: Windows

Aliases

12 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Symantec Infostealer
Panda Trj/CI.A
NOD32 probably a variant of Win32/Spy.KeyLogger
McAfee-GW-Edition Trojan.SPY.KeyLogger.anp
McAfee Generic PWS.y
Ikarus Trojan-Spy.Win32.KeyLogger
F-Secure Trojan-Spy.Win32.KeyLogger.anp
BitDefender Trojan.Generic.368213
Avast Win32:Spyware-gen
Authentium W32/Trojan2.FFGA
AntiVir TR/SPY.KeyLogger.anp
a-squared Trojan-Spy.Win32.KeyLogger!IK

File System Details

Trojan.Spy.KeyLogger may create the following file(s):
# File Name MD5 Detections
1. yebuh.exe 2462eeadee48be417acae99fc404c837 0

Analysis Report

General information

Family Name: Trojan.Spy.KeyLogger
Signature status: No Signature

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
File Description TTiger Keylogger Client
File Version 1.0.0.0
Internal Name TTiger Keylogger Client.exe
Legal Copyright Copyright © 2016
Original Filename TTiger Keylogger Client.exe
Product Name TTiger Keylogger Client
Product Version 1.0.0.0

File Traits

  • .NET
  • 2+ executable sections
  • big overlay
  • CryptUnprotectData
  • HighEntropy
  • No CryptProtectData
  • No Version Info
  • Run
  • virut
  • x86

Block Information

Total Blocks: 330
Potentially Malicious Blocks: 165
Whitelisted Blocks: 165
Unknown Blocks: 0

Similar Families

  • Floxif.D
  • Kryptik.YRC
  • Macoute.A

Files Modified

File Attributes
c:\users\user\appdata\local\temp\ufs36d1.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\windows visual\windowssync.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows sync C:\Users\Ihvrgmra\AppData\Roaming\Windows Visual\WindowsSync.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
  • OpenClipboard
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
Network Winsock
  • closesocket
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
