
Trojan.Spy.KeyLogger

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 11,413
Threat Level: 80 % (High)
Infected Computers: 1,462
First Seen: July 24, 2009
Last Seen: April 4, 2026
OS(es) Affected: Windows

Aliases

12 security vendors flagged this file as malicious.

Antivirus Vendor: Detection
Symantec: Infostealer
Panda: Trj/CI.A
NOD32: probably a variant of Win32/Spy.KeyLogger
McAfee-GW-Edition: Trojan.SPY.KeyLogger.anp
McAfee: Generic PWS.y
Ikarus: Trojan-Spy.Win32.KeyLogger
F-Secure: Trojan-Spy.Win32.KeyLogger.anp
BitDefender: Trojan.Generic.368213
Avast: Win32:Spyware-gen
Authentium: W32/Trojan2.FFGA
AntiVir: TR/SPY.KeyLogger.anp
a-squared: Trojan-Spy.Win32.KeyLogger!IK

File System Details

Trojan.Spy.KeyLogger may create the following file(s):
# | File Name | MD5 | Detections
1 | yebuh.exe | 2462eeadee48be417acae99fc404c837 | 0

Analysis Report

General information

Family Name: Trojan.Spy.KeyLogger
Signature status: No Signature

Known Samples

MD5: 497d068b8308af4170d79cda63e49989
SHA1: ad265e5ec6f487defe5d9ada3aa8ab050ca93b53
SHA256: 7325851B053951BC3CAFCCECB60B44D789FDF027E3FF77BAC3D94B157CAA10FD
File Size: 49.76 KB, 49757 bytes
MD5: a59d4cf91f3678fb55f10c7ff0521a59
SHA1: d42e8ad0b841e089b12d1c63e48b49c1bccdac6e
SHA256: 94B4667E4F276BF6C3241184A5695ADB17CEF284E3D51555E2D32C1287D39CA7
File Size: 1.77 MB, 1773536 bytes
MD5: 936a695da38e5163e59d58358c5e4527
SHA1: da97df9d52b5f0a2d26078e5d9169712795a5fee
SHA256: 72D9CF6DA020226497AA46544D1E0C24AA2148C73A78D29F4036B580CE85A047
File Size: 473.60 KB, 473600 bytes
MD5: 5b40bb5393edd323a72d0dd2c23d59ad
SHA1: 51563d35cb65737a5fab22273c47e13d4c4a0549
SHA256: 7CF256E5F41E6F3ADECB949029603E454385DEA2D3AC9E1569909399323FA613
File Size: 4.95 MB, 4951179 bytes
MD5: 60e3478849c622e8eb4411e8d8116005
SHA1: 4ef9543844bd600fae8280c403db598b7918564b
SHA256: 9287FC79691616519E7078ED6760E1C987D329464E05D1114793F509A80545D2
File Size: 35.84 KB, 35840 bytes
MD5: 89db02d7e3167fbbbe8c3cfe09c5ec3d
SHA1: afd4b5371ff360dc97df3b3b274cff42ce0ad156
SHA256: 46CCD0CA63B21D1B5DE393E333C53CA09704A1D51F16C9EE4CE8B8E23CD07632
File Size: 93.41 KB, 93412 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Assembly Version: 1.0.0.0
Comments:
  • System Administrator Authentication Service
  • This installation was built with Inno Setup.
Company Name:
  • GPTRONICS
  • Microsoft
File Description:
  • GPSenha Setup
  • System Administrator Authentication Service
  • TTiger Keylogger Client
File Version:
  • 6, 0, 0, 1
  • 1.0.0.0
Internal Name:
  • SysAdmin
  • TTiger Keylogger Client.exe
Legal Copyright:
  • Copyright (C) 2006
  • Copyright © 2016
Original Filename:
  • SysAdmin.exe
  • TTiger Keylogger Client.exe
Product Name:
  • GPSenha
  • System Administrator Authentication Service
  • TTiger Keylogger Client
Product Version:
  • 6, 0, 0, 1
  • 2.0
  • 1.0.0.0

File Traits

  • .NET
  • 2+ executable sections
  • big overlay
  • CryptUnprotectData
  • HighEntropy
  • No CryptProtectData
  • No Version Info
  • Run
  • virut
  • x64
  • x86

Block Information

Total Blocks: 96
Potentially Malicious Blocks: 1
Whitelisted Blocks: 28
Unknown Blocks: 67

Visual Map

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? ? ? ? ? 0 ? ? ? ? 0 ? ? 0 ? ? ? 0 ? ? ? ? ? x ? 0 ? ? ? ? ? ? ? ? ? ? 0 0 ? ? 2 0 0 1 1 0 0 1 1 0 0 2 2 2 3 1 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Floxif.D
  • Kryptik.YRC
  • Macoute.A

Files Modified

File | Attributes
c:\users\user\appdata\local\temp\ufs36d1.tmp | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\appdata\roaming\windows visual\windowssync.exe | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144

Registry Modifications

Key::Value | Data | API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows sync | C:\Users\Ihvrgmra\AppData\Roaming\Windows Visual\WindowsSync.exe | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
  • OpenClipboard
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
Network Winsock
  • closesocket
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
Syscall Use
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtWriteFile
  • UNKNOWN
