Keypoints
- The keylogger installs low-level global hooks (WH_KEYBOARD_LL and WH_MOUSE_LL) to record keystrokes and mouse events, and also captures clipboard contents.
- Captured data is written into a password-protected ZIP stored as %TEMP%\DT_0004.tmp, which contains a04.log; the archive password is Pass@w0rd#384.
- Analysts observed anti-analysis measures including extensive junk code and an encrypted payload that is decrypted in memory and executed without a PE header.
- Persistence is achieved by modifying the (Default) value under the Software\Microsoft\Windows\CurrentVersion\Run key so that the malware is launched at each logon.
- Hybrid Analysis reported detailed API usage (SetWindowsHookEx, ReadFile, RegCreateKeyExW, RegSetValueExW, ToUnicode, CallNextHookEx) and extracted files and strings indicative of keylogger activity.
MITRE Techniques
- [T1056.001] Input Capture: Keylogging – Uses SetWindowsHookEx with WH_KEYBOARD_LL and WH_MOUSE_LL to intercept input (‘the malware sets a global Windows hook to intercept keystrokes and mouse events’)
- [T1547.001] Registry Run Keys/Startup Folder – Achieves persistence by modifying the “(Default)” value under the Run registry key (‘the malicious process modifies the “(Default)” value found under the Run registry key in order to achieve persistence on the machine’)
- [T1027] Obfuscated Files or Information – Employs junk code to obscure execution flow and hinder analysis (‘adding a lot of junk code … to obscure the program’s execution flow and make malware analysis more difficult’)
- [T1620] Reflective Code Loading – Decrypts a payload in place, removes the PE header and redirects execution into the decrypted memory region (‘The content is decrypted and an executable is revealed … The PE file header is removed, and the rest of the content is copied to a new memory area’)
- [T1115] Clipboard Data – Steals clipboard contents using OpenClipboard and GetClipboardData (‘The keylogger also steals data from the clipboard. It uses the OpenClipboard and GetClipboardData methods’)
- [T1560] Archive Collected Data – Writes logs into a password-protected ZIP archive created in %TEMP% (‘the sample creates an archive called “DT_0004.tmp” in the “%TEMP%” directory … the file is a password protected archive that extracts a04.log’)
Indicators of Compromise
- [SHA-256] sample hash – d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a
- [File path / file name] log archive and extracted log – %TEMP%\DT_0004.tmp, a04.log
- [Password] archive password – Pass@w0rd#384
- [Analysis URL] Hybrid Analysis report – https://hybrid-analysis.com/sample/d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a/6706745c8c354c83e10ee636
A Hybrid Analysis report details a recently disclosed keylogger attributed to the North Korean actor Andariel that targets U.S. organizations. The malware installs low-level keyboard and mouse hooks (WH_KEYBOARD_LL and WH_MOUSE_LL), captures clipboard contents, and records events with timestamps; these logs are written byte-by-byte into a ZIP archive (DT_0004.tmp) in the temporary folder that contains a04.log and is protected with the password Pass@w0rd#384.
Beyond simple logging, the sample employs anti-analysis techniques: the developers padded the code with extensive junk instructions to obscure control flow, and a custom-encrypted payload is embedded in the binary. The payload is read with ReadFile and decrypted in memory; its PE header is then stripped and execution is redirected into the decrypted region, so the second stage runs from memory with no PE header for scanners or memory carvers to key on. The binary also calls SetErrorMode to suppress error dialogs that would otherwise reveal failures during execution.
For persistence, the malware uses RegCreateKeyExW and RegSetValueExW to modify the (Default) value of the Software\Microsoft\Windows\CurrentVersion\Run key, so the sample is launched at each logon. Hybrid Analysis surfaced the API calls, suspicious strings and the new file created in %TEMP%, giving threat hunters concrete indicators (hash, file name, archive password) and a structured view of the keylogger's capabilities and impact.
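As an added hunting example (this is not code from the Hybrid Analysis report or from the sample), the Python below checks Sysmon-style events for the three host artifacts described above: the known sample hash on process creation, DT_0004.tmp dropped into a temp directory, and a write to the (Default) value of a Run key. The event dictionaries are constructed for the example; the field names follow Sysmon (Image, Hashes, TargetFilename, TargetObject, Details), and the rule assumes Sysmon logs a key's default value with the suffix "(Default)".

```python
"""Hunt Sysmon-style events for the keylogger's observable host behaviour."""
import re
from dataclasses import dataclass

# IOCs taken from the report.
SAMPLE_SHA256 = "d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a"
LOG_ARCHIVE_NAME = "DT_0004.tmp"

# Assumption: Sysmon names a key's default value "(Default)"; the Run key may sit
# under HKLM or under a user hive (HKU\<SID>), so only the tail of the path is matched.
RUN_DEFAULT_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\(Default\)$", re.IGNORECASE)
# Per-user and system temp directories where %TEMP% normally resolves.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    technique: str
    detail: str


def hunt(events):
    """Return one Finding per event that matches an IOC or the persistence behaviour."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate: compare the logged hash set against the sample hash
            if SAMPLE_SHA256 in ev.get("Hashes", "").lower():
                findings.append(Finding(eid, "IOC", f"known sample hash launched: {ev['Image']}"))
        elif eid == 11:  # FileCreate: the log archive dropped in a temp directory
            target = ev.get("TargetFilename", "")
            if TEMP_DIR_RE.search(target) and target.lower().endswith("\\" + LOG_ARCHIVE_NAME.lower()):
                findings.append(Finding(eid, "T1560", f"log archive dropped in temp dir: {target}"))
        elif eid == 13:  # RegistryEvent (Value Set): (Default) value of a Run key written
            if RUN_DEFAULT_RE.search(ev.get("TargetObject", "")):
                findings.append(Finding(eid, "T1547.001",
                                        f"Run key (Default) value set to: {ev.get('Details', '')}"))
    return findings


# Constructed events (not real telemetry): three should fire, two are benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\update.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\update.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\DT_0004.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\wct1234.tmp"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\(Default)",
     "Details": r"C:\Users\victim\Downloads\update.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"EID {finding.event_id} [{finding.technique}] {finding.detail}")
```

The hash and file-name rules only catch this exact sample; the Run-key rule is behavioural, since legitimate software registers named values under Run and almost never writes the key's (Default) value, so it is the one worth keeping in a detection set after the hash rotates.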
Read more: https://hybrid-analysis.blogspot.com/2024/11/recent-keylogger-attributed-to-north.html