Open kidu2k3 opened 8 months ago
I am experiencing this same detection as of this morning.
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/21/24
Scan Time: 2:13 AM
Log File: 8719b252-d099-11ee-b77b-a8a1595a23ba.json
-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2259
Update Package Version: 1.0.81237
License: Premium
-System Information-
OS: Windows 10 (Build 19045.3930)
CPU: x64
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 664442
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 4 min, 34 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Malware.AI.2555822905, C:\USERS\{username}\APPDATA\LOCAL\KEYBASE\KEYBASERQ.EXE, No Action By User, 1000000, -1739144391, 1.0.81237, 9B123F94809EA80F9856C339, dds, 02703331, F6334B9B77853A653BEE76F06E1A148B, 572E07C9977FCB6B8E15D67A8E4C7D30B016B6EB6668B570DE6208586A1CF8C7
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
I experienced this detection today.
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 3/10/24
Scan Time: 1:31 PM
Log File: dc19c2fe-df14-11ee-8c22-a8a159a4645b.json
-Software Information-
Version: 4.6.9.314
Components Version: 1.0.2276
Update Package Version: 1.0.82010
License: Premium
-System Information-
OS: Windows 11 (Build 22631.3235)
CPU: x64
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 461359
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 2 min, 41 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Malware.AI.3045799869, C:\USERS\NREVO\APPDATA\LOCAL\KEYBASE\KEYBASERQ.EXE, No Action By User, 1000000, -1249167427, 1.0.82010, 4C462BAEDC8310F9B58B37BD, dds, 02729884, 66621AA9FEAD152F3752BB1C8634EAB4, 2564A8AFD210AF581698E3BC72B55E85B3E630623E113BFA8E50D516E4E92D8A
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
We are seeing it with all of our users now trying to update.
Yep, Malwarebytes detects it. I assume it has to do with
dwTokenRights := uint32(syscall.TOKEN_QUERY | syscall.TOKEN_ASSIGN_PRIMARY | syscall.TOKEN_DUPLICATE | syscall.TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID)
or surrounding code.
This is commonly found in code that tries to execute with system-level privilege (not just elevated, think TrustedInstaller):
https://github.com/Mr-Un1k0d3r/Elevate-System-Trusted-BOF/blob/main/elevate_x64.c
But of course it has a lot of other uses too...
This code for de-elevation looks interesting, but I am skeptical of the implications.
Not proposing this as a solution; I don't know what the solution is.
It might be best to just contact @MalwareBytes about it.
Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 2/21/24
Protection Event Time: 12:36 PM
Log File: 0f94e3f8-d0a5-11ee-b3be-3c7c3fc35250.json
-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2259
Update Package Version: 1.0.81237
License: Premium
-System Information-
OS: Windows 11 (Build 22631.3155)
CPU: x64
File System: NTFS
User: System
-Blocked Malware Details-
File: 1
Malware.AI.2555822905, C:\Users\USER\AppData\Local\Keybase\keybaserq.exe, Quarantined, 1000000, 0, 1.0.81237, 9B123F94809EA80F9856C339, dds, 02703331, F6334B9B77853A653BEE76F06E1A148B, 572E07C9977FCB6B8E15D67A8E4C7D30B016B6EB6668B570DE6208586A1CF8C7
###########################
02/21/24 " 12:36:04.020" 6904750 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::LogExceptionDetails "HttpConnection.cpp" 1791 "Exception details: text=Host not found: telemetry.malwarebytes.com"
02/21/24 " 12:36:04.020" 6904750 0fe4 1a6c WARNING TelemCtrlImpl TelemetryControllerImpl::SendTelemetryRecord "TelemetryControllerImplHelper.cpp" 2535 "Problem sending JSON data to DSE stream [malware] - server returned: -3"
02/21/24 " 12:36:04.046" 6904765 0fe4 0a70 INFO MwacControllerImpl mb::mwaccontrollerimpl::MwacControllerImpl::AddExclusion "mwaccontrollerimplhelper.cpp" 1948 "Successfully added exclusion of type=0, path=C:\Users\USER\AppData\Local\Keybase\Gui\Keybase.exe."
02/21/24 " 12:36:04.046" 6904765 0fe4 166c INFO MWACControllerCOM CMWACController::TelemetryDataCallbackV3 "mwaccontroller.cpp" 1905 "Successfully sent the block event data to telemetry server."
02/21/24 " 12:36:04.084" 6904812 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 374 "HTTP POST - host not found"
02/21/24 " 12:36:04.084" 6904812 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::LogExceptionDetails "HttpConnection.cpp" 1791 "Exception details: text=Host not found: telemetry.malwarebytes.com"
02/21/24 " 12:36:04.084" 6904812 0fe4 1a6c WARNING TelemCtrlImpl TelemetryControllerImpl::SendTelemetryRecord "TelemetryControllerImplHelper.cpp" 2535 "Problem sending JSON data to DSE stream [malware] - server returned: -3"
02/21/24 " 12:36:09.010" 6909734 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 374 "HTTP POST - host not found"
02/21/24 " 12:36:09.010" 6909734 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::LogExceptionDetails "HttpConnection.cpp" 1791 "Exception details: text=Host not found: telemetry.malwarebytes.com"
02/21/24 " 12:36:09.010" 6909734 0fe4 1a6c WARNING TelemCtrlImpl TelemetryControllerImpl::SendTelemetryRecord "TelemetryControllerImplHelper.cpp" 2535 "Problem sending JSON data to DSE stream [malware] - server returned: -3"
02/21/24 " 12:36:09.085" 6909814 3b1c 39d0 INFO MBAMChameleon ProcessNotify "procprot.c" 562 "Trusted process terminating. 0000000000003B1C (\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbam.exe)"
02/21/24 " 12:36:12.263" 6912982 03e4 3988 WARNING MBAMProtection IsFileMarkedForDeletion "filter.c" 237 "FltQueryInformationFile failed with status 0xc0000002"
02/21/24 " 12:36:23.619" 6924343 0fe4 0f70 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx "ruleswhitelister.cpp" 76 "Checking rules white listing for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:23.619" 6924343 0fe4 0f70 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx "ruleswhitelister.cpp" 108 "Rules white listing has been disabled for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:23.632" 6924359 0fe4 0f70 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::HubbleCache::GetValueFromCache::::operator () "hubblecache.cpp" 273 "Found hash 'shuriken|572E07C9977FCB6B8E15D67A8E4C7D30B016B6EB6668B570DE6208586A1CF8C7' in Hubble cache, white list status = 'WhiteListed'"
02/21/24 " 12:36:23.632" 6924359 0fe4 0f70 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus "whitelistmanager.cpp" 302 "White list status: File 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe' F6334B9B77853A653BEE76F06E1A148B (shuriken) => Hubble:WhiteListed"
02/21/24 " 12:36:23.652" 6924375 0fe4 18d4 INFO DDSScanner DDSScanner::Scan "ddsscanner.cpp" 629 "=> Settings for Malware.AI.2555822905: C:\Users\USER\AppData\Local\Keybase\keybaserq.exe"
02/21/24 " 12:36:23.652" 6924375 0fe4 18d4 INFO DDSScanner DDSScanner::Scan "ddsscanner.cpp" 632 "MS=1 IM=0 IS=0 Status=5 IO=0 DG=0 MMI=0 MH1KMI=0 MHN1KMI=0"
02/21/24 " 12:36:23.652" 6924375 0fe4 18d4 INFO DDSScanner DDSScanner::Scan "ddsscanner.cpp" 648 "TN: Malware.AI.2555822905,Malware.Heuristic.2027"
02/21/24 " 12:36:23.652" 6924375 0fe4 18d4 INFO DDSScanner DDSScanner::Scan "ddsscanner.cpp" 664 "CM: 0,1"
02/21/24 " 12:36:23.666" 6924390 0fe4 1904 INFO RTPControllerImpl mb::rtpcontrollerimpl::RTPControllerImpl::DispositionObject "rtpcontrollerimplhelper.cpp" 3086 "File was classified as a threat, FilePath = [C:\Users\USER\AppData\Local\Keybase\keybaserq.exe]."
02/21/24 " 12:36:23.666" 6924390 0fe4 1904 INFO RTPControllerImpl mb::rtpcontrollerimpl::RTPControllerImpl::HasSuspiciousPath "rtpcontrollerimplhelper.cpp" 9252 "File matches path heuristic, C:\USERS\USER\APPDATA\LOCAL\KEYBASE\KEYBASERQ.EXE."
02/21/24 " 12:36:23.685" 6924406 0fe4 1904 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx "ruleswhitelister.cpp" 76 "Checking rules white listing for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.454" 6925171 0fe4 1904 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::HubbleWhiteLister::AreFilesWhiteListed "hubblewhitelister.cpp" 526 "Response body from Hubble request: {""results"":[{""reclassify"":true,""sha256"":""572e07c9977fcb6b8e15d67a8e4c7d30b016b6eb6668b570de6208586a1cf8c7"",""md5"":""f6334b9b77853a653bee76f06e1a148b"",""classification"":""UNKNOWN"",""trust_always"":false,""trust_expires_at"":60,""send_file"":false}]}"
02/21/24 " 12:36:24.454" 6925171 0fe4 1904 INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus "whitelistmanager.cpp" 302 "White list status: File 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe' F6334B9B77853A653BEE76F06E1A148B (dds) => None:Unknown"
02/21/24 " 12:36:24.455" 6925187 0fe4 1904 INFO RTPControllerImpl mb::rtpcontrollerimpl::RTPControllerImpl::DispositionObject "rtpcontrollerimplhelper.cpp" 3229 "AutoClean is true, blocking and quarantining file [C:\Users\USER\AppData\Local\Keybase\keybaserq.exe]."
02/21/24 " 12:36:24.487" 6925218 0fe4 1a8c INFO CleanControllerImpl Cleaner::Clean "cleaner.cpp" 60 "Start of clean, client '', detection results 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\RtpDetections\0f94e3f8-d0a5-11ee-b3be-3c7c3fc35250.json'"
02/21/24 " 12:36:24.526" 6925250 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::SendRequest "HttpConnection.cpp" 374 "HTTP POST - host not found"
02/21/24 " 12:36:24.526" 6925250 0fe4 1a6c WARNING HttpConnection mb::common::net::HttpConnection::LogExceptionDetails "HttpConnection.cpp" 1791 "Exception details: text=Host not found: telemetry.malwarebytes.com"
02/21/24 " 12:36:24.526" 6925250 0fe4 1a6c WARNING TelemCtrlImpl TelemetryControllerImpl::SendTelemetryRecord "TelemetryControllerImplHelper.cpp" 2535 "Problem sending JSON data to DSE stream [malware] - server returned: -3"
02/21/24 " 12:36:24.912" 6925640 0fe4 1a8c INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::RulesWhiteLister::IsObjectWhiteListedEx "ruleswhitelister.cpp" 76 "Checking rules white listing for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.913" 6925640 0fe4 1a8c INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::SignatureWhiteLister::IsObjectWhiteListedEx "signaturewhitelister.cpp" 126 "SignatureWhiteLister skipped due to disable flag set for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.913" 6925640 0fe4 1a8c INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::HubbleWhiteLister::GetWhiteListStatus "hubblewhitelister.cpp" 207 "Hubble white listing has been disabled for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.914" 6925640 0fe4 1a8c INFO CleanControllerImpl mb::cleanctlrimpl::whitelist::WhiteListManager::LogWhiteListStatus "whitelistmanager.cpp" 302 "White list status: File 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe' F6334B9B77853A653BEE76F06E1A148B (dds) => None:Unknown"
02/21/24 " 12:36:24.914" 6925640 0fe4 1a8c INFO CleanControllerImpl PreCleanEngine::GetCleanItemsFromDetectionResultsPreCleanNotStarted "precleanengine.cpp" 364 "Post-cleanup actions not supported for RTP detections"
02/21/24 " 12:36:24.914" 6925640 0fe4 1a8c INFO CleanControllerImpl PreCleanEngine::AddLinkedTraces "precleanengine.cpp" 953 "Getting linked traces"
02/21/24 " 12:36:24.914" 6925640 0fe4 1a8c INFO CleanControllerImpl QuarantineEngine::QuarantineFile "quarantineengine.cpp" 531 "Quarantining C:\Users\USER\AppData\Local\Keybase\keybaserq.exe"
02/21/24 " 12:36:24.924" 6925656 0fe4 1a8c INFO CleanControllerImpl Cleaner::RemediateAndWriteMetadata "cleaner.cpp" 349 "Starting cleaning of File C:\Users\USER\AppData\Local\Keybase\keybaserq.exe"
02/21/24 " 12:36:24.924" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::RemediateFile "removalengine.cpp" 1532 "Cleaning file 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe', anti-rootkit = false"
02/21/24 " 12:36:24.927" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::DeleteFileAPI "removalengine.cpp" 1862 "Deleting file 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe', resolved path = 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.931" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::LogCleanResult "removalengine.cpp" 2075 "Succeeded cleaning file 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe' (pending ver)"
02/21/24 " 12:36:24.931" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::CompleteVerification "removalengine.cpp" 152 "Completing verification step."
02/21/24 " 12:36:24.932" 6925656 0fe4 1a8c WARNING mb::common::io::NtFileSystemUtils::QueryFileObjectAttributes "ntfilesystemutils.cpp" 301 "Error getting attributes for 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe', error = 'The system cannot find the file specified. ' (0xc0000034)"
02/21/24 " 12:36:24.932" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::GetVerificationDataAndDrives "removalengine.cpp" 2640 "Fixed drives 'C:'"
02/21/24 " 12:36:24.932" 6925656 0fe4 1a8c INFO CleanControllerImpl RemovalEngine::VerifyFilesRemoval "removalengine.cpp" 2480 "Verifying files have been deleted with DDA"
02/21/24 " 12:36:24.972" 6925703 0fe4 1a8c INFO CleanControllerImpl QuarantineEngine::CopyMetadataToQuarantine "quarantineengine.cpp" 181 "Copying quarantine metadata for C:\Users\USER\AppData\Local\Keybase\keybaserq.exe"
02/21/24 " 12:36:24.973" 6925703 0fe4 1a8c INFO CleanController CCleanController::SendQuarantineActionDataToTelemetry "cleancontroller.cpp" 2790 "Sending quarantine action data to telemetry controller, id=0f94e3f9-d0a5-11ee-8e7e-3c7c3fc35250, action=1"
02/21/24 " 12:36:24.973" 6925703 0fe4 1a8c INFO CleanControllerImpl QuarantineEngine::LogQuarantineResult "quarantineengine.cpp" 991 "Succeeded quarantining File 'C:\Users\USER\AppData\Local\Keybase\keybaserq.exe'"
02/21/24 " 12:36:24.973" 6925703 0fe4 1a8c INFO CleanControllerImpl Cleaner::RebuildSystemRegistryValues "cleaner.cpp" 539 "Rebuilding system registry values."
02/21/24 " 12:36:24.974" 6925703 0fe4 1a8c INFO CleanControllerImpl Cleaner::RebuildRegistryValue "cleaner.cpp" 529 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, from 'scecli^^' to 'scecli'."
02/21/24 " 12:36:24.974" 6925703 0fe4 1a8c INFO CleanControllerImpl Cleaner::RebuildRegistryValue "cleaner.cpp" 529 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages, from '""""^^' to '""""'."
02/21/24 " 12:36:24.974" 6925703 0fe4 1a8c INFO CleanControllerImpl Cleaner::RebuildRegistryValue "cleaner.cpp" 529 "Successfully rebuilt registry value at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages, from 'msv1_0^^' to 'msv1_0'."
###############
https://www.malwarebytes.com/blog/detections/malware-ai
(end)
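The scan logs and the blocked-malware record above all carry the same comma-separated file record (detection name, path, action taken, engine metadata, then MD5 and SHA256), and the RTP log shows the decision chain: the Hubble cache hit, the UNKNOWN reclassification, the Malware.AI verdict, the "path heuristic" on the AppData\Local path, and AutoClean quarantining. The following is an added example written for this thread, not Keybase or Malwarebytes code. It parses those records out of a log, lets you check that the SHA256 in the log is the SHA256 of the binary you actually have (or of the installer you downloaded) before restoring or excluding it, and approximates the per-user-directory heuristic. The field layout is inferred from the posted records, the heuristic is an assumption (Malwarebytes does not publish the rule), and the sample log is constructed from the records in this thread.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Detection is one file record from a Malwarebytes scan or protection log,
// as seen in the "File: 1" lines posted in this thread.
type Detection struct {
	Name   string // detection name, e.g. Malware.AI.2555822905
	Path   string // path of the flagged file
	Action string // "No Action By User", "Quarantined", ...
	MD5    string
	SHA256 string
}

var hexRe = regexp.MustCompile(`^[0-9A-Fa-f]+$`)

func isHex(s string, n int) bool { return len(s) == n && hexRe.MatchString(s) }

// parseDetection parses a single record. The record may be preceded by the
// "File: N" header on the same line (the protection log and some scan logs in
// this thread are flattened that way). Field layout is inferred from the
// posted logs (assumption): name, path, action, engine/update metadata, then
// MD5 and SHA256 last. Only those fixed positions are used, so the number of
// metadata fields in between does not matter.
func parseDetection(line string) (Detection, bool) {
	line = strings.TrimSpace(line)
	if i := strings.Index(line, "File: "); i >= 0 {
		line = strings.TrimLeft(line[i+len("File: "):], "0123456789 ")
	}
	f := strings.Split(line, ", ")
	if len(f) < 11 {
		return Detection{}, false
	}
	md5sum, sha := f[len(f)-2], f[len(f)-1]
	if !isHex(md5sum, 32) || !isHex(sha, 64) {
		return Detection{}, false
	}
	return Detection{Name: f[0], Path: f[1], Action: f[2], MD5: md5sum, SHA256: sha}, true
}

// ParseDetections walks a whole log and returns every file detection record.
func ParseDetections(log string) []Detection {
	var out []Detection
	for _, line := range strings.Split(log, "\n") {
		if d, ok := parseDetection(line); ok {
			out = append(out, d)
		}
	}
	return out
}

// HashMatches reports whether content hashes to the SHA256 the log recorded.
// Tie the log entry to the binary on disk or to the installer you downloaded
// before deciding to restore or exclude the file.
func HashMatches(d Detection, content []byte) bool {
	sum := sha256.Sum256(content)
	return strings.EqualFold(hex.EncodeToString(sum[:]), d.SHA256)
}

// InPerUserInstallDir approximates the "path heuristic" the RTP log mentions:
// the file lives under a per-user, user-writable AppData\Local directory.
// The exact rule is not published; this is an assumption for illustration.
func InPerUserInstallDir(path string) bool {
	return strings.Contains(strings.ToUpper(path), `\APPDATA\LOCAL\`)
}

// sampleLog is constructed from the records posted in this thread.
const sampleLog = `-Scan Details-
File: 1
Malware.AI.2555822905, C:\USERS\{username}\APPDATA\LOCAL\KEYBASE\KEYBASERQ.EXE, No Action By User, 1000000, -1739144391, 1.0.81237, 9B123F94809EA80F9856C339, dds, 02703331, F6334B9B77853A653BEE76F06E1A148B, 572E07C9977FCB6B8E15D67A8E4C7D30B016B6EB6668B570DE6208586A1CF8C7
Physical Sector: 0
File: 1 Malware.AI.3045799869, C:\USERS\NREVO\APPDATA\LOCAL\KEYBASE\KEYBASERQ.EXE, No Action By User, 1000000, -1249167427, 1.0.82010, 4C462BAEDC8310F9B58B37BD, dds, 02729884, 66621AA9FEAD152F3752BB1C8634EAB4, 2564A8AFD210AF581698E3BC72B55E85B3E630623E113BFA8E50D516E4E92D8A
-Blocked Malware Details- File: 1 Malware.AI.2555822905, C:\Users\USER\AppData\Local\Keybase\keybaserq.exe, Quarantined, 1000000, 0, 1.0.81237, 9B123F94809EA80F9856C339, dds, 02703331, F6334B9B77853A653BEE76F06E1A148B, 572E07C9977FCB6B8E15D67A8E4C7D30B016B6EB6668B570DE6208586A1CF8C7`

func main() {
	for _, d := range ParseDetections(sampleLog) {
		fmt.Printf("%s  %s\n  action=%q  per-user dir=%v\n  md5=%s\n  sha256=%s\n",
			d.Name, d.Path, d.Action, InPerUserInstallDir(d.Path), d.MD5, d.SHA256)
	}
}
```

To use it on a real case, read the quarantined or freshly downloaded keybaserq.exe into memory and call HashMatches with the Detection parsed from your own log; a mismatch means the log and the file you are looking at are not the same binary and the log's hash should not be used to justify an exclusion.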