Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | ReversingLabs: Detection: 76%
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: | Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, | 0_2_0040702D
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, 00000000.00000002.2791480565.000000000019B000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | String found in binary or memory: http://www.nirsoft.net/
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, | 0_2_0040ADA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00406073 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, | 0_2_00406073
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00405FD0 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 0_2_00405FD0
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404DE5 | 0_2_00404DE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404E56 | 0_2_00404E56
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404EC7 | 0_2_00404EC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00404F58 | 0_2_00404F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040BF6B | 0_2_0040BF6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: String function: 00412084 appears 39 times

Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: classification engine | Classification label: mal80.phis.spyw.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource, | 0_2_0040F37C
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_CURSOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_BITMAP
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_MENU
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_DIALOG
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_STRING
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_ACCELERATOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: section name: RT_GROUP_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00403C17 LoadLibraryA,GetProcAddress,strcpy, | 0_2_00403C17
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Static PE information: real checksum: 0x20c22 should be: 0x1c68c
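The checksum line above means the CheckSum field stored in the optional header (0x20c22) does not equal the value computed over the file (0x1c68c). The script below is an added example, not part of this report or of NirSoft's code; it implements the standard PE image checksum (the same folding that CheckSumMappedFile performs) so the mismatch can be reproduced outside the sandbox. The image returned by build_sample_image is a constructed, header-only buffer for demonstration, not the analysed binary. Caveat for triage: the loader enforces the checksum only for drivers and boot-time DLLs; a user-mode executable runs fine with a wrong or zero value, so a mismatch on its own says only that the file was linked without the checksum being set or was modified after linking.

```python
import struct
from typing import Tuple

# Offsets from the PE format: e_lfanew sits at 0x3C in the DOS header; CheckSum is at
# offset 64 of the optional header, which follows the 4-byte "PE\0\0" signature and the
# 20-byte COFF file header.
E_LFANEW_OFFSET = 0x3C
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64


def checksum_field_offset(data: bytes) -> int:
    """Locate the CheckSum field of a PE image by walking its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes, field_offset: int) -> int:
    """Compute the PE image checksum: fold every 32-bit word of the file (except the
    CheckSum field itself) with end-around carry, reduce to 16 bits, add the file length.
    Assumes the CheckSum field is 4-byte aligned, which holds for normally linked images."""
    padded = data + b"\0" * (-len(data) % 4)   # last partial word is zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == field_offset:
            continue
        (word,) = struct.unpack_from("<I", padded, off)
        total += word
        if total >= 1 << 32:                     # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)                     # length of the unpadded file


def check_pe(data: bytes) -> Tuple[int, int]:
    """Return (stored, computed) CheckSum values; they differ for the report's sample."""
    off = checksum_field_offset(data)
    (stored,) = struct.unpack_from("<I", data, off)
    return stored, pe_checksum(data, off)


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field set to value."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), value)
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 256-byte header-only image (not a real binary) with a deliberately
    wrong CheckSum and two words chosen to exercise both carry folds."""
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, 64)
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 68, 0x14C)        # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 88, 0x10B)        # Magic = PE32
    struct.pack_into("<I", img, 152, 0xDEADBEEF)  # stored CheckSum, wrong on purpose
    struct.pack_into("<I", img, 200, 0xFFFFFFFF)  # forces the 32-bit carry fold
    struct.pack_into("<I", img, 204, 0x00010000)  # forces the 16-bit carry fold
    return bytes(img)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_image()
    stored, computed = check_pe(image)
    print(f"stored checksum: {stored:#x}  computed: {computed:#x}  "
          f"{'OK' if stored == computed else 'MISMATCH'}")
```

Run it against a real file (`python pe_checksum.py sample.exe`) to reproduce the sandbox's "real checksum ... should be" values; with no argument it checks the constructed image, which reports a mismatch until the computed value is written back with with_checksum.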
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00412341 push ecx; ret | 0_2_00412351
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00412360 push eax; ret | 0_2_00412374
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00412360 push eax; ret | 0_2_0041239C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_0040FCBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Window / User API: foregroundWindowGot 367
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, | 0_2_004073B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: 0_2_00406282 GetVersionExA, | 0_2_00406282
Source: Yara match | File source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1536326687.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2791709876.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe PID: 5320, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword | 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword | 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: ESMTPPassword | 0_2_004033B1
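The PDB path (c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb) and the embedded nirsoft.net URL identify the sample as NirSoft's command-line Mail PassView, and the behaviour above matches that: the registry keys opened are the account stores of Outlook, Windows Live Mail, IncrediMail and Google Talk, and the named routines (PopPassword, SMTPPassword, ESMTPPassword) are the credential readers. The YARA hit on a rule written for KimJongRAT should therefore be read as "shares mail-password-recovery code or strings with that family", not as proof that this file is the RAT; what a responder actually needs from this evidence is which credential stores were touched and whether running such a tool is expected on the host. The script below, an added example that is not part of the report or of any NirSoft or Joe Sandbox code, parses evidence lines of the format used above and classifies the keys against the stores the report shows. SAMPLE_REPORT is a constructed excerpt copied from the lines above (with one duplicate added to show de-duplication); the store labels are my descriptive names, not labels from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry locations that mail/IM clients use for account settings and stored credentials.
# The keys are exactly those the report shows the sample opening; labels are assumptions.
CREDENTIAL_STORES: Dict[str, str] = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts":
        "Outlook / Outlook Express account manager",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles":
        "MAPI (Outlook) profiles",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail": "Windows Live Mail",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities": "IncrediMail identities",
    r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts": "Google Talk accounts",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt": "Windows Live ID (IdentityCRL) salt",
}

# Evidence lines look like "Source: <proc> | Key opened: <key>" or
# "Source: <proc> | Code function: <calls>, <Name> | <address>"; both regexes stop at the
# column separator so they also work when the columns are split across lines.
KEY_OPENED_RE = re.compile(r"Key opened:\s*(HKEY_[^|\r\n]+)")
PASSWORD_ROUTINE_RE = re.compile(r"Code function:[^|\r\n]*?\b(\w+Password)\b")

# Constructed excerpt of the report's evidence lines (one duplicate added on purpose).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword | 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword | 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe | Code function: ESMTPPassword | 0_2_004033B1
"""


def extract_keys(report_text: str) -> List[str]:
    """Every registry key the report records as opened, in order, without duplicates."""
    seen: List[str] = []
    for key in KEY_OPENED_RE.findall(report_text):
        key = key.strip()
        if key not in seen:
            seen.append(key)
    return seen


def classify_key(key: str) -> Optional[str]:
    """Map a key to a credential-store label, or None if it is not a tracked store.
    Case-insensitive and prefix-based, so subkeys of a store match as well."""
    k = key.lower().rstrip("\\")
    for prefix, label in CREDENTIAL_STORES.items():
        p = prefix.lower()
        if k == p or k.startswith(p + "\\"):
            return label
    return None


def triage(report_text: str) -> dict:
    """Summarise credential-store access: which stores were opened, which opened keys are
    unrelated (e.g. the SAFER policy key read by the loader), and which password routines
    the disassembly names. The verdict needs both store access and a password routine."""
    stores: List[Tuple[str, str]] = []
    other: List[str] = []
    for key in extract_keys(report_text):
        label = classify_key(key)
        (stores if label else other).append((label, key) if label else key)
    routines = sorted(set(PASSWORD_ROUTINE_RE.findall(report_text)))
    return {
        "credential_stores": stores,
        "other_keys": other,
        "password_routines": routines,
        "credential_harvesting": bool(stores) and bool(routines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for label, key in result["credential_stores"]:
        print(f"{label:45s} {key}")
    print("password routines:", ", ".join(result["password_routines"]))
    print("credential harvesting:", result["credential_harvesting"])
```

Feed it the evidence lines of another report to see which stores that sample reaches for; keys that fall into other_keys (here the Software Restriction Policies key) are the noise a blanket "registry access" rule would have flagged along with the real stores.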