Windows Analysis Report
SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Analysis ID: 1446234
MD5: a878dd0345c3721d93791ab68fcc1faf
SHA1: 4982b21603e872f148b8ff1f9336dbd448d6abb5
SHA256: 8458cddbadb39ca77e624b8dc5f28db74d14b03f0e573bb97dce2ebd5f2e6f05
Tags: exe

Detection

MailPassView
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MailPassView
Machine Learning detection for sample
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe ReversingLabs: Detection: 76%
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 0_2_0040702D
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, 00000000.00000002.2791480565.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe String found in binary or memory: http://www.nirsoft.net/
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_0040ADA4 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 0_2_0040ADA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00406073 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00406073
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00405FD0 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 0_2_00405FD0

System Summary

Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00404DE5 0_2_00404DE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00404E56 0_2_00404E56
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00404EC7 0_2_00404EC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00404F58 0_2_00404F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_0040BF6B 0_2_0040BF6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: String function: 00412084 appears 39 times
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: classification engine Classification label: mal80.phis.spyw.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_0040F37C FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_0040F37C
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe File opened: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_CURSOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_BITMAP
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_MENU
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_DIALOG
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_STRING
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_ACCELERATOR
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: section name: RT_GROUP_ICON
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00403C17 LoadLibraryA,GetProcAddress,strcpy, 0_2_00403C17
Source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Static PE information: real checksum: 0x20c22 should be: 0x1c68c
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00412341 push ecx; ret 0_2_00412351
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00412360 push eax; ret 0_2_00412374
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00412360 push eax; ret 0_2_0041239C
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_0040FCBC memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0040FCBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Window / User API: foregroundWindowGot 367
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 0_2_004073B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: 0_2_00406282 GetVersionExA, 0_2_00406282

Stealing of Sensitive Information

Source: Yara match File source: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2791537341.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1536326687.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2791709876.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe PID: 5320, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 0_2_00402D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.PassView.1835.14688.26789.exe Code function: ESMTPPassword 0_2_004033B1
No contacted IP infos