PasswordFox64[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

PasswordFox64.exe
Size

138KB
MD5

d1c619a76f646f44c6ac4c284c282510
SHA1

9605ad4adc7de7f53fa7d99e6f32082da90831a1
SHA256

7fee96ae0ed1972a80abbd4529dc81ec033083857455bbf3c803c4f47e1ac31c
SHA512

3dd9270fe6abfa9b41830efdf9880d847ddeef7de9d5a859d4d0f3534785b43544011e50f90f03e49ad5529fe9c97e489bc24913e3c81c8634cdf1421a1d8964
SSDEEP

3072:CozrqvXnBlJuse+j6aiUcybOO1P/PNXDrXQjOotWBT4gVZSH7BAXNs:CoziB6JyHgjOotWR4g6NAXO

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

PasswordFox64.exe
.exe windows x64

dbb40f8cbd296a97d55674032d14649c

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7d:7d:1b:9e:26:66:9d:17:d6:07:b9:29:ee:5a:77:ae:a2:60:4c:77:5f:b4:6d:a3:e1:74:65:7e:01:0d:fd:2b
Signer

Actual PE Digest

7d:7d:1b:9e:26:66:9d:17:d6:07:b9:29:ee:5a:77:ae:a2:60:4c:77:5f:b4:6d:a3:e1:74:65:7e:01:0d:fd:2b

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

05/11/2017, 10:21
Valid: true

Chain 1

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

4c:c1:11:dc:44:35:78:ac:bc:1f:59:40:8e:75:dd:a0:6f:d9:5a:40
Signer

Actual PE Digest

4c:c1:11:dc:44:35:78:ac:bc:1f:59:40:8e:75:dd:a0:6f:d9:5a:40

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

05/11/2017, 10:21
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

comctl32

CreateToolbarEx
CreateStatusWindowW
ImageList_ReplaceIcon
ImageList_AddMasked
ImageList_SetImageCount
ImageList_Create
ord17

msvcrt

_initterm
__wgetmainargs
_wcmdln
exit
_cexit
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
__dllonexit
_wcslwr
__setusermatherr
_purecall
_itow
memmove
_memicmp
free
wcschr
modf
memcmp
wcstoul
malloc
strcpy
_commode
_fmode
__set_app_type
_wtoi
_wtoi64
strcmp
_wcsnicmp
wcsrchr
??3@YAXPEAX@Z
??2@YAPEAX_K@Z
memcpy
wcscmp
_wcsicmp
wcslen
_ultow
abs
log
wcscpy
memset
strlen
_snwprintf
wcsncat
wcscat

kernel32

GetStartupInfoW
EnumResourceTypesW
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
SetCurrentDirectoryW
GetCurrentProcessId
ExitProcess
ReadProcessMemory
GetCurrentProcess
SetErrorMode
DeleteFileW
EnumResourceNamesW
GetPrivateProfileIntW
WritePrivateProfileStringW
GetPrivateProfileStringW
CompareFileTime
WriteFile
WideCharToMultiByte
LoadLibraryW
FileTimeToSystemTime
GetProcAddress
FreeLibrary
SystemTimeToFileTime
GetCurrentDirectoryW
ExpandEnvironmentStringsW
MultiByteToWideChar
GetFileSize
CloseHandle
GetDateFormatW
SizeofResource
GetLastError
GetTempFileNameW
GlobalLock
FormatMessageW
GetVersionExW
FindNextFileW
FindFirstFileW
GetModuleHandleW
GetFileTime
FindClose
GetTimeFormatW
GetFileAttributesW
ReadFile
GetModuleFileNameW
GetWindowsDirectoryW
CreateFileW
FileTimeToLocalFileTime
FindResourceW
LoadResource
LocalFree
SystemTimeToTzSpecificLocalTime
GlobalAlloc
LockResource
LoadLibraryExW
GlobalUnlock
GetTempPathW

user32

RegisterWindowMessageW
DispatchMessageW
DrawTextExW
TranslateMessage
IsDialogMessageW
GetMessageW
PostQuitMessage
ChildWindowFromPoint
SetCursor
LoadCursorW
GetSysColorBrush
ShowWindow
InvalidateRect
EndPaint
GetWindow
DrawFrameControl
SetDlgItemInt
SetWindowTextW
UpdateWindow
SetDlgItemTextW
BeginPaint
GetDlgItemTextW
GetClientRect
GetSystemMetrics
DeferWindowPos
CreateWindowExW
SendDlgItemMessageW
EndDialog
GetWindowRect
GetDlgItem
GetDlgItemInt
TranslateAcceleratorW
SetMenu
SetWindowPos
GetWindowPlacement
LoadAcceleratorsW
DefWindowProcW
SendMessageW
PostMessageW
RegisterClassW
MessageBoxW
GetParent
LoadImageW
LoadIconW
GetWindowLongW
SetWindowLongW
SetFocus
EndDeferWindowPos
BeginDeferWindowPos
GetMenuItemCount
CheckMenuItem
GetMenuStringW
GetCursorPos
SetClipboardData
GetSysColor
EnableWindow
CloseClipboard
MapWindowPoints
GetMenu
GetDC
EmptyClipboard
GetSubMenu
EnableMenuItem
ReleaseDC
GetClassNameW
OpenClipboard
MoveWindow
GetDlgCtrlID
DestroyMenu
DialogBoxParamW
CreateDialogParamW
EnumChildWindows
LoadStringW
DestroyWindow
GetWindowTextW
LoadMenuW
ModifyMenuW
GetMenuItemInfoW
TrackPopupMenu

gdi32

SetBkMode
CreateFontIndirectW
SetTextColor
GetDeviceCaps
SelectObject
SetBkColor
DeleteObject
GetStockObject
GetTextExtentPoint32W

comdlg32

GetSaveFileNameW
FindTextW

advapi32

RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegEnumKeyExW

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
SHGetMalloc
SHGetFileInfoW
ShellExecuteW

ole32

CoUninitialize
CoInitialize

Sections

.text
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dbb40f8cbd296a97d55674032d14649c

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

7d:7d:1b:9e:26:66:9d:17:d6:07:b9:29:ee:5a:77:ae:a2:60:4c:77:5f:b4:6d:a3:e1:74:65:7e:01:0d:fd:2bSigner

Signature Validations

Verification

05/11/2017, 10:21 Valid: true

Chain 1

4c:c1:11:dc:44:35:78:ac:bc:1f:59:40:8e:75:dd:a0:6f:d9:5a:40Signer

Signature Validations

Verification

05/11/2017, 10:21 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

comctl32

msvcrt

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 84KB - Virtual size: 84KB

.rdata Size: 21KB - Virtual size: 20KB

.data Size: 1KB - Virtual size: 6KB

.pdata Size: 4KB - Virtual size: 4KB

.rsrc Size: 14KB - Virtual size: 13KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

7d:7d:1b:9e:26:66:9d:17:d6:07:b9:29:ee:5a:77:ae:a2:60:4c:77:5f:b4:6d:a3:e1:74:65:7e:01:0d:fd:2b
Signer

05/11/2017, 10:21
Valid: true

4c:c1:11:dc:44:35:78:ac:bc:1f:59:40:8e:75:dd:a0:6f:d9:5a:40
Signer

05/11/2017, 10:21
Valid: false

.text
Size: 84KB - Virtual size: 84KB

.rdata
Size: 21KB - Virtual size: 20KB

.data
Size: 1KB - Virtual size: 6KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 14KB - Virtual size: 13KB