WebBrowserPassView[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

WebBrowserPassView.exe
Size

361KB
MD5

09078828931a04c2a3f95db7641ce805
SHA1

32f91aae5803d710b398eacf57eedce6e2047f29
SHA256

cb29097bc5b9ff161d0457b271dd3a49b5b916f82e2c1f16ece96383981285d6
SHA512

d7f99a057a27a23128a992bb82abcdc2a34ff72ec1cdc723cb89bca9f01191fc2a647ec818d997f6f7609f4bae049e7d78ed2fa5c958fb28a0a537ae279b8b9f
SSDEEP

6144:6l3F4O8iCSPnDmDvbXGFtv9cVs68ZV6kjEGTjX93eIb1AtcGkihvn:aFXpDmDLDX86kj/NuQMk6n

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
sample	WebBrowserPassView

Files

WebBrowserPassView.exe
.exe windows x86

72f8577f4311144f53af1bd738fb6e13

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

f6:dd:f7:75:a0:10:39:c7:27:97:ae:42:9f:f9:1c:09:f0:de:93:0d:f0:11:ee:d1:8b:8a:69:25:99:9d:2b:0e
Signer

Actual PE Digest

f6:dd:f7:75:a0:10:39:c7:27:97:ae:42:9f:f9:1c:09:f0:de:93:0d:f0:11:ee:d1:8b:8a:69:25:99:9d:2b:0e

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

01/07/2017, 18:36
Valid: true

Chain 1

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

bd:f0:16:10:fc:87:d0:8b:99:d6:8d:b4:4a:ce:52:a8:80:fe:27:90
Signer

Actual PE Digest

bd:f0:16:10:fc:87:d0:8b:99:d6:8d:b4:4a:ce:52:a8:80:fe:27:90

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

01/07/2017, 18:36
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
wcscat
__set_app_type
_controlfp
_gmtime64
_itow
_wcslwr
strchr
_strlwr
_initterm
wcsncmp
memmove
free
modf
_memicmp
wcstoul
malloc
_XcptFilter
_wtoi64
strcmp
strcpy
wcsrchr
__wgetmainargs
_wcmdln
exit
_wcsupr
_cexit
_wcsnicmp
??2@YAPAXI@Z
??3@YAXPAX@Z
memcmp
_purecall
wcslen
wcscmp
abs
log
_wtoi
_wcsicmp
wcschr
memcpy
wcscpy
memset
strlen
wcsncat
_snwprintf
_except_handler3
_exit
_c_exit
_onexit
__dllonexit
memchr
strftime
realloc

comctl32

ord17
ImageList_Create
ImageList_AddMasked
ImageList_SetImageCount
ImageList_ReplaceIcon
CreateToolbarEx
CreateStatusWindowW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

wininet

FindFirstUrlCacheEntryW
FindCloseUrlCache
FindNextUrlCacheEntryW

kernel32

GetFullPathNameW
AreFileApisANSI
EnterCriticalSection
GetSystemTime
LockFileEx
FormatMessageA
GetSystemTimeAsFileTime
GetTempPathA
UnlockFileEx
LockFile
UnlockFile
InterlockedCompareExchange
DeleteCriticalSection
GetFileAttributesExW
GetDiskFreeSpaceW
DeleteFileA
GetFullPathNameA
InitializeCriticalSection
GetModuleHandleA
GetStartupInfoW
FlushFileBuffers
QueryPerformanceCounter
GetFileAttributesA
LeaveCriticalSection
SetEndOfFile
GetSystemInfo
Sleep
GetDiskFreeSpaceA
CreateFileA
EnumResourceTypesW
CreateToolhelp32Snapshot
LocalFree
GetFileSize
SystemTimeToFileTime
CloseHandle
FileTimeToLocalFileTime
DeleteFileW
CopyFileW
CreateFileW
CompareFileTime
LoadLibraryW
GetProcAddress
FreeLibrary
GetLastError
FileTimeToSystemTime
GetTickCount
SetFilePointerEx
GetCurrentDirectoryW
ExpandEnvironmentStringsW
WideCharToMultiByte
MultiByteToWideChar
GlobalLock
GetFileTime
GetDateFormatW
FormatMessageW
GetTempFileNameW
GetVersionExW
FindClose
FindFirstFileW
GetModuleHandleW
GetTimeFormatW
SetFilePointer
GetWindowsDirectoryW
GetFileAttributesW
ReadFile
GetModuleFileNameW
WriteFile
LockResource
lstrcpyW
FindResourceW
lstrlenW
LoadResource
SystemTimeToTzSpecificLocalTime
LoadLibraryExW
GlobalAlloc
GlobalUnlock
GetTempPathW
FindNextFileW
SizeofResource
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetCurrentProcess
DuplicateHandle
GetCurrentProcessId
OpenProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileIntW
EnumResourceNamesW
GetStdHandle
SetErrorMode
ReadProcessMemory
ExitProcess
SetCurrentDirectoryW
Process32FirstW
Process32NextW

user32

DrawTextExW
GetMessageW
PostQuitMessage
TrackPopupMenu
RegisterWindowMessageW
GetKeyState
DispatchMessageW
TranslateMessage
IsDialogMessageW
DestroyMenu
GetDlgCtrlID
GetMenuItemInfoW
ModifyMenuW
LoadMenuW
ChildWindowFromPoint
LoadCursorW
SetCursor
GetSysColorBrush
ShowWindow
SetWindowTextW
SetDlgItemInt
UpdateWindow
SetDlgItemTextW
GetDlgItemTextW
GetClientRect
GetSystemMetrics
DeferWindowPos
CreateWindowExW
GetWindowRect
SendDlgItemMessageW
GetDlgItemInt
EndDialog
SetWindowLongW
GetDlgItem
GetWindow
InvalidateRect
GetWindowPlacement
LoadAcceleratorsW
DefWindowProcW
SendMessageW
PostMessageW
RegisterClassW
MessageBoxW
TranslateAcceleratorW
SetMenu
SetWindowPlacement
LoadImageW
LoadIconW
GetWindowLongW
SetFocus
KillTimer
GetParent
SetTimer
BeginDeferWindowPos
EndDeferWindowPos
GetMenuStringW
CheckMenuItem
GetMenuItemCount
CloseClipboard
CheckMenuRadioItem
GetCursorPos
SetClipboardData
EnableWindow
GetSysColor
MapWindowPoints
GetMenu
GetDC
GetSubMenu
EmptyClipboard
EnableMenuItem
ReleaseDC
GetClassNameW
OpenClipboard
MoveWindow
DialogBoxParamW
CreateDialogParamW
EnumChildWindows
LoadStringW
DestroyWindow
SetWindowPos
GetWindowTextW

gdi32

SetBkColor
SelectObject
GetDeviceCaps
SetBkMode
SetTextColor
DeleteObject
CreateFontIndirectW
GetTextExtentPoint32W
GetStockObject

comdlg32

GetSaveFileNameW
GetOpenFileNameW
FindTextW

advapi32

RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW
RegEnumValueW
RegCloseKey

shell32

SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
ShellExecuteW

ole32

CoUninitialize
CoInitialize
CoTaskMemFree

Sections

.text
Size: 270KB - Virtual size: 270KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

72f8577f4311144f53af1bd738fb6e13

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

f6:dd:f7:75:a0:10:39:c7:27:97:ae:42:9f:f9:1c:09:f0:de:93:0d:f0:11:ee:d1:8b:8a:69:25:99:9d:2b:0eSigner

Signature Validations

Verification

01/07/2017, 18:36 Valid: true

Chain 1

bd:f0:16:10:fc:87:d0:8b:99:d6:8d:b4:4a:ce:52:a8:80:fe:27:90Signer

Signature Validations

Verification

01/07/2017, 18:36 Valid: false

Headers

File Characteristics

Imports

msvcrt

comctl32

version

wininet

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 270KB - Virtual size: 270KB

.rdata Size: 46KB - Virtual size: 46KB

.data Size: 5KB - Virtual size: 11KB

.rsrc Size: 26KB - Virtual size: 26KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

f6:dd:f7:75:a0:10:39:c7:27:97:ae:42:9f:f9:1c:09:f0:de:93:0d:f0:11:ee:d1:8b:8a:69:25:99:9d:2b:0e
Signer

01/07/2017, 18:36
Valid: true

bd:f0:16:10:fc:87:d0:8b:99:d6:8d:b4:4a:ce:52:a8:80:fe:27:90
Signer

01/07/2017, 18:36
Valid: false

.text
Size: 270KB - Virtual size: 270KB

.rdata
Size: 46KB - Virtual size: 46KB

.data
Size: 5KB - Virtual size: 11KB

.rsrc
Size: 26KB - Virtual size: 26KB