Submission Summary:

What's been foundSeverity Level
Contains characteristics of an identified security risk.


Technical Details:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.


Possible Security Risk

Security RiskDescription
PSWTool.Messen!sd5 PSWTool.Messen!sd5 is a potentially unsafe program designed to access the passwords in your system.
PSWTool.NetPass!sd5 PSWTool.NetPass!sd5 is a potentially unsafe program designed to access the passwords in your system.
Application.StoragePass_Viewer StoragePass Viewer is a utility that is able to reveal passwords stored by Internet Explorer, Outlook Express and MSN Explorer.
Application.MessenPass MessenPass is used to retrieve password from various instant messenging application. It has been used by attackers with malicious intent. We recommend that Messenpass be removed unless installed for a purpose.
Application.MailPass_Viewer MailPass Viewer is a email password recovery application from NirSoft. It enables the user to view all email accounts passwords stored in email applications. We recommend that MailPass Viewer be removed unless installed for a purpose.
Adware.ProduKey ProduKey is an application which is used to retrieve Product ID and CD-Key for Microsoft applications. It can be used by attackers with malicious intent. We recommend that ProduKey be removed unless installed for a purpose.
Adware.Protected_Storage_Pass_View Protected Storage Pass View displays all passwords stored in user's protected storage. It has been used by attackers with malicious intent. We recommend that Protected Storage Pass View be removed unless installed for a purpose.

Threat CategoryDescription
A hacktool that could be used by attackers to break into a system


File System Modifications

#Filename(s)File SizeFile HashAlias
1 %Temp%\Switchblade-Siliv-1-3-0-1\autorun.inf 91 bytes MD5: 0xF4012045B45DE6B617C208AAD17C8D1D (not available)
2 %Temp%\Switchblade-Siliv-1-3-0-1\blank.ico 766 bytes MD5: 0xDE67C8A550ECFA5BAB367FEE7675A9D4 (not available)
3 %Temp%\Switchblade-Siliv-1-3-0-1\Documents\logfiles\%ComputerName%.log 3,353 bytes MD5: 0xC3647CE5CFA2FC5B1D398DD3A53782F5 (not available)
4 %Temp%\Switchblade-Siliv-1-3-0-1\Documents\logfiles\pwfile.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E (not available)
5 %Temp%\Switchblade-Siliv-1-3-0-1\folder.ico 25,214 bytes MD5: 0x0EFBFDC86BE9496D6123E5162ACA5687 (not available)
6 %Temp%\Switchblade-Siliv-1-3-0-1\README.txt 1,438 bytes MD5: 0x649456E92868B93859E4945EB2E30AB9 (not available)
7 %Temp%\Switchblade-Siliv-1-3-0-1\Thumbs.db 4,096 bytes MD5: 0x8E8D6332E1FEC5B0AA69917E5FCA8D29 (not available)
8 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\DUH.vbs 402 bytes MD5: 0x4A5140F6E510B3300C82063CD483242C (not available)
9 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.cmd 5,407 bytes MD5: 0x9DFC82253462497EDD748EF36746D054 (not available)
10 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.exe 5,120 bytes MD5: 0x8204F34555645A11D068EA8817FDD5DC (not available)
11 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\iepv.exe 40,448 bytes MD5: 0x640E7144859C57E21E489BE91998E1CC (not available)
12 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\LsaExt.dll 61,440 bytes MD5: 0x03E8E98DFE06611EAC5694CD2F2DC542 PWCrack-Pwdump [McAfee]
13 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\mspass.exe 44,032 bytes MD5: 0x588AB9262F42D01D153257CE3B71EBFE PSWTool.Messen!sd5 [PCTools]
14 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\netpass.exe 39,936 bytes MD5: 0x634FAAD6C5F06DBB88A40CBE91F9CD10 PSWTool.NetPass!sd5 [PCTools]
15 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\ProduKey.exe 31,744 bytes MD5: 0xBA312165D0B19BCD9E01B1C0B55C41FC Hacktool [Symantec]
16 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pspv.exe 52,736 bytes MD5: 0x35861F4EA9A8ECB6C357BDB91B7DF804 Application.StoragePass_Viewer [PCTools]
PWCrack-PassView [McAfee]
17 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\PwDump.exe 188,416 bytes MD5: 0x3573E1F3D7F2E39675C37E5ECE21258F PWCrack-Pwdump [McAfee]
18 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pwservice.exe 45,056 bytes MD5: 0xFE201C1F942707D645CD34EC3368ACF2 (not available)
19 %Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\wkv.exe 36,864 bytes MD5: 0xD1BF4F47ED8362D91E94CD7253972F87 (not available)
20 [file and pathname of the sample #1] 337,858 bytes MD5: 0x3B33847C20FDA540A004613A44B3533A Trojan.PWS.IcqSmiley.A [PCTools]


Memory Modifications

Process NameProcess FilenameMain Module Size
iepv.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\iepv.exe102,400 bytes
mspass.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\mspass.exe110,592 bytes
netpass.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\netpass.exe102,400 bytes
ProduKey.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\produkey.exe86,016 bytes
pspv.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\pspv.exe65,536 bytes
wkv.exe%Temp%\switchblade-siliv-1-3-0-1\wip\cmd\wkv.exe98,304 bytes
pwservice.exe%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\pwservice.exe53,248 bytes
PwDump.exe%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\PwDump.exe200,704 bytes
go.exe%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\go.exe28,672 bytes

Module NameModule FilenameAddress Space Details
LsaExt.dll%Temp%\Switchblade-Siliv-1-3-0-1\WIP\CMD\LsaExt.dllProcess name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x920000 - 0x931000


Registry Modifications


Other details

Russian Federation



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.