Riskware/PassView

Analysis

Riskware/PassView is a generic detection for a riskware, this is synonymous to Generic PUA or Generic PUP. Since this is a generic detection, riskware that are detected as Riskware/PassView may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• Files detected as Riskware/PassView fall under the category of password recovery tools and is classified as greyware.


• These files may potentially compromise or weaken a user's security by displaying the saved passwords and details from certain applications/programs on the user's computer.


• Depending on the tool, passwords may be recovered from the following applications/programs:
  • Email Clients:
    • Eudora
    • Gmail
    • IncrediMail
    • Hotmail
    • IncrediMail
    • Mozilla Thunderbird
    • Netscape
    • Outlook
  • Web Browsers:
    • Chrome
    • FireFox
    • Internet Explorer
    • Opera
    • Safari


• Below are images of the password recovery tools:
  

  Figure 1: Password recovery tool for email clients.

  
  

  Figure 2: Password recovery tool for web browser.

  
  

  Figure 3: Password recovery tool for web browser.

  
  


• Following are some of the exact file hashes associated with this detection:
  
  • Md5: 3e81668df5b7ae38fb883663020454fe
    Sha256: e61bf9bd369c8de2cf56b331b03d14773accc2857c7d52d325c1bf727c7f61ae
  • Md5: 64ce7b9de8918df073c22143a971ef9d
    Sha256: 700c053da68ba071145672e2ddba2a6189e14912ab0501f6bd5108dbdbab6eb4
  • Md5: 1258a816dcd08b85895aecf7140ed2da
    Sha256: 38929e3bf6c539a0c27e6fa10d63168bbbbe551c5b396fb06bc7a4513336f6e3

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.