Advice Request: PasswordFox, false alarm or really malware?


giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
Hi
PasswordFox is a tool to export Firefox passwords, and it can save them in many ways, even as a KeePass CSV file.

The last version is protected by the password nspsfx403!
Code:
nspsfx403!

and many antivirus engines mark it as malware
virustotal

NirSoft releases amazing utilities, just look at the list
nirsoftware list

Do you think PasswordFox is really malware?
Some antivirus engines mark it as potentially unsafe, others as malware.

And can I ask what you use to export your Firefox passwords?
thanks
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779

Based on what some of the other engines say, it seems like it's labeled as a hacktool because of its ability to reveal passwords already stored on the user's machine. I suspect this was probably used as part of some piece of ransomware to exfiltrate passwords from the browser, which is why it's now labeled across the board as malware.

Here's what the vendor says if you want to take their word: NirBlog » Blog Archive » Antivirus companies cause a big headache to small developers.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Kaspersky already fixed it, it's not showing up on VT anymore.

BTW this is right in line with one of my gripes about certain engines, particularly BitDefender, Norton, and Microsoft. They frequently label hacking/piracy related tools with extremely generic malware sigs like Trojan.GenericKD or similar. Surely it's no coincidence that the same is true of those 3 engines for this sample.

This tool is borderline even to label as a PUA or a HackTool. Labeling it as a trojan should, I think, be considered a false positive, period.

(With regards to Kaspersky, it's really rare in my experience for them to mislabel a PUA as a generic malware detection, so I'll be a little more forgiving compared to WD or BD, who have a long track record of these misclassifications... Kudos to them for their quick response.)
 

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236

MacDefender said:
Based on what some of the other engines say, it seems like it's labeled as a hacktool because of its ability to reveal passwords already stored on the user's machine. I suspect this was probably used as part of some piece of ransomware to exfiltrate passwords from the browser, which is why it's now labeled across the board as malware.

Here's what the vendor says if you want to take their word: NirBlog » Blog Archive » Antivirus companies cause a big headache to small developers.
hi
it's weird that it's password protected, it makes me suspicious
and I appreciate your help submitting it to Kaspersky
I often submit samples but never get an answer, not even from ESET
thanks!
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779

FWIW, it's not signed either -- getting it properly digitally signed and working with AV vendors to get their certificate whitelisted is probably the right way, instead of just complaining on blogs. This app apparently has 4 KSN users per day at this point -- if an app with that low a prevalence is peeking into my browser passwords, IMO I'd expect a good AV to be suspicious.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
I ran it on AnyRun and it did nothing other than what was advertised. Zero outbound connections, so yeah, I would guess the VT results are false positives. It's still the developer's main responsibility to get that fixed, as in the end it boils down to the key factor, trust.

Btw, F-Secure (latest stable version 17.8) blocked it on the spot after extraction.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
upnorth said:
I ran it on AnyRun and it did nothing other than what was advertised. Zero outbound connections, so yeah, I would guess the VT results are false positives. It's still the developer's main responsibility to get that fixed, as in the end it boils down to the key factor, trust.

Btw, F-Secure (latest stable version 17.8) blocked it on the spot after extraction.

Interestingly, F-Secure only blocks the 32-bit version and thinks the 64-bit one is clean. It's labeled with a "PrivacyRisk.SPR" Avira signature, and is classified as a PUA with the option to trust it if you'd like. I think they should be classifying the 32-bit and 64-bit versions consistently.

I agree with your assessment, but will add: the ones that detect this explicitly as a PUA (in terms of being a privacy risk or HackTool) I think are acceptable. A password reader could be used in suspicious or legitimate ways, so labeling it as a PUA is probably accurate. But the ones that flat out label it as a trojan, that is a false positive for sure.
 

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
hi
but it's still flagged as malware: Bitdefender flags it as Trojan.GenericKD.34618188, McAfee as Artemis!3DB2A889BAE6, Norton as Trojan.Gen.2
even though I have sent it many times to Bitdefender as a false positive, they still flag it as malware

hi
are you a Kaspersky client (just for the fast answer)?
I'm an ESET client, I'm thinking of switching to Kaspersky soon, in January or February 2021, their database is really amazing
thanks
upnorth said:
I ran it on AnyRun and it did nothing other than what was advertised. Zero outbound connections, so yeah, I would guess the VT results are false positives. It's still the developer's main responsibility to get that fixed, as in the end it boils down to the key factor, trust.

Btw, F-Secure (latest stable version 17.8) blocked it on the spot after extraction.
hi, do you run it on a local machine?
AnyRun is one of the best, isn't it?
just the Searcher and Hunter versions are pricey
thanks
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
giulia said:
hi
are you a Kaspersky client (just for the fast answer)?
I'm an ESET client, I'm thinking of switching to Kaspersky soon, in January or February 2021, their database is really amazing
thanks
If it was to me, yes of course I am :)

Yeah, Kaspersky signatures are good, not so paranoid, and when they are, after reporting the false positive it is usually fixed...
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
giulia said:
hi
but it's still flagged as malware: Bitdefender flags it as Trojan.GenericKD.34618188, McAfee as Artemis!3DB2A889BAE6, Norton as Trojan.Gen.2
even though I have sent it many times to Bitdefender as a false positive, they still flag it as malware
Many NirSoft apps are flagged by Antivirus software. It's even mentioned on their webpage.

I recommend switching to a secure password manager after recovering your credentials. Don't let your browser store this information, unless you are explicitly sure.
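Since giulia's opening post asks what people use to export Firefox passwords, and Ink's advice is to recover the credentials into a proper password manager, here is an added example of doing that export without PasswordFox. This is not code from the thread, from NirSoft or from Mozilla: it reads the profile's logins.json and decrypts the username/password fields through Firefox's own NSS library via ctypes, then writes the result as a KeePass-importable CSV. The NSS library name and location, the profile path, the KeePass 1.x "generic CSV" column order and the sample logins.json below are assumptions or constructed fixtures (the fixture holds plain text instead of ciphertext so the parsing and CSV steps can be exercised without a real profile).

```python
"""Export Firefox saved logins to a KeePass-importable CSV.

Added example; not PasswordFox and not code from the thread. It reads the
profile's logins.json and decrypts the fields with Firefox's own NSS library
via ctypes. Library name, profile path and the CSV column layout are
assumptions stated below.
"""
import base64
import csv
import ctypes
import io
import json
from typing import Callable, List

# KeePass 1.x "generic CSV" import column order (assumption).
KEEPASS_CSV_HEADER = ["Account", "Login Name", "Password", "Web Site", "Comments"]

# Constructed fixture with the shape of logins.json. Real files hold base64 NSS
# SDR ciphertext in encryptedUsername/encryptedPassword; here they hold plain
# text so the parsing and CSV steps can be exercised without a profile.
SAMPLE_LOGINS_JSON = json.dumps({"logins": [
    {"hostname": "https://example.com",
     "formSubmitURL": "https://example.com/login",
     "encryptedUsername": base64.b64encode(b"alice").decode(),
     "encryptedPassword": base64.b64encode(b"hunter2").decode()},
    {"hostname": "https://mail.example.org",
     "formSubmitURL": "",
     "encryptedUsername": base64.b64encode(b"bob@example.org").decode(),
     "encryptedPassword": base64.b64encode(b'p"ss,word').decode()},
]})


def parse_logins(text: str, decrypt: Callable[[bytes], str]) -> List[dict]:
    """Turn logins.json text into plain rows using the supplied decrypt function."""
    rows = []
    for entry in json.loads(text).get("logins", []):
        rows.append({
            "site": entry["hostname"],
            "user": decrypt(base64.b64decode(entry["encryptedUsername"])),
            "password": decrypt(base64.b64decode(entry["encryptedPassword"])),
            "comment": entry.get("formSubmitURL") or "",
        })
    return rows


def to_keepass_csv(rows: List[dict]) -> str:
    """Serialise rows as a KeePass 1.x CSV; quoting every field keeps commas/quotes safe."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(KEEPASS_CSV_HEADER)
    for r in rows:
        writer.writerow([r["site"], r["user"], r["password"], r["site"], r["comment"]])
    return buf.getvalue()


class _SECItem(ctypes.Structure):
    _fields_ = [("type", ctypes.c_uint), ("data", ctypes.c_void_p), ("len", ctypes.c_uint)]


def nss_decryptor(profile_dir: str, nss_lib: str) -> Callable[[bytes], str]:
    """Build a decrypt function backed by NSS (nss3.dll / libnss3.so shipped with Firefox).

    On Windows nss3.dll depends on sibling DLLs in the Firefox install directory, so
    add that directory with os.add_dll_directory() before calling this (assumption).
    """
    nss = ctypes.CDLL(nss_lib)
    nss.NSS_Init.argtypes = [ctypes.c_char_p]
    nss.NSS_Init.restype = ctypes.c_int
    nss.PK11SDR_Decrypt.argtypes = [ctypes.POINTER(_SECItem), ctypes.POINTER(_SECItem), ctypes.c_void_p]
    nss.PK11SDR_Decrypt.restype = ctypes.c_int
    nss.SECITEM_FreeItem.argtypes = [ctypes.POINTER(_SECItem), ctypes.c_int]
    # "sql:" selects key4.db/cert9.db; very old profiles with key3.db would need "dbm:".
    if nss.NSS_Init(f"sql:{profile_dir}".encode()) != 0:
        raise RuntimeError("NSS_Init failed: wrong profile directory or NSS library?")

    def decrypt(blob: bytes) -> str:
        buf = ctypes.create_string_buffer(blob, len(blob))   # keep alive during the call
        inp = _SECItem(0, ctypes.addressof(buf), len(blob))
        out = _SECItem(0, None, 0)
        # Returns non-zero when a primary password is set and has not been supplied
        # via PK11_CheckUserPassword on the internal key slot first (not shown).
        if nss.PK11SDR_Decrypt(ctypes.byref(inp), ctypes.byref(out), None) != 0:
            raise RuntimeError("PK11SDR_Decrypt failed: is a primary password set?")
        try:
            return ctypes.string_at(out.data, out.len).decode("utf-8")
        finally:
            nss.SECITEM_FreeItem(ctypes.byref(out), 0)

    return decrypt


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # usage: export.py <profile_dir> <path to nss3.dll/libnss3.so>
        with open(f"{sys.argv[1]}/logins.json", encoding="utf-8") as fh:
            print(to_keepass_csv(parse_logins(fh.read(), nss_decryptor(sys.argv[1], sys.argv[2]))))
    else:                           # no profile given: run the pipeline on the fixture
        print(to_keepass_csv(parse_logins(SAMPLE_LOGINS_JSON, lambda b: b.decode())))
```

The decryption is kept behind a plain callable so the JSON parsing and CSV writing can be checked without touching a real profile; the CSV quotes every field, which matters because passwords routinely contain commas and double quotes. Note that this does exactly what PasswordFox does, so an AV engine that flags the NirSoft binary as a PUA would have equal reason to flag this script if it were compiled and dropped on someone else's machine.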
 

giulia

Level 5
Thread author
Verified
Nov 30, 2016
236
Ink said:
Many NirSoft apps are flagged by Antivirus software. It's even mentioned on their webpage.

I recommend switching to a secure password manager after recovering your credentials. Don't let your browser store this information, unless you are explicitly sure.
Hi
I use KeePass Professional under Windows, but under Mac KeePassXC (though I don't trust KeePassXC)
thanks
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
From a malware analyst's perspective: a lot of these tools by NirSoft are abused by malware or components of malware, e.g., information stealers that extract credentials from the infected system. So much so that hunting for malware by searching for certain NirSoft programs is a viable thing to do.

The detection as Hacktool/PUP is correct, because unless you installed the program on purpose, its presence on a system indicates a serious problem.
The detections as malware/trojan are not correct.

I suspect the main reason for the malware detections is systems which automatically create signatures. They determine that this is a crucial and common component of malware and malware behavior, so they flag it.

To answer OP's question:
You can safely download and use NirSoft products.
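As an added example of the hunting struppigel describes (not code from the thread, from NirSoft or from any AV vendor), here is a small Python script that walks a directory, identifies PE files, looks for the UTF-16LE strings NirSoft builds carry in their version-info resource, and records whether the file has an Authenticode certificate table, since MacDefender notes the PasswordFox binary is unsigned. The marker strings, the file-extension filter and the two constructed sample PE images are assumptions and fixtures, not signatures; a real hunt would combine this with known hashes and with the question struppigel raises, namely whether anyone installed the tool on purpose.

```python
"""Hunt for NirSoft utilities on disk and note whether they are Authenticode-signed.

Added example; not code from the thread or from NirSoft. The marker strings and
the sample PE images built below are assumptions/fixtures, not vendor signatures.
"""
import os
import struct
from typing import Iterator, Optional, Tuple

# Strings NirSoft builds carry in their VERSIONINFO resource / embedded URLs
# (assumption, based on CompanyName "NirSoft" and the nirsoft.net homepage).
NIRSOFT_MARKERS = ("NirSoft", "nirsoft.net")


def pe_security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (rva, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # skip PE signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory offset
    entry = dirs + 4 * 8                          # index 4 = certificate table
    if len(data) < entry + 8:
        return None
    return struct.unpack_from("<II", data, entry)


def scan_pe(data: bytes) -> dict:
    """Classify one file: is it a PE, does it look like a NirSoft tool, is it signed?"""
    sec = pe_security_directory(data)
    if sec is None:
        return {"is_pe": False}
    hits = [m for m in NIRSOFT_MARKERS
            if m.encode("utf-16-le") in data or m.encode() in data]
    _rva, size = sec
    return {"is_pe": True, "nirsoft_markers": hits,
            "has_authenticode": size > 0, "suspect": bool(hits)}


def hunt(root: str) -> Iterator[Tuple[str, dict]]:
    """Yield (path, result) for every suspect executable under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".exe", ".dll")):   # assumption: PE extensions only
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_pe(fh.read())
            except OSError:
                continue
            if result.get("suspect"):
                yield path, result


def build_sample_pe(company: str, product: str, signed: bool) -> bytes:
    """Constructed fixture: a minimal PE32 image with UTF-16LE version-info-style strings."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)     # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                        # PE32, 96 bytes
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 4 * 8, 0x1000, 0x800)           # fake cert table
    strings = b"\0\0".join(s.encode("utf-16-le")
                           for s in ("CompanyName", company, "ProductName", product))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + b"\0" * 16 + strings


if __name__ == "__main__":
    import sys
    for path, res in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        signed = "signed" if res["has_authenticode"] else "UNSIGNED"
        print(f"{path}: NirSoft markers {res['nirsoft_markers']} ({signed})")
```

The certificate-table check only tells you whether a signature blob is attached, not whether it verifies; on Windows, feed any hit to `Get-AuthenticodeSignature` or signtool for the real verdict. An unsigned, low-prevalence credential reader in a user's temp or download folder is the combination the thread agrees an AV should at least treat as a PUA.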
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
giulia said:
hi, do you run it on a local machine?
AnyRun is one of the best, isn't it?
just the Searcher and Hunter versions are pricey
thanks
AnyRun is a tool/service I can highly recommend for almost anyone. It's great for basic URL/link tests or, as in this case, a quick check on a piece of software. It has a free account option that works just fine.

Btw, when checking on VT again it seems that, for example, Bitdefender does not detect the file anymore, and I was curious enough to check F-Secure as well. This time, when tested locally with F-Secure's latest stable version 17.9, nothing! That confirms my initial check on this software with AnyRun, and it further confirms the answer from member @struppigel.

Update! I recalled the note from member @MacDefender about F-Secure only blocking the 32-bit version. Tested, and it's still the same, but with the option to either remove/delete or trust. In this specific case, if I personally wanted the software on my system, and given where I downloaded it from (its main source), I would click Trust. Then again, I normally always install 64-bit versions anyway.
 
