Type: Spyware

Destruction Level: Moderate

Prevalence: Moderate


Malware names:

Spy.Win32.SecondEye (Padvish)



What is spyware?

This type of malware is used to steal organizational personal information and espionage purposes. With spyware installed on the system, the user’s information is under constant threat from the security point of view, and there is a possibility of information theft and access by unauthorized people at any moment. Spyware is usually installed on the system secretly and out of sight of the user and performs their activities completely secretly. Spyware is often installed on the system by deceiving users on the Internet in the form of a useful application. Typically, this type of malware collects information about user activities on the system, especially passwords, credit card information, browser history, digital wallet information, and other security information such as keylogging or keys pressed by the user, clipboard contents, and captured images. They collect from the screen and send it to the malware server.

What is SecondEye malware?

The SecondEye malware is actually a Trojan from the category of spyware, which is presented in the form of a 20Speed VPN installer file, and after execution, along with the installation of the VPN program, it sends malicious files to steal the victim’s information, including the keys pressed by the user, the data in the clipboard. It creates and executes the information of cryptocurrency wallets on the system, and the browser’s data.

Technical description

Symptoms of contamination

  • The presence of executable and .bat files with the prefix “lib” or “sys” in the path “%LocalAppData%/Microsoft/WindowsApps”
  • The existence of a scheduling task to execute the executable file in the above path


Description of performance

After execution, SecondEye malware creates two categories of files as follows in the victim’s system:

The first category: a number of malicious files in the path “%LocalAppData%\Microsoft\WindowsApps”

The second category: is the VPN file named 20SPEED-VPN-v9.exe in the %Temp% path, which is a healthy file.

After creating the above files, the libCrt32.exe file is run from the first category, and the VPN file from the second category. Since the second file is healthy, the continuation of the explanation will be about the execution of the first batch of files.

Run the libCrt32.exe file

This file is also seen in some types of malware with the name sysCrt32.exe and its task is to hide the current process window and also to run the libCrt.bat file from the path “%LocalAppData%\Microsoft\WindowsApps”. libCrt file. bat, the code of which can be seen below, also creates a scheduled task called “Check libHourly32” to run the file “%LocalAppData%\Microsoft\WindowsApps\libBus32.exe”.

Next, part of the content of the libCert.xml file can be seen.

Run the libBus32.exe file

This file, which has been seen in some types of malware with the name SysBus32.exe, is similar to the previous executable file, first, it hides the current process window, then the libBus.bat file in the “WindowsApps” path with the remote server address and username and It implements the necessary passwords to communicate. The libBus.bat file is responsible for executing the main functionality of the malware.

Run the libBus.bat file

The commands in this file result in stealing the victim’s information and sending it to a remote server. In previous versions, these commands were saved and executed in the form of several files. But in the analyzed version, it is written in the form of a file.

Sending the stolen information to the remote server is done at most once a day. For this purpose, the malware compares today’s date with the date entered in the text file in the path %Temp% in each execution, and if there is no equality while inserting today’s date in the file, it prepares and sends the information to its server. The observed names for this text file are libCtl32.txt and sysCtl32.dat.

The actions performed by the libBus.bat file are as follows:

♦ Download the new version

The malware queries its server for the new version number of the program and compares it with the current version number listed in the lib_release.txt file in the “WindowsApps” path. If there is a new version, the Updt.zip file containing the new files of the program will be downloaded and decompressed, and finally, the compressed file will be downloaded and some old files will be deleted.

♦ Stealing pressed keys of the keyboard and clipboard (related to old versions of malware, analysis from the observed sample)

If present, the malware executes the two files libTemp32.exe and libCache32.exe from the Windows App path. Both files prepare a Python code during execution and execute it by loading and calling functions of the python.dll library. These two files are probably created either in the initial execution of various types of malware along with other files in the Windows App path or in the download made in the execution of the libbus.bat file. In the present analysis, these files were not created by malware, and the observed sample was used for analysis.

The libTemp32.exe file executes the following Python code with the aim of stealing the information in the clipboard. The obtained data is stored in a file called sys.tmp in the WindowsApps path.

The libCache32.exe file executes the following piece of Python code with the aim of stealing the keys pressed by the user, which leads to the creation of a hook for keyboard-type events on the victim system. The information collected in this way, including the pressed keys along with the time of receiving this event and the name of the process window receiving this event, is stored in a file named boot.tmp in the WindowsApps path.

♦ Collection of login information related to Google Chrome (related to old versions of malware, analysis from the observed sample)

The malware reads the login information stored in the Google Chrome browser from the path “%LocalAppData%\Google\*Login Data” and using the executable file named libchrome.exe, extracts the data stored in it and stores it in a file named %Temp Saves %\ChromeData.txt. The libchrome.exe file is probably created either in the initial execution of different types of malware in the Windows App path or in the downloads made in the execution of the libbus.bat file. In the current analysis, the observed sample is used.

♦ Extract information about Firefox

The libBus.bat file saves information about the Firefox browser, including the following files, in a new folder called firegetz. Then it compresses this folder and sends it to the remote server.

  • cookies.sqlite
  • cert8.db
  • cert9.db
  • key3.db
  • key4.db
  • logins.json
  • signons.sqlite

In the old version of Firefox, these files are in the path “%APPDATA%\Mozilla\Firefox\Profiles\*default\*” and in the new version of this program, the files are in the path “%APPDATA%\Mozilla\Firefox\Profiles\*default-release\ *” are located.

♦ Send list.txt

The libBus.bat file also prepares the information of the following files in the form of a file named list.txt and sends it to the remote server:

  • .zip files in %AppData% path
  • coinCoinomi.zip file in %LocalAppData% path
  • Files named Firefox.zip.* in %AppData%/Mozilla path

♦ Cryptocurrency wallet information

The malware compresses the data of cryptocurrency wallet applications including Exodus, atomi, Jaxx Liberty, Guarda in the %Appdata% path and Coinomi in the %LocalAppData% path and sends it to its server.

Digital currency wallet information

♦ Sending files with the extension .doc, txt, jpg, png in the %AppData% path

Sending files with the extension .doc, txt, jpg, png

The obtained information is uploaded in the form of the following files to the remote FTP server of the malware and then deleted from the victim’s system. In the analyzed example, the remote server address of the malware is

The file name content
ChromeData.txt username and password information registered in the Google Chrome browser



Sending files related to Firefox browser
logz.zip The contents of the boot.tmp file includes the log of keys pressed by the user, which is compressed and sent under the name logz.zip.

The contents of the sys.tmp file includes the data log in the victim’s clipboard, which is compressed and sent under the name sys.zip.




The contents of this file include the information of the following files:

  • .zip files in %AppData% path
  • coinCoinomi.zip file in %LocalAppData% path
  • Files named Firefox.zip in %AppData%/Mozilla path
atomic.zip Atomic digital wallet information
Exodus.zip Exodus digital wallet information
com.liberty.jaxx.zip  Liberty digital wallet information
Guarda.zip Guarda digital wallet information
Coinomi.zip Coinomi digital wallet information




The contents of the Mozilla/Firefox path in the %AppData% path are compressed (if the files are large, they will be sent as multiple compressed files)

All_Of_ txt.zip


All_Of_ png.zip

All_Of_ jpg.zip

Files with the extension doc, txt, jpg, png are compressed in the %AppData% path


How to deal with and clear the system

Padvish antivirus detects this malware and removes it from the system.

In order to prevent possible infection with this malware, it is recommended to avoid receiving files from unreliable sources that can lead to a system infection.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>