Windows
Analysis Report
bpaymentcopy.exe
Overview
General Information
Detection
HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected PredatorPainRAT
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
bpaymentcopy.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
bpaymentcopy.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
bpaymentcopy.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
Windows Update.exe (PID: 5272 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
Windows Update.exe (PID: 728 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
WerFault.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052 MD5: C31336C1EFC2CCB44B4326EA793040F2)