
Windows Analysis Report
bpaymentcopy.exe

Overview

General Information

Sample name: bpaymentcopy.exe
Analysis ID: 1566523
MD5: 5205be9a501dae770c6e557b5fdaeebc
SHA1: a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256: aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
Tags: exe, Payment, user-cocaman

Detection

HawkEye, MailPassView, PredatorPainRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected PredatorPainRAT
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • bpaymentcopy.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
    • bpaymentcopy.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
    • bpaymentcopy.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
      • Windows Update.exe (PID: 5272 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
        • Windows Update.exe (PID: 728 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)
          • WerFault.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052 MD5: C31336C1EFC2CCB44B4326EA793040F2)
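The process tree above, read together with the signatures "Creates a process in suspended mode (likely to inject code)", "Drops PE files" and "One or more processes crash", gives a SOC engineer three concrete hunting patterns: one binary re-launching copies of itself with the same hash, a copy of that binary dropped under %APPDATA% with a Windows-sounding name and executed, and a WerFault.exe launch whose -p argument names the crashed copy. The following Python is an added example, not part of the Joe Sandbox report; the event records are constructed to mirror the report's tree using Sysmon Event ID 1 style field names, the launcher of the first process (ppid 0 here) and all timestamps are not in the report, and the function names are the author's own.

```python
"""Hunting logic derived from the process tree of this report (added example).

Records are constructed from the report's tree; field names follow Sysmon
Event ID 1 (pid, parent pid, image path, command line, hash) but the data
is synthetic apart from the pids, paths and hashes printed in the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_MD5 = "5205be9a501dae770c6e557b5fdaeebc"    # submitted sample (report)
WERFAULT_MD5 = "c31336c1efc2ccb44b4326ea793040f2"  # WerFault.exe (report tree)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the launched executable
    cmdline: str
    md5: str      # hash of the image on disk, lower-case hex


DESKTOP = r"C:\Users\user\Desktop\bpaymentcopy.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Windows Update.exe"

# Constructed from the report's process tree; ppid 0 marks the launcher it omits.
EVENTS = [
    ProcEvent(6616, 0, DESKTOP, f'"{DESKTOP}"', SAMPLE_MD5),
    ProcEvent(6696, 6616, DESKTOP, f'"{DESKTOP}"', SAMPLE_MD5),
    ProcEvent(6468, 6616, DESKTOP, f'"{DESKTOP}"', SAMPLE_MD5),
    ProcEvent(5272, 6468, DROPPED, f'"{DROPPED}"', SAMPLE_MD5),
    ProcEvent(728, 5272, DROPPED, f'"{DROPPED}"', SAMPLE_MD5),
    ProcEvent(7104, 728, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052", WERFAULT_MD5),
]


def _index(events):
    return {e.pid: e for e in events}


def lineage_root(pid, idx):
    """Walk up while the parent runs a binary with the same hash; return the top pid."""
    e = idx[pid]
    while e.ppid in idx and idx[e.ppid].md5 == e.md5:
        e = idx[e.ppid]
    return e.pid


def self_relaunch_lineages(events, min_size=3):
    """Group processes into same-hash lineages and return {root_pid: [pids]} for
    lineages with at least min_size members. One re-spawn of the same image is
    normal for installers; three or more copies of one hash, some started
    suspended, is the injection pattern the report flags."""
    idx = _index(events)
    groups = defaultdict(list)
    for e in events:
        groups[lineage_root(e.pid, idx)].append(e.pid)
    return {root: pids for root, pids in groups.items() if len(pids) >= min_size}


def dropped_self_copies(events):
    """Return (pid, image) for processes whose hash equals the parent's but whose
    path differs: the parent wrote a copy of itself elsewhere and launched it."""
    idx = _index(events)
    hits = []
    for e in events:
        p = idx.get(e.ppid)
        if p and p.md5 == e.md5 and p.image.lower() != e.image.lower():
            hits.append((e.pid, e.image))
    return hits


_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def crashed_processes(events):
    """Map each WerFault.exe launch to the image of the process named by its -p
    argument; here that is the second 'Windows Update.exe' instance (pid 728)."""
    idx = _index(events)
    out = {}
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = _WER_PID.search(e.cmdline)
            if m and int(m.group(1)) in idx:
                out[int(m.group(1))] = idx[int(m.group(1))].image
    return out


def known_hash_hits(events, md5s=frozenset({SAMPLE_MD5})):
    """Cheapest check of all: any execution of a hash listed in the report."""
    return sorted({e.pid for e in events if e.md5 in md5s})


if __name__ == "__main__":
    print("lineages:", self_relaunch_lineages(EVENTS))
    print("dropped copies:", dropped_self_copies(EVENTS))
    print("crashes:", crashed_processes(EVENTS))
    print("known hashes:", known_hash_hits(EVENTS))
```

The hash match is the only check tied to this specific sample; the lineage and dropped-copy checks key on behaviour (same hash re-launched, same hash run from a new path under the user profile) and will also catch a rebuilt binary with a different hash, which is why they are worth more than the IOC list on a page like this.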