Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Once executed, the malware creates a copy of itself with the following name in the Windows directory:
It creates the following batch file in the current working directory; the batch file is used to delete the original file that the user executed:
The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:
The .SYS file is detected as Rootkit.Win32.Agent.SZ.
It deletes the following file:
Papras.DC creates the following process:
The following process and files are hidden by the installed rootkit driver:
The malware creates the following registry key:
The following values are modified:
The following functions are hooked in order to steal user information:
The malware sniffs for the following information:
Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:
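The behaviour chain above (a copy dropped into the Windows directory, a batch helper written to the working directory, a kernel driver installed from the Windows directory, a registry key added, an outbound HTTP connection) is more useful to a defender as a correlation than as any single indicator. The following is an added example, not part of the F-Secure description: it scores constructed endpoint telemetry per process against those five behaviours. The event field names, process ids, file paths and the `placeholder.invalid` host are all constructed placeholders, and the assumption that a driver install registers a key under `HKLM\SYSTEM\CurrentControlSet\Services` is a general Windows fact, not the key this description lists.

```python
"""Correlate the Papras.DC-style behaviour chain across endpoint telemetry.

Added example, not F-Secure's code. Every path, pid and host below is a
constructed placeholder; the telemetry shape (Sysmon-like dicts) is assumed.
"""
from collections import defaultdict

WINDOWS_DIR = "c:\\windows\\"

# Constructed telemetry. pid 4120 shows the full chain from the description;
# pid 5000 is benign installer noise (driver + service key, nothing else).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "file_create", "target": "C:\\Windows\\PLACEHOLDER_COPY.exe"},
    {"pid": 4120, "type": "file_create", "target": "C:\\Users\\user\\Downloads\\PLACEHOLDER_DEL.bat"},
    {"pid": 4120, "type": "file_create", "target": "C:\\Windows\\PLACEHOLDER_DRV.sys"},
    {"pid": 4120, "type": "registry_set",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PLACEHOLDER_DRV"},
    {"pid": 4120, "type": "network_connect", "target": "placeholder.invalid:80"},
    {"pid": 5000, "type": "file_create", "target": "C:\\Windows\\vendor_driver.sys"},
    {"pid": 5000, "type": "registry_set",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\vendor_driver"},
]


def _target(event):
    return event.get("target", "").lower()


# One predicate per behaviour named in the description.
INDICATORS = {
    "copy_in_windows_dir": lambda e: e["type"] == "file_create"
    and _target(e).startswith(WINDOWS_DIR) and _target(e).endswith(".exe"),
    "batch_helper": lambda e: e["type"] == "file_create" and _target(e).endswith(".bat"),
    "driver_in_windows_dir": lambda e: e["type"] == "file_create"
    and _target(e).startswith(WINDOWS_DIR) and _target(e).endswith(".sys"),
    # Assumption: driver installation registers a service key (general Windows behaviour).
    "service_key": lambda e: e["type"] == "registry_set" and "\\services\\" in _target(e),
    "http_connect": lambda e: e["type"] == "network_connect" and _target(e).endswith(":80"),
}


def score_processes(events):
    """Return {pid: set of matched indicator names} for every pid seen."""
    hits = defaultdict(set)
    for event in events:
        for name, predicate in INDICATORS.items():
            if predicate(event):
                hits[event["pid"]].add(name)
    return dict(hits)


def suspicious_pids(events, threshold=4):
    """Pids that match at least `threshold` of the five behaviours.

    A single driver install or a single .bat file is normal; the combination
    of self-copy, self-delete helper, driver, service key and HTTP beacon
    from one process is what the description characterises.
    """
    return sorted(pid for pid, names in score_processes(events).items()
                  if len(names) >= threshold)


if __name__ == "__main__":
    for pid, names in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(pid, sorted(names))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The threshold is deliberately below five so that a missed event (for example, the network connection being logged under a child process) does not silence the alert; tune it against your own telemetry volume.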