Analysis Date: 2015-12-24 16:02:40
MD5: fdf0ba2c323257b606767fc910d4043d
SHA1: 3fa34f0dadfca1eebc07bafaf123ede6286a069e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e3b4ba3b12cf6afeaa29c7eb2e79fa81 sha1: 35bc31eaa1107a548d00f905c2c60b80879a8c43 size: 73728
Section .rdata md5: af6390add89f89378db28d4302df282f sha1: d34d9c25e083e1287f584c608a0b67e7e71ba0a7 size: 12288
Section .data  md5: 7456921e759c8c0855daf5d70f3e52fc sha1: 97c23e7e7ffd6c230bec2e2eb55b496876809fbd size: 126976
Section .rsrc  md5: 446c8893914179d4760afaa9c84383ce sha1: bbf2c66687ee2b407877535ae4396cd6f68e219c size: 115712
Timestamp: 2015-01-20 08:31:49
Version info:
  LegalCopyright: Copyright (C) 2000-2014 JetBrains s.r.o.
  InternalName: phpstorm.exe
  FileVersion: 8.0.1.PS
  CompanyName: JetBrains s.r.o.
  ProductName: PhpStorm
  ProductVersion: 8.0.1.PS-138.2001.
  FileDescription: PhpStorm
  OriginalFilename: phpstorm.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 9d9564d143771142a26ccb1128b4e20eb4d4abd4
IMPhash: 221679b9f88e2fc8e4ad69216bcc7273
AV Ad-Aware: Trojan.Lethic.Gen.1
AV Grisoft (avg): Worm/VB.CLHP
AV Symantec: Trojan.Cryptdef!gen13
AV CAT (quickheal): TrojanRansom.Crowti.MUE.A4
AV Microsoft Security Essentials: Worm:Win32/Dorkbot.I
AV K7: Trojan ( 004b43e11 )
AV ClamAV: no_virus
AV Twister: Trojan.Girtk.CVSW.busc
AV Zillya!: Worm.Ngrbot.Win32.6358
AV Authentium: W32/Rovnix.A.gen!Eldorado
AV MicroWorld (escan): Trojan.Lethic.Gen.1
AV Dr. Web: BackDoor.IRC.NgrBot.42
AV BullGuard: Trojan.Lethic.Gen.1
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV Mcafee: Ransom-FVA!FDF0BA2C3232
AV Rising: no_virus
AV Emsisoft: Trojan.Lethic.Gen.1
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Worm.Ngrbot.2715
AV Eset (nod32): Win32/Kryptik.CVSW
AV Fortinet: W32/Kryptik.CVSW!tr
AV Alwil (avast): Crypt-RXH [Trj]
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): Win32/Dorkbot.KcQGaF
AV F-Secure: Trojan.Lethic.Gen.1
AV MalwareBytes: Trojan.FileLock
AV BitDefender: Trojan.Lethic.Gen.1
AV Arcabit (arcavir): Trojan.Lethic.Gen.1
AV Avira (antivir): TR/AD.Dorkbot.Y.225

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Process: C:\WINDOWS\system32\calc.exe
Creates Process: C:\malware.exe
Creates Mutex: SSLOADasdasc000900

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\44d4_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Manager ➝
  C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Manager ➝
  C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\c731200
Deletes File: C:\\Documents and Settings\All users\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Deletes File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Creates Process: C:\WINDOWS\system32\mspaint.exe
Creates Mutex: SVCHOST_MUTEX_OBJECT_RELEASED_c000900

Process
↳ C:\WINDOWS\system32\calc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c731200

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180

Process
↳ C:\WINDOWS\system32\mspaint.exe

Network Details: