Analysis Date: 2015-02-01 01:51:01
MD5: bb9275c9258ccefdbdc4e6a811c21da8
SHA1: 0bfba231e4c6c3e0b5277a47d6315921d93b5c36

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 972dbac0e72e8887b5888b93a5f4f491 sha1: 12e57fde4ca916e7512738f82db664e42a4a8f54 size: 121344
Section .rsrc: md5: 52890967ec83591b4ff61923d7044b58 sha1: ad8d12547b2979c3273c75b884b02ed18b26f859 size: 15360
Timestamp: 2007-09-08 06:39:05
Version:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 10b0464d998b2fa5dc3d096e1be2f56fb8977e45
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12617853
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.Generic.12617853
AV Authentium: W32/SYStroj.AA.gen!Eldorado
AV Avira (antivir): TR/Rogue.137728.18
AV BullGuard: Trojan.Generic.12617853
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Zhou
AV Emsisoft: Trojan.Generic.12617853
AV Eset (nod32): no_virus
AV Fortinet: PossibleThreat
AV Frisk (f-prot): W32/SYStroj.AA.gen!Eldorado
AV F-Secure: Trojan.Generic.12617853
AV Grisoft (avg): Generic21.AQLW
AV Ikarus: Virus.Win32.Agent
AV K7: Backdoor ( 04c4c8501 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Generic.dx
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 54272
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)

Strings