Analysis Date: 2015-01-31 15:09:33
MD5: 1949f194022e4cdd73281c42944cdbdf
SHA1: 0f4f7c6d8c5e79cbdea04c7678a80e356d32fc9a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 3b6db62c921f5bf0cb9b60b6feac7d5b  sha1: 08f146bceed54746254b3289c06d9e7bf2f76c42  size: 122368
Section .rsrc  md5: 015791734560dd5ae5c7489ec737167b  sha1: 1e33ef8be2bf0e5dead9f1bd105363178a40babd  size: 14848
Timestamp: 2007-11-19 01:00:20
Version info:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: ceade4b538f2f394d9cc15c11419f602cfc7f61c
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV results (12 of 29 engines flag the sample; the rest report no_virus):
  360 Safe                       no_virus
  Ad-Aware                       Trojan.Generic.12599827
  Alwil (avast)                  no_virus
  Arcabit (arcavir)              Trojan.Generic.12599827
  Authentium                     no_virus
  Avira (antivir)                TR/Rogue.138240.16
  BullGuard                      Trojan.Generic.12599827
  CA (E-Trust Ino)               no_virus
  CAT (quickheal)                no_virus
  ClamAV                         no_virus
  Dr. Web                        Trojan.Proxy.3853
  Emsisoft                       Trojan.Generic.12599827
  Eset (nod32)                   no_virus
  Fortinet                       W32/Agent.BK!tr
  Frisk (f-prot)                 no_virus
  F-Secure                       Trojan.Generic.12599827
  Grisoft (avg)                  no_virus
  Ikarus                         Virus.Win32.Agent
  K7                             Backdoor ( 04c4de821 )
  Kaspersky                      no_virus
  MalwareBytes                   no_virus
  McAfee                         Proxy-Agent.bk
  Microsoft Security Essentials  no_virus
  MicroWorld (escan)             no_virus
  Rising                         no_virus
  Sophos                         no_virus
  Symantec                       no_virus
  Trend Micro                    no_virus
  VirusBlokAda (vba32)           Trojan.Proxy
Five of the twelve detections return the identical name Trojan.Generic.12599827, which indicates a shared engine rather than five independent verdicts; the remaining names are generic (Agent, Rogue, Backdoor) or describe a proxy agent (Dr. Web, McAfee, VirusBlokAda), in line with the version info naming the program freegate.
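
The section hashes, sizes and link timestamp above are derived from the PE header and section table. The following Python script, added here and not taken from the sandbox that produced this report, recomputes them with the standard library only, so the values can be re-checked against a copy of the sample or against the unpacked binary (where the section table will differ). The `build_test_pe` helper constructs a throwaway PE32 image so the block runs offline; it reuses the report's timestamp value and assumes the sandbox renders TimeDateStamp in UTC.

```python
"""Recompute the static details a sandbox derives from a PE header: link
timestamp plus per-section size, MD5 and SHA1.  Added example (standard
library only); it is not code from the sandbox that produced the report."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B


def hash_bytes(raw: bytes) -> tuple:
    """(md5, sha1) hex digests of a byte string."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def pe_static_details(data: bytes) -> dict:
    """Parse e_lfanew, IMAGE_FILE_HEADER and the section table of a PE image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    sec_table = opt_off + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes); only the first five fields are needed
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # SizeOfRawData bytes on disk
        md5, sha1 = hash_bytes(raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "md5": md5, "sha1": sha1})
    # TimeDateStamp is seconds since the Unix epoch; rendered here in UTC,
    # which is an assumption about how the sandbox displays it.
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {"machine": hex(machine), "pe32": magic == PE32_MAGIC,
            "timestamp": when.strftime("%Y-%m-%d %H:%M:%S"), "sections": sections}


def build_test_pe(sections, stamp: int) -> bytes:
    """Constructed input: a minimal PE32 image with the given sections.  Its
    headers parse correctly but it is not a loadable or runnable program."""
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, len(opt), 0x0102)
    hdr_len = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                 # 512-byte file alignment
    sec_hdrs, body, va = b"", b"", 0x1000
    for name, content in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), va,
                                len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content
        raw_ptr += len(content)
        va += (len(content) + 0xFFF) & ~0xFFF
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sec_hdrs
    headers += b"\0" * (((hdr_len + 0x1FF) & ~0x1FF) - len(headers))
    return headers + body


if __name__ == "__main__":
    # Same TimeDateStamp value as the report (2007-11-19 01:00:20 UTC), two sections
    image = build_test_pe([(b".text", b"\x90" * 300), (b".rsrc", b"RSRC" * 10)], 1195434020)
    for key, value in pe_static_details(image).items():
        print(key, value)
```

Run against the real file, the script should reproduce the two section lines and the timestamp above. Keep in mind what those values describe: with a PECompact-packed sample, the two sections, the tiny kernel32 import set visible in the Strings section (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, ExitProcess) and therefore the IMPhash all characterise the packer stub, not the original program, so they will match other PECompact-packed files and should not be used as a family indicator.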

Runtime Details:

Screenshot: (image not reproduced)

Process:
  ↳ C:\malware.exe

Registry:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 37888
  HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File:
  C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  C:\Documents and Settings\Administrator\Cookies\index.dat
  PhysicalDrive0
  PIPE\lsarpc
  \Device\Afd\Endpoint
  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex:
  c:!documents and settings!administrator!local settings!history!history.ie5!
  WininetConnectionMutex
  c:!documents and settings!administrator!cookies!
  c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The index.dat files and the c:!...! mutexes are WinINet cache initialisation, which matches the ProxyEnable read under Internet Settings; Dgdebdtf is not a standard Internet Settings value name. \Device\Afd\Endpoint is a Winsock socket being opened, and PhysicalDrive0 is a handle to the raw first disk.)

Network Details:

DNS (type A):
  w62.ziyoulonglive.com
  w63.ziyoulonglive.com
  w64.ziyoulonglive.com
  w65.ziyoulonglive.com
  w61.ziyoulonglive.com
Flows (UDP):
  192.168.1.1:1031 ➝ 195.133.91.136:53
  192.168.1.1:1032 ➝ 195.102.98.252:53
  192.168.1.1:1032 ➝ 195.108.61.214:53
  192.168.1.1:1032 ➝ 195.170.121.250:53
  192.168.1.1:1031 ➝ 198.32.252.58:53
  192.168.1.1:1032 ➝ 195.183.250.98:53
  192.168.1.1:1031 ➝ 153.19.102.182:53
  192.168.1.1:1032 ➝ 195.18.244.95:53
  192.168.1.1:1032 ➝ 195.190.112.99:53
  192.168.1.1:1032 ➝ 195.194.242.48:53
  192.168.1.1:1031 ➝ 64.71.218.3:53
  192.168.1.1:1032 ➝ 195.237.79.62:53
  192.168.1.1:1031 ➝ 83.234.232.1:53
  192.168.1.1:1032 ➝ 195.1.213.224:53
  192.168.1.1:1031 ➝ 141.151.128.68:53
  192.168.1.1:1032 ➝ 195.62.192.46:53
  192.168.1.1:1032 ➝ 195.89.165.180:53
  192.168.1.1:1032 ➝ 195.222.59.109:53
  192.168.1.1:1031 ➝ 81.19.69.17:53
  192.168.1.1:1032 ➝ 195.247.86.195:53
  192.168.1.1:1031 ➝ 211.63.185.180:53
  192.168.1.1:1032 ➝ 195.131.179.145:53
  192.168.1.1:1032 ➝ 195.76.10.202:53
  192.168.1.1:1031 ➝ 195.133.91.136:53
  192.168.1.1:1032 ➝ 195.212.37.21:53
  192.168.1.1:1032 ➝ 195.147.126.46:53
  192.168.1.1:1032 ➝ 195.218.22.22:53
  192.168.1.1:1032 ➝ 195.197.237.63:53
  192.168.1.1:1032 ➝ 195.250.245.78:53
  192.168.1.1:1032 ➝ 195.219.60.140:53
  192.168.1.1:1032 ➝ 195.29.177.106:53
  192.168.1.1:1032 ➝ 195.103.156.96:53
  192.168.1.1:1032 ➝ 195.30.42.232:53
  192.168.1.1:1032 ➝ 195.141.164.196:53
  192.168.1.1:1032 ➝ 195.107.88.211:53
  192.168.1.1:1032 ➝ 195.217.149.182:53
  192.168.1.1:1032 ➝ 195.185.21.73:53
  192.168.1.1:1032 ➝ 195.144.198.107:53
  192.168.1.1:1032 ➝ 195.182.223.10:53
  192.168.1.1:1032 ➝ 195.158.165.86:53
  192.168.1.1:1032 ➝ 195.229.64.10:53
  192.168.1.1:1032 ➝ 195.221.88.172:53
  192.168.1.1:1032 ➝ 195.112.65.102:53
  192.168.1.1:1032 ➝ 195.26.28.33:53
  192.168.1.1:1032 ➝ 195.46.118.113:53
  192.168.1.1:1032 ➝ 195.139.114.52:53
  192.168.1.1:1032 ➝ 195.65.150.213:53
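
The notable behaviour in the flow list is not the five hostnames but the lookup pattern: the sandbox host sends UDP/53 queries from just two source ports (1031, 1032) to more than forty distinct servers, most of them in 195.0.0.0/8, instead of to a single configured resolver. The Python script below, added here and not part of the sandbox output or of the analysed program, turns that observation into a check that runs over flow records in the report's own format. The allow list, the threshold and the 10.0.0.x control host are assumptions for illustration.

```python
"""Detection logic for the DNS behaviour in the flow list above: one host
sending queries to many distinct servers on UDP/53 instead of its configured
resolver.  Added example; it is not code from the sandbox or the analysed
program.  The allow list and threshold are assumptions to be tuned per site."""
import re
from collections import defaultdict

# Accepts the report's "Flows UDP192.168.1.1:1031 ➝ 195.133.91.136:53" form
# as well as a plain "UDP 192.168.1.1:1031 -> 195.133.91.136:53" form.
FLOW_RE = re.compile(
    r"^(?:Flows\s*:?\s*)?(?P<proto>UDP|TCP)\s*(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s*(?:➝|->)\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

# Flow records copied from the report (sandbox host 192.168.1.1), followed by
# two constructed lines for a host that only talks to its local resolver.
SAMPLE_FLOWS = """\
Flows UDP192.168.1.1:1031 ➝ 195.133.91.136:53
Flows UDP192.168.1.1:1032 ➝ 195.102.98.252:53
Flows UDP192.168.1.1:1032 ➝ 195.108.61.214:53
Flows UDP192.168.1.1:1032 ➝ 195.170.121.250:53
Flows UDP192.168.1.1:1031 ➝ 198.32.252.58:53
Flows UDP192.168.1.1:1032 ➝ 195.183.250.98:53
Flows UDP192.168.1.1:1031 ➝ 153.19.102.182:53
Flows UDP192.168.1.1:1032 ➝ 195.18.244.95:53
Flows UDP192.168.1.1:1031 ➝ 64.71.218.3:53
Flows UDP192.168.1.1:1031 ➝ 83.234.232.1:53
Flows UDP192.168.1.1:1031 ➝ 195.133.91.136:53
Flows UDP10.0.0.7:49152 ➝ 10.0.0.2:53
Flows UDP10.0.0.7:49153 ➝ 10.0.0.2:53
"""


def parse_flows(lines):
    """Return one dict per recognised flow line; other lines are ignored."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def dns_fanout(flows, allowed_resolvers=(), threshold=5):
    """Map each source host to the sorted set of DNS servers it queried that
    are not on the allow list, keeping only hosts above `threshold` servers."""
    servers = defaultdict(set)
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == "53" and f["dst"] not in allowed_resolvers:
            servers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in servers.items() if len(dsts) > threshold}


def source_port_reuse(flows, src):
    """Distinct source ports a host used for its DNS queries.  The report shows
    only 1031 and 1032 across all servers, i.e. two sockets reused for the
    whole sweep."""
    return sorted({f["sport"] for f in flows if f["src"] == src and f["dport"] == "53"})


def analyse(text=SAMPLE_FLOWS, allowed_resolvers=("10.0.0.2",)):
    """Parse the records and return the fan-out verdict per offending host."""
    return dns_fanout(parse_flows(text.splitlines()), allowed_resolvers)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    for host, dsts in analyse().items():
        print(f"{host}: {len(dsts)} distinct DNS servers, "
              f"source ports {source_port_reuse(flows, host)}")
```

On a network where clients are expected to use the corporate resolver, the allow list holds that resolver and the threshold can be low; on the full flow list above the verdict would list all 46 distinct servers for 192.168.1.1. The w61 to w65.ziyoulonglive.com names queried belong on a watchlist alongside it, but the fan-out check is the more durable signal because it fires regardless of which names a future build resolves. Whether the program itself is hostile is a separate policy question: its version info names it freegate and three engines call it a proxy agent, and the report alone does not settle that.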

Raw Pcap

Strings:
!.
P
...
.
.H=
.t*.,
:
/
g
.
.
..
..
i.
040904b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2003
FileDescription
FileVersion
freegate
freegate Application
freegate.EXE
freegate MFC Application
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
*(\<)*
0123456789abcdefp
048<!@DH
0BobSq
0-f.sIQ
:0,K@3
0LQuoW
0(PQEX
0r]fz4
~188881~
1I:S0H,
1k!Fs<P
1VQ(hl
]2_	2|
~26z$tq)
$27<FKPU
2<A;#r
|2GetN
2@gZHL
2IHjj7R{	
2Itl4V
2\<(-MUUVVVV
2-sA&F kP
3/8626
3Gh (g2
'3+?Kc
3Nq tyAy2
3"oMoz
]3-OS-
4[0u:j
4f1eXu`j:
4i'$U V]0
@:4zDD
5bE/`N
5Hm,tu
;5uKCP9
5~Z/[@
=6l2=S
[&;6pR
@7D0~4
7-J&0SLG
7Q_YB 
	7:t G
80FLkV
~8880000/01
8)dfjT
8I@VnI 
8L&$)&
9et$k$
9upMSVCR
A7S5DObj=
Ab	a(\W^%
( aDL6
aE4uf0
APR~&2E+
A!x@s}
<a|z~	DMO
b0z	<D
B)6MHh
%&bBcCJ
bc8BFm
(B'dD}
(b/EL$
b\INII
B OhT?:j0
"b:Q%)ugj
BRq9'C
%?]c41
c?9HLfu
@;(CFu7
Ctl-AU
,cu{JA:
,cVF:S
cZJhsKa
D.0(v'(Q9^
d|9t[z
^Dai:xUu
D:,aXG
\`ddhlptD0P
D  fQz
dG829O
,DHj:_@L
(DI)5c
DJYdjy
dKVS*;]N
DLu	BP
D_-QbQ
dtwip01@gm
DUV Wj?.
}'Dz\/
<D,*Z\]
 $>.+E
>E>6Eq
E!erU2
E|H]9[t 
EH!c@h
E HMLU'
eIeH(`Xh
E$R	9_^
et37SI
euvwz/D
ExitProcess
e%Xo!Fi[
F\%2fi
F(8;r[
FB*B8l#
)FCb W
f	;;*G\
FG(YQ)
)fL ] 
FRAM}]Q
&=|F,tD
$ft[k	<
fX"B8S
g=5cIP
 @g(6c
,G6TaRY
G''+9T
GC3,raw
GetProcAddress
`giYrHoKS
g}j}30F
@Gj%S>+
!GL97WD	
^|Gpi$R
	gs/q.
GuidADouX
GWjn\K*
h;=~%=
h7V&(?
Handle
&HB@Gq
hCb!\	V8D[
Hd	<60*
hD)B\I
hdWTZis
HeWVk>
HFCF'?4
HG@~	_rS
hjiza*
HP'_t 
Hthyj([`
.{Ht(P
H:)U2PMS@s~
H"Ws:R
HX--<hXP
I0/k0 =
i._/5`
I`6JZXcx@
.i7qY"
:iBL2Z
I(C)20-
IFW~).
I'	$(g
I^maFv>
i@@@,-P
]IP_wy
irtual
}I`.ud
(I=ykD
i@;ZYd
j4da@,
 J>]bX
JD7g1Ni
j	=gC2
$J}HfH(Q,n/
JKaD:-
JL(DhVNM
[J?<W{
jWJq^%?Uh
KANN3.
Kc @(0
kernel32.dll
KK`,pj(V
$K<L]bPUR8
K%qC:\
l8EN qu	">
L8!t[]
,L.Jx_
LoadLibraryA
lR}Y~l)
LSQ1,!J
LT,RD%
)l!tTN3
m0@DMk
M9	lK!y
mCx^P[B
.md #u
MLKDc: 
"mS&3cS
Ms!J9@*O:
>mWBjP
N34;2#
N3exb,m4
n	7'CQ
nDm^|Io
n?{ihl
nimp^<
N*J\lx
+*,\nL
^+n!O;
nO jhP
NOPQXYZs_lB
n.t jRe
n#TMTU
N.\@)u
n=xcL/
nzCV$<(
O@8yv,Kb
O`F,[P
OI];c$
.(Okwn
OpenGe|[
o|%s:d5
{OUjV*
o,UWub
|P @0	
P4_	Q	%
p_AQQf
pA Y_r
P/C-nc
pCPTIjo
Pd1XcF".Tq
P#EgXd
PhWL~f
PhysPalZ
PI^lWZC
pIo	n@U
pjd^XRLF@
pjGxXp~e
Pkernel32
	pn0GU"
POS]qI
\P	Tv|
pUA7vu
P-@U@VAVX
Px=_-?.
Q!_0K-q
Q4,(jD
\q6ABCDqGJKLM
"QB(R8
q/NScc
,qwI;pw
q!X>}`
QX]kfmgzC
?Q_Z1u
R0SVbhd*
rdct.h
+rDs:~N
Rest2@
R:	fh3
R`~'"H
	r`H2$$
RhNYuD
r	KXLf
,$R+:p
?rsgb231uP
RSTUVW
rthlnk
RW[r/H
Ryk$i)H{RQ
,~S* <#
s49" J
s.apx?b
Sh-HHv
$Sk,wg
SOFARE
S;-+P5**
s$|QXz
sx%b-(
S'Ykph@
t4IQE 
|tCN&u
tectyN
.tGNM|
!This program cannot be run in DOS mode.
#%toKH$
Tp,xX'd,
\ts?D[
?Tt#FS
-t\|uH
TVhref#
tVU(H>
U02}^<
>uBIC"-/W3
 $UhZ,U
'uIp^RWhC
umxxmu
USQWVR
u:u)C}[(?9
UVVVWX
ux|*Nx
V"3Wzl7
?v=62`"RJ
!^V`7t
V-DSN 
viCS}d
VirtualAlloc
VirtualFree
vjBI\B
V`PB2@
@ VPSo
V}rV0*
VTNWhiMs
&w:8w/
<w+bp9
"wH[f?F
~wH/P*
w<l IEZ7
-WPXLB
 WQ+{r
x5~NHj	
	 	XaJL
XAR!L	Fh
x/\;(au
x/locme
|Xl}P6
@.xMe64D
;xor/dl
XPLOR.
 XpxPJXR
X\xF<j
xy1B"w
x#>ziK
xZyoQfw
y0@F6GZ
Y0Hi4/
y!4hfzH~i:4Kp
<Y/B'@2
Y)ba8qx
@Y^Dfe)
) y:iF-
YodulA
`(Y@P*L@t
yR)!!3
y|utng2h$
 Yy* q
 ()^yzGcS
YZrWN8
/Z_}`@
Z{0Ejx
; &:Zd
Zm5abi
ZNH@yO
z/\nx8PKy
Z^_Y[]