Analysis Date: 2014-11-28 11:06:32
MD5: 4fae3375b754b90b86d0d81613166f1a
SHA1: 1178a8c99c73e85ad9c0d34dd6ba20d8f9bdbab2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0f81ab0f480e3aa73506585fa8534416 sha1: 3cef9e5cae60147625f9d561679e00eb64eb4e7b size: 156672
Section .rsrc md5: adf762234a30e2660b9421666c5101fe sha1: b9f46cc7031d59e403ca154a997eaadd5c1a530d size: 16384
Timestamp: 1991-12-27 04:45:56 (predates the 2003-2008 copyright range in the file's own version resource, so it is not a trustworthy build time and should not be used for dating or clustering)
Version:
LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: 88e4bbc2fc40f1673bf2fa90ca9fe3ca4e8febe4
IMPhash: 09d0478591d4f788cb3e5ea416c25237
Packed-file caveat: the section hashes, the imphash and the strings listed at the end of this report describe the PeCompact container, not the unpacked program. The only plaintext imports visible in the strings (kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree) are the minimal set a packer stub needs to allocate memory, decompress the payload and rebuild the real import table, so the imphash will cluster with other PeCompact-packed files rather than with other builds of the same program. Comparisons against this sample should be made on the unpacked image.
AV 360 Safe: Trojan.GenericKD.1990657
AV Ad-Aware: Trojan.GenericKD.1990657
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Trojan.GenericKD.1990657
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: Trojan.GenericKD.1990657
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1990657
AV Grisoft (avg): no_virus
AV Ikarus: Backdoor.Win32.Clack
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent.PEC
AV Mcafee: Proxy-Agent.bk
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy
Detection summary: 12 of 29 engines flag the file; the other 17 (among them Microsoft, Symantec, Sophos, Trend Micro and ESET) report no_virus. Five of the twelve share one generic signature (Trojan.GenericKD.1990657); the named verdicts (Backdoor.Win32.Clack, W32/Clack.K!tr.bdr, Trojan.Proxy.3764, Proxy-Agent.bk, Trojan.Proxy) all describe a proxy or backdoor component, which is consistent with the version resource's claim to be Freegate, a censorship-circumvention proxy client. Nothing in this report distinguishes a genuine Freegate build from a repackaged one, so the verdict to carry forward is "proxy/tunnelling tool, packed", not a specific family attribution.
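How the per-section hashes and the Timestamp field above are derived, and the plausibility check worth running on that timestamp, as an added example. This is not the sandbox's own code (which would normally use pefile); it is a standard-library reimplementation so it runs anywhere. build_demo_pe constructs a minimal, non-executable PE32 image carrying the report's 1991-12-27 04:45:56 timestamp (assumed UTC) so the parser can run offline; its section contents, sizes and digests are filler and are not the sample's. The function names and the demo image are assumptions of this example.

```python
import hashlib
import struct
from datetime import datetime, timezone

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (coff_timestamp_utc, [section dicts]) for a PE image held in memory.

    Only the DOS header, COFF header and section table are read; that is enough to
    reproduce the 'Section ... md5/sha1/size' and 'Timestamp' fields of the report.
    Raises ValueError on a truncated or malformed header rather than hashing a short
    slice and reporting a wrong digest.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    if coff_off + COFF_HDR.size > len(data):
        raise ValueError("COFF header truncated")
    _machine, nsections, stamp, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    table = coff_off + COFF_HDR.size + opt_size
    if table + nsections * SECTION_HDR.size > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name!r} extends past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return datetime.fromtimestamp(stamp, tz=timezone.utc), sections


def is_well_formed(data):
    try:
        parse_sections(data)
        return True
    except ValueError:
        return False


def timestamp_is_plausible(stamp, copyright_from_year, analysis_year):
    """A COFF timestamp outside [first copyright year, analysis year] is not a build
    time. A packer that rewrote the header and deliberate tampering both produce this,
    and such a value must not be used for dating or clustering."""
    return copyright_from_year <= stamp.year <= analysis_year


def build_demo_pe():
    """Construct a minimal, non-executable PE32 image (assumption: a stand-in for the
    sample, which is not reproduced here) so the parser can run offline. The COFF
    timestamp is the one in the report; section contents are filler."""
    text = b"\x90" * 64 + b"\xc3"                 # constructed filler, 65 bytes
    rsrc = b"Freegate Application\0"              # constructed filler, 21 bytes
    e_lfanew, opt_size = 0x40, 0xE0               # PE32 optional header is 0xE0 bytes
    hdr_end = e_lfanew + 4 + COFF_HDR.size + opt_size + 2 * SECTION_HDR.size
    text_off = (hdr_end + 0x1FF) & ~0x1FF         # 512-byte file alignment
    rsrc_off = (text_off + len(text) + 0x1FF) & ~0x1FF
    stamp = int(datetime(1991, 12, 27, 4, 45, 56, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = COFF_HDR.pack(0x14C, 2, stamp, 0, 0, opt_size, 0x0102)     # i386, 2 sections, EXE|32BIT
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)           # PE32 magic, rest zeroed
    sects = (SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
             + SECTION_HDR.pack(b".rsrc", len(rsrc), 0x2000, len(rsrc), rsrc_off, 0, 0, 0, 0, 0x40000040))
    img = dos + b"PE\0\0" + coff + opt + sects
    img += b"\0" * (text_off - len(img)) + text
    img += b"\0" * (rsrc_off - len(img)) + rsrc
    return img


if __name__ == "__main__":
    stamp, sections = parse_sections(build_demo_pe())
    print("Timestamp", stamp.strftime("%Y-%m-%d %H:%M:%S"),
          "plausible for a 2003-2008 product analysed in 2014:", timestamp_is_plausible(stamp, 2003, 2014))
    for s in sections:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

For a real file, `stamp, sections = parse_sections(open(path, "rb").read())` gives the same fields the report prints. On a PeCompact-packed file like this one the digests are of the packer's container sections; run the same parser on the memory-dumped or unpacked image before comparing against other Freegate builds.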

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Which of these are sample-specific: the three index.dat files and all four mutexes (the c:!...! cache-container names and WininetConnectionMutex) are created by wininet.dll for any process that calls the WinINet API, the \Device\Afd\ handles are opened by Winsock for any process that uses sockets, and PIPE\lsarpc is the LSA RPC endpoint, so none of them identify this sample and none should be used as an IOC. What deserves follow-up is the Internet Settings activity (a value named Dgdebdtf = 5120, which is not a standard Internet Settings value, next to a ProxyEnable access recorded as NULL; the report does not say which of the two were reads and which were writes) and the handle opened on PhysicalDrive0, which the report does not explain.

Network Details:

DNS: w64.ziyoulonglive.com (A)
DNS: w65.ziyoulonglive.com (A)
DNS: w61.ziyoulonglive.com (A)
DNS: w62.ziyoulonglive.com (A)
DNS: w63.ziyoulonglive.com (A)
DNS: d9d4e4d8f6d15f8e9144790d2535acbe9b836bf8.b8ad30e2fbd85ee166305d4a3d050103f5d53c5f.4.ziyouforever.com (MX)
DNS: a11dc67acf7f3ef918efe1891df600b0e34a495a.810351957273c6655ef3f1442b15b7614d365305.4.ziyouforever.com (MX)
DNS: 1b5bdbe29aa0a4e23c9aa968b0cde593590c54c2.d4dccb8e56068e84f3c8146751aa11445d16547a.4.ziyouforever.com (MX)
DNS: 1fdbe982e1fadc2fe691659d9b4461d25d8c66a2.af86b3438c0d4271d841902637adaa0f20906d57.4.ziyouforever.com (MX)
DNS: bbfc8823b46b04936e956db1434feadff9ab0703.fa176bff04094a5d004a1b2b6b3e6e6a55d8a25a.4.ziyouforever.com (MX)
DNS: b93b3bf0ad894ffaca2c5ec433e6882cfb6cb4d0.e3f52096a0b0792870e379d81c1546773d5fd604.4.ziyouforever.com (MX)
DNS: cf1d23c4ca7291cf8e043f307c1bb4d28d4aace4.840efea3e49818dc3f1e4526b6a064193dac7e6a.4.ziyouforever.com (MX)
DNS: a5cb43e77c4e581965290cd29a74390be79cccc7.323237750fb52b3ed971c8ff800390349df41b29.4.ziyouforever.com (MX)
Query pattern: five A lookups for w61 to w65 under ziyoulonglive.com, then eight MX lookups for names of the form <40 hex characters>.<40 hex characters>.4.ziyouforever.com, each label pair used exactly once. The page does not show what the hex labels encode or what the answers were. Per-query unique labels are never answered from cache, so each lookup is forwarded to the zone's authoritative server whatever resolver the client is using; that shape (long hex labels, one-shot names, MX type from a host that sends no mail) is the durable indicator, the two domains are not.
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP: 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP: 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP: 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP: 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP: 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP: 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP: 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP: 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP: 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP: 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP: 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP: 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP: 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP: 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP: 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP: 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP: 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP: 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP: 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP: 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP: 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP: 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP: 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP: 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP: 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP: 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP: 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP: 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP: 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP: 192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP: 192.168.1.1:1035 ➝ 175.181.114.173:443
Flows TCP: 192.168.1.1:1036 ➝ 1.161.151.225:443
Flows TCP: 192.168.1.1:1037 ➝ 118.169.168.243:443
Flows TCP: 192.168.1.1:1038 ➝ 122.121.11.111:443
Flows TCP: 192.168.1.1:1039 ➝ 114.43.197.79:443
Flows TCP: 192.168.1.1:1040 ➝ 114.27.38.18:443
Flows TCP: 192.168.1.1:1041 ➝ 36.224.10.251:443
Flows TCP: 192.168.1.1:1042 ➝ 64.235.32.206:53
Flows TCP: 192.168.1.1:1043 ➝ 129.66.95.3:53
Flows TCP: 192.168.1.1:1044 ➝ 141.151.0.68:53
Flows TCP: 192.168.1.1:1045 ➝ 211.10.204.5:53
Flows TCP: 192.168.1.1:1046 ➝ 64.80.255.251:53
Flows TCP: 192.168.1.1:1047 ➝ 128.30.52.200:53
Flows TCP: 192.168.1.1:1048 ➝ 208.101.39.236:53
Flow summary: source ports 1031 and 1033 each send UDP/53 to the same eight hosts (38.99.76.229, 88.85.74.8, 211.115.66.121, 192.88.195.10, 202.27.17.253, 63.90.67.11, 209.191.16.131, 143.166.82.252); source port 1032 sends UDP/53 to 44 distinct hosts, every one of them in 38.0.0.0/8; then eight TCP connections go to port 443 and seven to port 53, to addresses the report does not tie to any DNS answer (it lists queries only). A host using its configured resolver shows one or two UDP/53 destinations, so the port-1032 sweep, the repeated probing of a fixed set of eight "DNS servers", and the direct-to-IP TCP connections on 443 and 53 are the behavioural indicators here; the individual addresses are not.
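The two network behaviours above, the one-shot MX names and the UDP/53 fan-out, written as detection logic that can be run over query and flow logs. This is an added example, not part of the report or of any sandbox's code. The log line formats are constructed; the sample lines reuse names and addresses from this report (a subset of the port-1032 targets) plus two made-up example.com controls; and the patterns generalise the observed names (w followed by any digits rather than exactly w61 to w65, any digits for the "4" label), which is an assumption.

```python
import re
from collections import defaultdict

# Name shapes taken from the report's DNS section. Assumption: the numeric parts vary.
HEX40 = r"[0-9a-f]{40}"
MX_PATTERN = re.compile(rf"^{HEX40}\.{HEX40}\.\d+\.ziyouforever\.com$")
A_PATTERN = re.compile(r"^w\d+\.ziyoulonglive\.com$")

# Constructed query log: "<time> <client> <qtype> <qname>". Names are from the report;
# the timestamps and the two example.com control lines are made up.
DNS_LOG = """\
11:06:40 192.168.1.1 A  w64.ziyoulonglive.com
11:06:40 192.168.1.1 A  w65.ziyoulonglive.com
11:06:41 192.168.1.1 MX d9d4e4d8f6d15f8e9144790d2535acbe9b836bf8.b8ad30e2fbd85ee166305d4a3d050103f5d53c5f.4.ziyouforever.com
11:06:41 192.168.1.1 MX a11dc67acf7f3ef918efe1891df600b0e34a495a.810351957273c6655ef3f1442b15b7614d365305.4.ziyouforever.com
11:06:42 192.168.1.1 A  www.example.com
11:06:42 192.168.1.1 MX example.com
"""

# Constructed flow log: "<proto> <src> <dst>", a subset of the report's flow table.
FLOW_LOG = """\
UDP 192.168.1.1:1031 38.99.76.229:53
UDP 192.168.1.1:1031 88.85.74.8:53
UDP 192.168.1.1:1032 38.35.193.158:53
UDP 192.168.1.1:1032 38.65.238.191:53
UDP 192.168.1.1:1032 38.121.7.4:53
UDP 192.168.1.1:1032 38.52.86.4:53
UDP 192.168.1.1:1032 38.90.52.20:53
UDP 192.168.1.1:1032 38.8.89.139:53
UDP 192.168.1.1:1032 38.229.52.56:53
UDP 192.168.1.1:1032 38.124.246.93:53
UDP 192.168.1.1:1033 38.99.76.229:53
TCP 192.168.1.1:1034 175.181.101.252:443
TCP 192.168.1.1:1042 64.235.32.206:53
"""


def classify_query(qname, qtype):
    """Tag one query: the two sample-specific shapes first, then a generic heuristic
    (a label of 32 or more hex characters carries data, it does not name a host)."""
    name = qname.lower().rstrip(".")
    if qtype == "MX" and MX_PATTERN.match(name):
        return "freegate-mx-lookup"
    if qtype == "A" and A_PATTERN.match(name):
        return "freegate-a-lookup"
    if any(re.fullmatch(r"[0-9a-f]{32,}", label) for label in name.split(".")):
        return "hex-encoded-label"
    return None


def scan_dns(log):
    """Return [(qname, qtype, tag)] for every flagged query in a log."""
    hits = []
    for line in log.splitlines():
        _time, _client, qtype, qname = line.split()
        tag = classify_query(qname, qtype)
        if tag:
            hits.append((qname, qtype, tag))
    return hits


def udp53_fanout(log, min_targets=5):
    """Distinct UDP/53 destinations per source socket. A stub resolver talks to the one
    or two resolvers it is configured with; many distinct 'DNS servers' reached from a
    single source port is a server-discovery sweep using port 53 as cover."""
    targets = defaultdict(set)
    for line in log.splitlines():
        proto, src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if proto == "UDP" and dst_port == "53":
            targets[src].add(dst_ip)
    return {src: sorted(ips) for src, ips in targets.items() if len(ips) >= min_targets}


def slash8s(ips):
    """Collapse a target list to /8s; the report's port-1032 sweep is entirely 38.0.0.0/8."""
    return sorted({ip.split(".")[0] + ".0.0.0/8" for ip in ips})


if __name__ == "__main__":
    for qname, qtype, tag in scan_dns(DNS_LOG):
        print(f"{tag:20} {qtype:3} {qname}")
    for src, ips in udp53_fanout(FLOW_LOG).items():
        print(f"{src} -> {len(ips)} distinct UDP/53 targets in {slash8s(ips)}")
```

The domain-specific patterns will stop matching the moment the operator rotates domains; the hex-label heuristic and the per-socket fan-out count are the rules to keep, with min_targets tuned against the resolvers your own hosts legitimately use.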

Raw Pcap (first bytes captured from each TCP stream)
0x00000000 (00000)   1603                                  ..     (8 streams)
0x00000000 (00000)   02                                    .      (7 streams)

16 03 is a TLS record header (content type 22 = Handshake, protocol version 3.x), so the client opened these eight streams with a TLS ClientHello; the count matches the eight TCP connections to port 443 above. The seven streams that begin 02 match the seven TCP connections to port 53; a single byte is not enough to say what protocol they carry, and the report shows no more of them.

Strings
.
.
*
..
V...
.`
.
,.
.
.
.
.
h..
.
S>
z
~
K.
..
.
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
=&}$!0`<
07)In@
0aIcm.
0dH2GT
"0dJ]@
("0D:J
0!FQWo
0hjiza
0!j@K-
0N~sVs
^0rn "
0RR$}Q
&0s8dl
0sXEnGuI
^0tF$;
@0_U&:A!P
\0UDk,
~188881~
1-_In}j!~
1sh G3
2/1lL(
!2_3r`
24L$T]
2Fn@8V
2HI~JN
@^2I]	[
2lwix`|{
2\<(-MUUVVVV
2	ofjYuD
 2 (+q
2R3hk^
,2u9Fhx
2}V&AW
2zp+b@w'
3=/8r}6721
38X.&?{
39dap*
3D)/h-
3)|fzP
3gkIf%
%3JCXT
3lpAn3EH9mg
3p2<Au
3UNDaf
4@*`8,"RVg
	`*4,e
4,e2@ZQZ
4)h@(A
4>|O:8
4ue8-V
4@(VRSM
4w)0VL
4x<^*`
4yw{:.Xz
<'50$nE|Rj
56789abc
)5c]J?y@9
=5K[Y2
@<5_)uv
61B2/=ST
64Ix}1:
$6 BF8/Z
	6"JD^r
&6J-<W
;6NMB(
6u|xP.
6ZE8] 
721j^^
 7d!@;
7lJQC|o
7:t nGW
7VaPMulaAz
7-X	qT
\8	"1Br
8;2 9O
~8880000/01
!8dxo#`
&8<$IX
8r1"s*
	;8`V\=
8z"HCDK
/91.k4
9$5	f,~
9O|-JD6
9p"9C'
9UQ@Cu
A6\/:lA
a8zb_D
AdHA`W
ahGETE
AL;IRF
al<KXZ
AN@;S+
aQhDh'
^\aqxd(
AR_1J]y
A>z>"A
!Azb8%
B *2:dJ
^(ba0)
)baL8q{x
BCDEFGH
&B)d<	6H0
BExplv
<  bfN
bG b)u[
bIckQg
b^[j>B
Bk)TrDf
BO}iBt
BRJL2"
buRgjK
bv@r<8
b:(V_y ?
BXmdZ=4
%\C6@'
C<#@d(7
#CDWdd
cD]YcP!0y
cF,gW<	Zeyo
C"/ic"
c IK8J
cIoI d
/C=;w(
@--|/d
D0V'hY
!d 10P)k
d>3@m"
d4E8h#[_
[D8:))
\]!d<]"F
d`gx\Fp+8
)`dh]#
d@HoFp
diu)6>-
djy6)MHlBmh
++D"kD
D L!PQr
%D:n:[dp
*dNxf1
<!DOCTYP
"(dPLK
DrC'DL
d%RysI
@dv'-;Y
dw:~!c
:d-@x|
)$}E0>o!
E`21e,e
<_e2Mb
E@5PH&=
>E>6Eq
e6h.z_E
'E8Rt\
 e[	\{(.b
EB?,49X
e`(bMKT
e-^C\#`Q`]%6-
eIE[iF
 EMPF;
en<>1lcCM$
e`rL2gat
.ER|wH
E-TIB(fDQ
e/%x-C!
;EzHriS
(F !($
+f=`5~	
%(f#B5J
fcAeb	a{("\DWR
$"fdE(
^"fDpz
[?FF,@
 F	<(F<3F<AF<OF
 F-<+F"6
F<+F<9F<GL
fFghij
fItkOx*
 F	iXar
<]F<kF<yF<
FounB&bip
:Fq*_r
=,=fR(-iB
FRJnb/fDZ
</f&T_
G0,^`R~
G''+9T
GetProcAddress
G(}gUhrt
gh b/-
G|J(	V(x
@go(P6o
GOq KpU
GS<[H0
GW<bZ9
Gx0q6S
h>2@eY
h3qU!=
H4|WD*
 HC, xG|
h-CyQL<A
: HDSN=z
hdWTZis
*#HE^jx
(/HeTxlH5
<HF<VF<dF)r
hgY6	.
Hh:LHd
hIa	Qy
"HIPHt
 =HJ NK
HJu37gK1
H ~NE3v
houKan
}:h<*p
H<QI|L
HR%!PA6
Hsr-t|
HTzsS,
( H-(u
HY0ql;
hysPal
'\HZ~~
I1=l5df
I8G?Q 
Ia\vx*/
IbL'pA71WJv
i)fy(	US
iH$s.fl
)II|_vB
IJH[z}
IJKLMNOP	QXYZ
ilEDf4O
iOH`"1
i@@@,-P
ISD<O 
i XOd.U
I'xpG +
I%zD>	P
i@;ZYd
J$2ny2Ed
jb&	'_
j@!D4xvj
Jm4!$A
^Jnpey
?j:`oi
%jPVEF
jQ2GT_
j`Q_L 
J+rU	_
:Js.<!
JWO}WPt
jX3pu$cQ
K)0DC'
k3dieL)8c
KA5, !
kb`6m M
KbPUR8_
#kD&H"P+
kernel32.dll
K!h$^{m
kI`-nT
KLS1E>!)
KmLu,8
knBOB"
ks.abpx?F 
K[_vBd#H>D0
K-vI^M
kWh0TB
{'@kxBd
L2!F	@$:H4
%l8G8B828381v
le(mJ2s k[
" $,Lf	@@
l>+H8k
L<h:(Lg}
LL?4v4
LLXJID
Lo(3:A
LoadLibraryA
LoOPgSV
l+!yYx
MaRMx[ey;H<N
~mde&J@
 media;3.
}meg^C
m\lK8H
MLKDc: 
M)SN -
MSVCR&
`{("my|tt}
'N\1/S
N34;2#
n9r:[,8)"-C
N?bM0q+
n<B^O\
/:NF>\
ngTOb\
\NHIPIO
nicmpp
NI.^]IK%
NrT&^>3.r
\nxyZxn(
!N^ZA"
OC]A`b}A
,O);I'!
/O&N3ZX
'oR_1"
orVPU9
OT2#X&P$
otaS>8D
oW4:)y
OW6a"E
P~2( h)
p2Io	nO@
P_4,-&
^p5p6E7D
\p7&Y{
p-9fOIVI
#Pa=^0
P"DD.$
PEC2=O
PGd'RL
pMP,f9
#pn0@C
poFJ\'7
pOFQV&RW0{
$pqpZ@
P<R@<!X
P S(K,%
P`'U22
P-@U@VAVX
?	P@UxfK
PUYri4P
PV_d*b%sy^
p'^V"g
pxSf|J
pzD@ND
Q449d.
Q81l62
 |Qahfo=
Q~|irK
q:K]iTSB
?qKRtb
q>l.G_"
qN8oc=
QR4J)Q
QRkH{&/
Q{`R{r:d
qt3H)p
QX]kfmgzC
QxvuMNR
*r2,)pN
R30KD:!
R)5e$9	
;+rDdC']
R]I|0+
R"IQ}\
RM[,D?
|rqH8e
r\rVV/_&
.R|Te/w
 rTp"r
R;VP{,_
r-	W pZ
S0-Wq2
{S2:$V;k*d>W
SAEiEv
**s_,B-
SeJnp9e
sE!U:d
>s*HX5
sjA&nx
S&l	lc
S!NL	B7
S;-+P5**
)SP#"QR
S=P-S3HPm
SrC9IDvpK
STUVWXYZ
SVBwY\3
.sVm0E@
SZZ4Zb
_T4B\M
t7_)SF
t"9S6f
`#TaH;
t'&+cld
T#Dl9\
TF*-8U
T]	fgs
!This program cannot be run in DOS mode.
th'pI7
t"jD`L
TKUVd#
(tl1EPBxyF/
To(3_A
@tPE&MFd
<T)|Qe
tTfdgLh
tX6h0R
tYV~NA
>u"1:F
 u|91_
U99+_@
U)AD7&v$u
	ud94p
U@Dh$0;Z
(=uDRG
uK@]tOshD
u&L^I$
%@um[%
uM3!]-|
umxxmu
%uQ [0M
<uS$-Ds
USQWVR
+`uT9uw
~UUjE\
UVVVWX
uvwx8yz./
uwVj^ 
V4^[WY
v9hXRw
/vA'Qva
vbeR6}7N4B
VirtualAlloc
VirtualFree
|ViVvF|
vjBI\B
vjcYMb.DA
(v*NQY
VPBQR6
 VPS1o
/vtDYv
V Wj?tf
VWKlVd%
	,V{Yszm
w,DDH!
WD-t4^
"wD|uM
wFh*us
@Wh`6k@
=wT!6@
w)tWyR
WV<-$t
W^w[ip
~WXG*(
`(wY)L,0
x1W7IN
*x3Ff5
xb_`0V
^"XfPqR
X-Pow~
?,(x<PP
x$|rQe
%xx@LeI
xY ~r4
Xz'M^V
Y]= +]
{*YAt:
>Y-&|DD
Yf?bVw
*yN{-}U
ypK({F
.yQ=rRb6
Y^rSG#
YRUAzhdJ'L
~z8Q)u
Z?bd1u
zI{"X 
Zn&o8-U	j
^Z+<Xf
Z^_Y[]