Analysis Date: 2014-12-19 13:39:51
MD5: 33eae01294b4c2a9165f03f7f014fd9b
SHA1: 2bb1285981087e3ef1f8475b9418d7c310551ed4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: be86db93560b53ee0860e207fa60cc74 sha1: 7242ceb5157ab4f86658ce391157595976e2a413 size: 139776
Section .rsrc: md5: c40f670c25b2b5b8dda532cd2ddc369a sha1: 331d153424248aeeb5f52e9230c196d37942fa5e size: 17920
Timestamp: 2008-07-29 22:55:23
Version:
LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: c94136959181ad7ad975791a9c140203d2936269
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.OIFK-7062
AV Avira (antivir): BDS/Rogue.158720
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Clack.r2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): BackDoor.Generic_c.ACLR
AV Ikarus: Backdoor.Win32.Clack
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic BackDoor!b2h
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Asprox.B
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: 477635c6a93ae11a29b105bba4559614fd3d70f2.308b688e833019781fa8b0cf521b192a7b54bf45.4.ziyouforever.com (Type: MX)
DNS: 14058c70dca2b915a30ad6f8daacd1f0ae4ec944.45133081098bca3b6151f72b136060492e2bf90d.4.ziyouforever.com (Type: MX)
DNS: a4135d32af6abfde273ea6b47e5b5ed31e581806.36db364a8dbfba77c5a67808de5f903dd918097e.4.ziyouforever.com (Type: MX)
DNS: 646627db32f6c14f4338cd31e61ee35fde2d62ef.ab4748dbe9b9d1f25de3c5845d245b73f67f5e13.4.ziyouforever.com (Type: MX)
DNS: 3df9f493fdcedc85fc71d4785f5c5fcf87b2b1a7.647f551156f0c8bbe4a17914a13c68060a39b061.4.ziyouforever.com (Type: MX)
DNS: 79e0d291db1e1fa739370d4cae5f2d71c3ab97a5.42af963393b6118f15a20baa8e9ea25acbfc7622.4.ziyouforever.com (Type: MX)
DNS: 23dd1785591416c1266a2801082cab78999652b1.c0a59f558ceb34c2b3d18da32c12ff0b43d48959.4.ziyouforever.com (Type: MX)
DNS: 0d1f806dce46f4a6dcb331c19b1e59abb754c559.57f77d3276322d0220e37f70dd16963f3c96544f.4.ziyouforever.com (Type: MX)
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP: 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP: 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP: 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP: 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP: 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP: 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP: 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP: 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP: 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP: 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP: 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP: 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP: 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP: 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP: 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP: 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP: 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP: 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP: 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP: 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP: 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP: 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP: 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP: 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP: 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP: 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP: 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP: 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP: 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP: 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP: 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP: 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP: 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP: 192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP: 192.168.1.1:1035 ➝ 175.181.114.173:443
Flows TCP: 192.168.1.1:1036 ➝ 1.161.151.225:443
Flows TCP: 192.168.1.1:1037 ➝ 118.169.168.243:443
Flows TCP: 192.168.1.1:1038 ➝ 122.121.11.111:443
Flows TCP: 192.168.1.1:1039 ➝ 114.43.197.79:443
Flows TCP: 192.168.1.1:1040 ➝ 114.27.38.18:443
Flows TCP: 192.168.1.1:1041 ➝ 36.224.10.251:443
Flows TCP: 192.168.1.1:1042 ➝ 64.235.32.206:53
Flows TCP: 192.168.1.1:1043 ➝ 129.66.95.3:53
Flows TCP: 192.168.1.1:1044 ➝ 141.151.0.68:53
Flows TCP: 192.168.1.1:1045 ➝ 211.10.204.5:53
Flows TCP: 192.168.1.1:1046 ➝ 64.80.255.251:53
Flows TCP: 192.168.1.1:1047 ➝ 128.30.52.200:53
Flows TCP: 192.168.1.1:1048 ➝ 208.101.39.236:53

Raw Pcap
0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .


Strings
F
.
8
-
..+
.
.f[.x
...
e.-....
.L.
...)
..
..
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
|({{	*
)@@*(,(
)0[%5=
+(0i+C
}0 JGc
+_0u[P
0zyY"VHB
%1^_-/
1@.0,L
~188881~
?"18YI
1|aI~%|
1i/R9d
1;uBDtqf B
1{~^[Y
27Q Py
2Is(Ye
2\<(-MUUVVVV
2Q}69|ad
"2yQF.^
3b&~~nb
3y<O5:
/4b?V8
4CP]Ok
4h_R7aw
:4t>QV
?4?y57
5BNyXW
5XY~';
'|5yWve
6<fh1&
6%Gsc<
6HMF~@ 
<_6@[l0?
6mF{?P
77j>l_v
)7|[8.
7bjO]y
7ryKi1D
7uE_bp
"8;7b@4c
~8880000/01
^8F1KA0
9Kkh66
$9oE/!
|9pVmQ7 1q
9`Q$bf78D
/9`tGn
A1Protect
aAwkGNH
adt}SK
"AECqQp
a{H1-$
AP.=6%
Application err
ASPKN^
^\aUp=
}[=a"w
!AxrYW
ba\?'(
$babep
|bDaw/
(BE,7_
b+OxS 
bu+O#D
+C2*o 
cCHM)=b
Ci)S/$`
CKi,Dj
corrupt.
CzF=E1mq
d1+#.P
D9X-7l
/dc,@E
Dfh	yLRX
#dm=;|v
<-d+t@
*!`D|V
E3t<W8
>E>6Eq
ec=KGlZ
eD1Gtx
e DLL %s4ordinal %d
(]&E#h
ehVKJQ
Eiy6z9r
#Ek}>Y
}EM5^\E
!}Eo7T
er@C~S
erK;X 6W
e+``Tr
eveb)L
ExiRNC
F7y{"A
\}fA[H
'f!#kyP*
Fn-"d{
FP!O7',P
FUBp94
fUe22.8
FVEbhD0
g-1D\Z
g:1wB'
g=4eS<
g@9-jg
G''+9T
GetModul
GetProcAddress
GI8-y)
Glr&<R;
|GoFhy1Y-B
Gq^>`m
G[U:FW
|gZ-~T/'
hdWTZis
HeSime
H\G66?
hGVWG?
HP9"E*
H+"pI:U
 Hqf1(0
+hQZ?<
i8aWh%
&iB@Ro
i/'d9,
ID_w=f
IO_|0"NL
i@@@,-P
^iSe#[5
i@;ZYd
$"{J,:
j]*'N3
jo_ApbZG7P
<J,RW	
J$*SyX
JZWO1lr
.K2.=G
K!2r2h
kernel32
kernel32.dll
kLa`F(
K'q1:^
(kV1$	
K>z|{x
$L$/|%
Lao=94
>*LC[viMo@"
.lEZZ[
ln_7Hf
LoadLibraryA
loseHandle
lr	hp4
Lrl$(l
LT%Hh\
/LVst8^Q<
m2i?4kn
+M3?:\q
MaU#^D
MessageBoxA
Mf3 ;*
m:i,5o
MLKDc: 
|[=mO5
M)rL:R,
msvbvm
<=M*T3
M!yYJuVv
N34;2#
N4Qqct
n,<9X+
ndeo5c
NJTLk%
NK]MW4(
nn_yZ|
N)}/@Q
|#ns2'
NuO5}M&peS
NX\T_j
ny	K%iiL
 #O`#\{
!-oDHd
oiH C 
o[M'tp
ON1!AiB^
OnK+2U
} Oo-l
o	\RSE
ORZ1!'
O!]vBD
o(@^-Y
pan{>|E'Emk
Paww	1X
PEC2=O
PECompact2
\[pLzF
pnVGtggSL
@p+%P5
Pq<rVG
P-@U@VAVX
&&Pwt[<
pw$*X]
,pYPo+
/pyWb8
q/~]8Q
Qb}hq v
q+d8[/-4
q#,I ~4
}|Q/I+8
qKbWf*
& {q<t
qW:6z`
QWXa+R
QX]kfmgzC
Q'&ZGc%
R1`qd 
Rd	>3a
R'dA"#
re %s could not be located in thU
RInkAl
r'=KH&
&"rTI_
R: u6K
^@Rv#t=
rw>>#<
|	RXIufw[
rZ6&>}
s0KWQ&
S7k[84
`S@.oh
S;-+P5**
sUSY,J0
S~XnU[
SzFI9w
T+afD9
t*/&dD
;tDyZCw
tfJ!]g
The procedu
!This program cannot be run in DOS mode.
(t+i>R
T|LjSHx
t`[-V7tZ
TWl:En
tWvN(30
TYmMiC
u4R$xa/
uggerPresent
UH`wxR
umxxmu
USQWVR
UVVVWX
Uw'{bds
,U=?xE.0
uXyg5E#&
u?Zm]>
v"_03E
vaZ#eH
vFam_O
V+fUkt
(_v|G4
vG\tfy@
Virtual
VirtualAlloc
VirtualFree
vjBI\B
VKfeHM
%V	*,%N
vQJn%5
&	)VSQ1w
.|#%'W}*
w"5LwwM
/*W~8(
w^9||H|-X
w!EG*u
:wGm]@
WO_u@E.
wsprintfA
ww>dV7
Xe5FR\
}x+m&&
xS"G4!^
Xw`v:w
Xx]dCa{<
Xy]n/G
y"^%/=
Yb|qTp
y}lG$]
Yp~[zf
.Yr|SHX
]yXYH!
z]3b+]
~z/C~E
ZG?"%P
Z?Ja)Kl
^Z"j. q
*z$#O"
zW"?gi9%D
zXr;SCI
Z^_Y[]