Analysis Date: 2015-02-01 00:06:58
MD5:  4d820ba630837353aa6b5ff79080d270
SHA1: 2caece68b9ac03dbed359bfddcde30ade9bf101c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: f28e1123781be6f279abe7a6211c8527  sha1: 93861c0338b2f2bf5304377a6ae01e36569385e3  size: 110592
Section .rsrc  md5: 4abe96b2f0b0f2ebd86ffb422814680e  sha1: 8db1cea7134fa1cb524ddd762322efe02c2583d9  size: 15360
Timestamp: 2007-10-28 05:12:30
Version info:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName: (empty)
  PrivateBuild: (empty)
  LegalTrademarks: (empty)
  Comments: (empty)
  ProductName: freegate Application
  SpecialBuild: (empty)
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 0a0e51932a3470cddc09ea0fdd1098cad3e04638
IMPhash: 09d0478591d4f788cb3e5ea416c25237

Note: the file is packed. The PECompact signature, the fact that there are only two sections, and a single 110592-byte .text section (compressed original image plus decompression stub) all point the same way. The section hashes, the IMPhash and most of the strings further down therefore describe the packer layer, not the program that is unpacked in memory at runtime; pivoting on IMPhash or PEhash will cluster this file with other PECompact-packed binaries rather than with its own family. The version resource (InternalName "freegate", an MFC application, version 1.0.0.1) is still readable because it sits in the separate .rsrc section, which is why the static parser could extract it. The link-time timestamp (2007-10-28) postdates the 2003 copyright string; neither value is authenticated and neither should be trusted on its own.
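The IMPhash above is computed over the import table of the packed file, that is, over the PECompact loader stub's imports. The following is an added example (not part of this report or of the sandbox's tooling) that implements the import-hash construction and shows why two unrelated programs packed with the same stub share one hash. The two import lists are constructed for illustration; the sample's real import table is not reproduced in the report, and the hash values printed are not claimed to match the IMPhash recorded above.

```python
"""Compute an import hash (imphash) from an ordered import list.

Added example for this report page; not the sandbox's own code. The import
lists below are constructed to illustrate why a PECompact-packed file's
imphash describes the packer stub rather than the packed program.
"""
import hashlib

# Module extensions that are stripped before hashing.
_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Build the canonical 'dll.func,dll.func' string the hash is taken over.

    imports: iterable of (module_name, function_name_or_ordinal) in import
    directory order. Order matters: reordering the imports changes the hash.
    Imports by ordinal become 'ord<N>'. (pefile additionally maps known
    ws2_32/oleaut32 ordinals to names; that table is omitted here, so
    ws2_32 ordinal 23 is rendered as ord23 rather than as socket.)
    """
    parts = []
    for module, func in imports:
        module = module.lower()
        for ext in _STRIP_EXT:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        if isinstance(func, int):
            func = "ord%d" % func
        parts.append("%s.%s" % (module, func.lower()))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed: the kind of import set a PECompact2 loader stub carries
# (an assumption for the example, not a dump of this sample's import table).
PECOMPACT_STUB_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualFree"),
    ("USER32.dll", "MessageBoxA"),
]

# Constructed: what an unpacked WinINet-using program might import instead.
UNPACKED_IMPORTS = [
    ("WININET.dll", "InternetOpenA"),
    ("WININET.dll", "InternetOpenUrlA"),
    ("WS2_32.dll", 23),          # imported by ordinal
    ("ADVAPI32.dll", "RegSetValueExA"),
]


if __name__ == "__main__":
    # Any payload packed with the same stub yields the first hash, so a
    # pivot on it finds "files packed with this stub", not a malware family.
    print("packer stub imports :", imphash(PECOMPACT_STUB_IMPORTS))
    print("unpacked imports    :", imphash(UNPACKED_IMPORTS))
```

To pivot on the real program, unpack first (let the stub run, dump the process, rebuild the import table) and hash the reconstructed imports; the packed file's hash only tells you which packer was used.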

Runtime Details:

Process
 ↳ C:\malware.exe

Registry
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 37888
      (non-standard value name under the WinINet settings key; the report records the value but not its meaning to the program)
  HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
      (proxy setting accessed; no value recorded)

Files opened or created
  C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  C:\Documents and Settings\Administrator\Cookies\index.dat
  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  PhysicalDrive0          (raw handle to the first physical disk; the report shows the open, not what was read)
  PIPE\lsarpc             (LSA RPC named pipe)
  \Device\Afd\Endpoint    (Winsock socket creation)

Mutexes
  c:!documents and settings!administrator!local settings!history!history.ie5!
  WininetConnectionMutex
  c:!documents and settings!administrator!cookies!
  c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

The three index.dat files and the four mutexes are what wininet.dll creates when a process first initialises the URL cache, so they show that the sample uses WinINet for HTTP rather than that it deliberately tampers with the browser cache. The ProxyEnable access and the write under Internet Settings are consistent with a program that inspects or adjusts the system proxy configuration.

Network Details:

DNS (A-record lookups)
  w61.ziyoulonglive.com
  w62.ziyoulonglive.com
  w63.ziyoulonglive.com
  w64.ziyoulonglive.com
  w65.ziyoulonglive.com

Flows: 55 UDP datagrams from the sandbox host (192.168.1.1, source ports 1031 and 1032) to port 53 on 54 distinct servers; 195.133.91.136 is contacted twice. Only outbound datagrams are listed; no responses and no subsequent TCP connections appear in the report. A host that resolves names normally sends its queries to one or two configured resolvers, so a fan-out to 54 different DNS servers means the program carries its own server list (47 of the 54 addresses are in 195.0.0.0/8). That fan-out, rather than the five hostnames, is the behaviour worth detecting.

  Flow UDP 192.168.1.1:1031 ➝ 195.133.91.136:53
  Flow UDP 192.168.1.1:1032 ➝ 195.102.98.252:53
  Flow UDP 192.168.1.1:1032 ➝ 195.108.61.214:53
  Flow UDP 192.168.1.1:1031 ➝ 198.32.252.58:53
  Flow UDP 192.168.1.1:1032 ➝ 195.170.121.250:53
  Flow UDP 192.168.1.1:1032 ➝ 195.183.250.98:53
  Flow UDP 192.168.1.1:1031 ➝ 153.19.102.182:53
  Flow UDP 192.168.1.1:1032 ➝ 195.18.244.95:53
  Flow UDP 192.168.1.1:1032 ➝ 195.190.112.99:53
  Flow UDP 192.168.1.1:1031 ➝ 64.71.218.3:53
  Flow UDP 192.168.1.1:1032 ➝ 195.194.242.48:53
  Flow UDP 192.168.1.1:1032 ➝ 195.237.79.62:53
  Flow UDP 192.168.1.1:1031 ➝ 83.234.232.1:53
  Flow UDP 192.168.1.1:1032 ➝ 195.1.213.224:53
  Flow UDP 192.168.1.1:1031 ➝ 141.151.128.68:53
  Flow UDP 192.168.1.1:1032 ➝ 195.62.192.46:53
  Flow UDP 192.168.1.1:1032 ➝ 195.89.165.180:53
  Flow UDP 192.168.1.1:1031 ➝ 81.19.69.17:53
  Flow UDP 192.168.1.1:1032 ➝ 195.222.59.109:53
  Flow UDP 192.168.1.1:1032 ➝ 195.247.86.195:53
  Flow UDP 192.168.1.1:1031 ➝ 211.63.185.180:53
  Flow UDP 192.168.1.1:1032 ➝ 195.131.179.145:53
  Flow UDP 192.168.1.1:1032 ➝ 195.76.10.202:53
  Flow UDP 192.168.1.1:1031 ➝ 195.133.91.136:53
  Flow UDP 192.168.1.1:1032 ➝ 195.212.37.21:53
  Flow UDP 192.168.1.1:1032 ➝ 195.147.126.46:53
  Flow UDP 192.168.1.1:1032 ➝ 195.218.22.22:53
  Flow UDP 192.168.1.1:1032 ➝ 195.197.237.63:53
  Flow UDP 192.168.1.1:1032 ➝ 195.250.245.78:53
  Flow UDP 192.168.1.1:1032 ➝ 195.219.60.140:53
  Flow UDP 192.168.1.1:1032 ➝ 195.29.177.106:53
  Flow UDP 192.168.1.1:1032 ➝ 195.103.156.96:53
  Flow UDP 192.168.1.1:1032 ➝ 195.30.42.232:53
  Flow UDP 192.168.1.1:1032 ➝ 195.141.164.196:53
  Flow UDP 192.168.1.1:1032 ➝ 195.107.88.211:53
  Flow UDP 192.168.1.1:1032 ➝ 195.217.149.182:53
  Flow UDP 192.168.1.1:1032 ➝ 195.185.21.73:53
  Flow UDP 192.168.1.1:1032 ➝ 195.144.198.107:53
  Flow UDP 192.168.1.1:1032 ➝ 195.182.223.10:53
  Flow UDP 192.168.1.1:1032 ➝ 195.158.165.86:53
  Flow UDP 192.168.1.1:1032 ➝ 195.229.64.10:53
  Flow UDP 192.168.1.1:1032 ➝ 195.221.88.172:53
  Flow UDP 192.168.1.1:1032 ➝ 195.112.65.102:53
  Flow UDP 192.168.1.1:1032 ➝ 195.26.28.33:53
  Flow UDP 192.168.1.1:1032 ➝ 195.46.118.113:53
  Flow UDP 192.168.1.1:1032 ➝ 195.139.114.52:53
  Flow UDP 192.168.1.1:1032 ➝ 195.65.150.213:53
  Flow UDP 192.168.1.1:1032 ➝ 195.224.189.185:53
  Flow UDP 192.168.1.1:1032 ➝ 195.213.166.42:53
  Flow UDP 192.168.1.1:1032 ➝ 195.209.162.213:53
  Flow UDP 192.168.1.1:1032 ➝ 195.198.41.133:53
  Flow UDP 192.168.1.1:1032 ➝ 195.188.192.7:53
  Flow UDP 192.168.1.1:1032 ➝ 195.121.57.239:53
  Flow UDP 192.168.1.1:1032 ➝ 195.61.125.165:53
  Flow UDP 192.168.1.1:1032 ➝ 195.8.168.86:53
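A detection for the fan-out pattern above, as an added example that is not part of this report or of the sandbox: it parses flow lines in the report's own "Flows UDP src:port ➝ dst:port" format and alerts when one source sends UDP/53 datagrams to more than a threshold of distinct destinations. The sample lines are a constructed subset copied from this report (including the repeated 195.133.91.136 and one non-DNS flow); the threshold of 4 is an assumption to be tuned to however many resolvers the monitored hosts legitimately use.

```python
"""Flag a host that sprays DNS queries at many unrelated resolvers.

Added example for this report page, not sandbox tooling. Normal hosts
resolve through one or two configured resolvers; dozens of distinct
port-53 peers means the program carries its own resolver list or is
sweeping for open resolvers.
"""
import re
from collections import defaultdict

# Matches the report's flow lines, with or without a space after the protocol.
FLOW_RE = re.compile(
    r"Flows\s+(?P<proto>UDP|TCP)\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*➝\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

THRESHOLD = 4  # assumed; raise to the number of resolvers your hosts really use


def parse_flows(lines):
    """Yield (proto, src, sport, dst, dport) for every line that parses."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield (m["proto"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]))


def dns_fanout(lines, threshold=THRESHOLD):
    """Return {src: sorted distinct UDP/53 peers} for sources over threshold.

    Only UDP datagrams to port 53 count; repeated queries to the same server
    count once, so a retry storm against one resolver does not trip this.
    """
    peers = defaultdict(set)
    for proto, src, _sport, dst, dport in parse_flows(lines):
        if proto == "UDP" and dport == 53:
            peers[src].add(dst)
    return {src: sorted(ips) for src, ips in peers.items()
            if len(ips) > threshold}


# Constructed sample: a subset of the flow lines from this report
# (195.133.91.136 appears twice, as in the original) plus one TCP flow
# to show that non-DNS traffic is ignored.
SAMPLE = """\
Flows UDP192.168.1.1:1031 ➝ 195.133.91.136:53
Flows UDP192.168.1.1:1032 ➝ 195.102.98.252:53
Flows UDP192.168.1.1:1032 ➝ 195.108.61.214:53
Flows UDP192.168.1.1:1031 ➝ 198.32.252.58:53
Flows UDP192.168.1.1:1032 ➝ 195.170.121.250:53
Flows UDP192.168.1.1:1031 ➝ 153.19.102.182:53
Flows UDP192.168.1.1:1031 ➝ 64.71.218.3:53
Flows UDP192.168.1.1:1031 ➝ 195.133.91.136:53
Flows TCP192.168.1.1:1040 ➝ 10.0.0.5:80
""".splitlines()


if __name__ == "__main__":
    for src, resolvers in dns_fanout(SAMPLE).items():
        print("%s queried %d distinct DNS servers: %s"
              % (src, len(resolvers), ", ".join(resolvers)))
```

The same logic applies unchanged to NetFlow or Zeek conn.log records once the parser is swapped; the point is to key on distinct port-53 destinations per source rather than on the queried names, which an operator can rotate freely.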


Strings (printable strings extracted statically; the PECompact-compressed body yields mostly short high-entropy fragments, which are omitted here)

Version resource (.rsrc):
  VS_VERSION_INFO
  StringFileInfo
  VarFileInfo
  Translation
  040904b0                 (language 0x0409 en-US, code page 0x04b0 Unicode)
  CompanyName
  FileDescription
  FileVersion
  InternalName
  LegalCopyright
  LegalTrademarks
  OriginalFilename
  PrivateBuild
  ProductName
  ProductVersion
  SpecialBuild
  Comments
  1, 0, 0, 1
  Copyright (C) 2003
  freegate
  freegate Application
  freegate.EXE
  freegate MFC Application

Loader and API strings (consistent with the PECompact2 stub and its import table):
  PECompact2
  2File corrupt.           (the stub's "File corrupt." message with a stray leading byte)
  Application error
  The procedure
  %s could not be located in the 
  DLL %s.4ordinal %dR      (two format strings, "DLL %s" and "ordinal %d", run together)
  !This program cannot be run in DOS mode.
  kernel32.dll
  user32
  LoadLibraryA
  GetProcAddress
  VirtualAlloc
  VirtualFree
  VirtualProtect
  CloseHandle
  MessageBoxA

Fragments cut by compression boundaries (partial; interpretations marked as probable are guesses):
  GetModu                  (probably GetModuleHandle)
  wsprin                   (probably wsprintf)
  <XClosHa                 (probably CloseHandle)
  8kernel32, KERNLE
  8upMSVCR                 (MSVCR runtime module name)
  "SOFTWARE                (registry path prefix)
  sP[127.0                 (probably a loopback address)
  G%qC:\ , M:\923R         (drive paths)
  < .tex                   (probably the section name .text)
  Dns[l2r, IP_wyx
  wip01@gm
  0123456789abc
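Sorting a packed binary's strings dump by hand, as done above, does not scale. The following is an added example (not part of this report or of the sandbox) of a triage filter that keeps only lines resembling API names, module names, printf-style format strings, drive paths, version-resource constants or real words, and drops the high-entropy fragments a compressed section produces. The rule set and its thresholds are assumptions chosen for this report's output; the sample lines are copied from the strings listed above.

```python
"""Separate meaningful strings from packer noise in a strings dump.

Added example for this report page, not the sandbox's own code. The rules
are a triage heuristic, not a parser: they trade a few misses (truncated
fragments such as 'GetModu') for dropping nearly all compression noise.
"""
import re

# Checked in this order; the first matching rule names the line's category.
RULES = {
    "format": re.compile(r"%[sdxcu]"),                        # printf-style
    "path":   re.compile(r"[A-Za-z]:\\"),                     # drive letter
    "module": re.compile(r"\w+\.(?:dll|exe|sys|ocx)\b", re.I),
    "const":  re.compile(r"[A-Z]{3,}_[A-Z]{3,}"),             # VS_VERSION_INFO
    "api":    re.compile(r"[A-Z][a-z]{3,}[A-Z][a-z]{2,}"),   # CamelCase, 2+ humps
    "word":   re.compile(r"[a-z]{7,}"),                       # long lowercase run
}

# Tokens kept even when the surrounding text is cut by a compression boundary.
TOKENS = ("kernel32", "user32", "MSVCR", "SOFTWARE", "PECompact",
          "DOS mode", "127.0")


def classify(line):
    """Return 'token', the name of the first matching rule, or None."""
    for tok in TOKENS:
        if tok in line:
            return "token"
    for name, rx in RULES.items():
        if rx.search(line):
            return name
    return None


def interesting_strings(lines):
    """Return [(category, line)] for the lines that pass, in input order."""
    kept = []
    for line in lines:
        line = line.rstrip("\n")
        cat = classify(line)
        if cat:
            kept.append((cat, line))
    return kept


# Constructed sample: lines copied from this report's strings output.
SAMPLE = [
    "8.$..", "2File corrupt.", "jGXNh8", "VirtualAlloc", "kernel32.dll",
    "DLL %s.4ordinal %dR", "ObfDerf", "8upMSVCR", "G%qC:\\",
    "VS_VERSION_INFO", "Urachv", "!This program cannot be run in DOS mode.",
    "MessageBoxA", "umxxmu", "PECompact2", "user32",
]


if __name__ == "__main__":
    for cat, s in interesting_strings(SAMPLE):
        print("%-7s %s" % (cat, s))
```

Run it over the full dump (`strings -a sample.exe | python3 filter.py`, with SAMPLE replaced by `sys.stdin`) before reading anything by eye; what survives on a packed file is almost entirely the stub and the resource section, which is itself the signal that unpacking is needed before strings-based triage means anything.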