Analysis Date: 2014-09-16 18:22:50
MD5: 38f97da7df2aa6ff7f699b3161701923
SHA1: 2dbffd921859907a2000ecea192593d2a059d3ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 628f86bdc1697c687b6b68c603a31593 sha1: 7791cb8176d33b6ec8e9fd54a5626f68152b7697 size: 139776
Section .rsrc   md5: 0a2bc0dfdf5818687134f36b795d7d48 sha1: 33169081a89ab1de117aa2eae8927de431604747 size: 17920
Timestamp: 2008-07-29 22:55:23
Version
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: c94136959181ad7ad975791a9c140203d2936269
IMPhash: 09d0478591d4f788cb3e5ea416c25237
Note: the packer was identified heuristically, and because the file is PECompact-packed the IMPhash and the two section hashes describe the packer stub and its compressed payload (the strings below show only the loader's imports: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree), not the unpacked Freegate code. Compare them only against other packed builds, or unpack first.
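Reproducing the per-section hashes shown above, as an added example (this is not sandbox output and not code from the Freegate project): a small pure-Python walker over the PE section table that hashes each section's raw bytes and decodes the COFF timestamp, together with a constructed two-section PE32 so it runs offline. Only the header field layout comes from the PE format; the section contents, alignment and the timestamp value used in the demo are assumptions for illustration.

```python
import hashlib
import struct
from datetime import datetime, timezone

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
FILE_ALIGN = 0x200


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_fake_pe(sections, timestamp):
    """Assemble a minimal PE32 file for testing (constructed input, not the analysed sample).
    sections: list of (name, raw_bytes). Only the fields section_hashes() reads are populated."""
    nsec = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                            # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, nsec, timestamp, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)  # magic PE32, rest zeroed
    headers_end = _align(e_lfanew + 4 + len(coff) + size_opt + 40 * nsec)
    table, body, ptr, va = b"", b"", headers_end, 0x1000
    for name, raw in sections:
        raw_size = _align(len(raw))
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"),
                             len(raw), va, raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\x00")
        ptr += raw_size
        va += _align(len(raw), 0x1000)
    head = dos + b"PE\x00\x00" + coff + opt + table
    return head.ljust(headers_end, b"\x00") + body


def section_hashes(data):
    """Walk the section table and hash each section's raw bytes, which is what the
    report's 'Section' lines record. Returns (timestamp_utc_string, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _machine, nsec, ts, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + size_opt
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            # Packed files sometimes declare a raw size that runs past EOF; a truncated
            # section hashes differently from tool to tool, so record the condition.
            "truncated": len(raw) < raw_size,
        })
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return when, out


if __name__ == "__main__":
    # Demo input: two synthetic sections; 1217372123 is 2008-07-29 22:55:23 UTC,
    # the report's compile timestamp (the only value taken from the report).
    pe = build_fake_pe([(".text", b"\x55\x8b\xec" * 500), (".rsrc", b"VS_VERSION_INFO" * 20)],
                       timestamp=1217372123)
    when, secs = section_hashes(pe)
    print("Timestamp:", when)
    for s in secs:
        print(f"Section {s['name']:<6} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

A mismatch between a locally computed section hash and the report's value usually means the two tools disagree on whether to hash SizeOfRawData bytes or only what exists in the file; the `truncated` flag makes that case visible.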

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Note: the index.dat files, the WininetConnectionMutex and the c:!...! mutexes are WinINet's own cache bookkeeping and appear for any process that uses the WinINet API; they are not indicators specific to this sample. The entries worth following up are the raw PhysicalDrive0 open and the ProxyEnable read.

Network Details:

DNS w63.ziyoulonglive.com
Type: A
DNS w64.ziyoulonglive.com
Type: A
DNS w65.ziyoulonglive.com
Type: A
DNS w61.ziyoulonglive.com
Type: A
DNS w62.ziyoulonglive.com
Type: A
DNS 098362be7f210702c3d0b1587594c6a14cdb21f9.a9094dc921186e2b3196afcafd70224934286933.4.ziyouforever.com
Type: MX
DNS 9905bfe1fdcae4693bd6726d4b79ae53dc5dfca6.2be2aea2d91ead1e0f7bc7386f413a78b92ca310.4.ziyouforever.com
Type: MX
DNS 8cc2952a4cd0d0c4007c2ff04c9097b2c99ad66d.9af89a0fe2b4f0830892fed9dfe2b74d35edc23f.4.ziyouforever.com
Type: MX
DNS 1f641efc2d108ddb9e2a28d924ccfa915a3c5dbb.fb38c7107ce2f7aa60ce93fa74ce9514aa325e24.4.ziyouforever.com
Type: MX
DNS 6231426d8abafce25d38b9a19524b09f2769012a.5c92b629bff066d2d126d9f4e622314e29eeb314.4.ziyouforever.com
Type: MX
DNS b6b8637be635a732ebc6c7a3f6128f0db8f17a77.2147a6e85c45098af95bf73cf527bc66aaba9a06.4.ziyouforever.com
Type: MX
DNS 7d12877e17a5d4a63aa1a3599dfb0b6d735b9e72.d0d7d57c8d226d7092b2735c9ba91a4873b06845.4.ziyouforever.com
Type: MX
DNS b9f234b0d91935c8dba8544da885fcbbb7bb2dbc.1e6b34126c2b9a64a7cc848a68634431faef9066.4.ziyouforever.com
Type: MX
Flows UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP 192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP 192.168.1.1:1035 ➝ 175.181.114.173:443
Flows TCP 192.168.1.1:1036 ➝ 1.161.151.225:443
Flows TCP 192.168.1.1:1037 ➝ 118.169.168.243:443
Flows TCP 192.168.1.1:1038 ➝ 122.121.11.111:443
Flows TCP 192.168.1.1:24206 ➝ 114.43.197.79:443
Flows TCP 192.168.1.1:1039 ➝ 114.27.38.18:443
Flows TCP 192.168.1.1:1040 ➝ 36.224.10.251:443
Flows TCP 192.168.1.1:1041 ➝ 64.235.32.206:53
Flows TCP 192.168.1.1:1042 ➝ 129.66.95.3:53
Flows TCP 192.168.1.1:1043 ➝ 141.151.0.68:53
Flows TCP 192.168.1.1:1044 ➝ 211.10.204.5:53
Flows TCP 192.168.1.1:1045 ➝ 64.80.255.251:53
Flows TCP 192.168.1.1:1046 ➝ 128.30.52.200:53
Flows TCP 192.168.1.1:1047 ➝ 208.101.39.236:53
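Three things in this capture are worth flagging automatically during triage: the MX queries for names that begin with two 40-hex-character (SHA-1-sized) labels under ziyouforever.com, the TCP connections to port 53 from ephemeral ports, and the spray of UDP DNS to dozens of distinct resolvers, most of them in 38.0.0.0/8. The following is an added example, not sandbox output and not Freegate code: it parses a constructed subset of the lines above, in the report's own line format, and reports each pattern. The resolver-count threshold and the finding names are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's "Network Details" line format (a subset of the
# entries above, not a new capture). Both "UDP192.168..." and "UDP 192.168..." parse.
SAMPLE = """\
DNSw63.ziyoulonglive.com
Type: A
DNSw64.ziyoulonglive.com
Type: A
DNS098362be7f210702c3d0b1587594c6a14cdb21f9.a9094dc921186e2b3196afcafd70224934286933.4.ziyouforever.com
Type: MX
DNS9905bfe1fdcae4693bd6726d4b79ae53dc5dfca6.2be2aea2d91ead1e0f7bc7386f413a78b92ca310.4.ziyouforever.com
Type: MX
Flows UDP192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP192.168.1.1:1031 ➝ 38.99.76.229:53
Flows TCP192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP192.168.1.1:1041 ➝ 64.235.32.206:53
Flows TCP192.168.1.1:1042 ➝ 129.66.95.3:53
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DNS_RE = re.compile(r"^DNS\s*(\S+)$")
TYPE_RE = re.compile(r"^Type:\s*(\w+)$")
FLOW_RE = re.compile(rf"^Flows\s+(UDP|TCP)\s*({IP}):(\d+)\s*(?:➝|->)\s*({IP}):(\d+)$")
HEX40_PAIR = re.compile(r"^(?:[0-9a-f]{40}\.){2}")   # two SHA-1-sized hex labels up front


def parse(text):
    """Return ([(qname, qtype)], [(proto, src, sport, dst, dport)]) from report-style lines."""
    queries, flows = [], []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = DNS_RE.match(line)
        if m:
            qtype = "?"
            if i + 1 < len(lines):
                t = TYPE_RE.match(lines[i + 1])   # the record type sits on the next line
                if t:
                    qtype = t.group(1)
            queries.append((m.group(1), qtype))
            continue
        f = FLOW_RE.match(line)
        if f:
            proto, src, sport, dst, dport = f.groups()
            flows.append((proto, src, int(sport), dst, int(dport)))
    return queries, flows


def triage(text, resolver_threshold=3):
    """Flag the three patterns described in the lead-in. The threshold is an assumption:
    a normal host talks to one or two configured resolvers, not dozens."""
    queries, flows = parse(text)
    findings = {}
    # 1. MX lookups whose name carries two 40-hex-char labels (data smuggled in the qname).
    findings["hex_label_mx"] = [q for q, t in queries if t == "MX" and HEX40_PAIR.match(q)]
    # 2. DNS over TCP to arbitrary hosts: port 53 is being used as a transport.
    findings["tcp_dns"] = sorted({dst for p, _, _, dst, dport in flows if p == "TCP" and dport == 53})
    # 3. Resolver spray: count distinct UDP/53 destinations and where they cluster.
    resolvers = sorted({dst for p, _, _, dst, dport in flows if p == "UDP" and dport == 53})
    findings["udp_resolvers"] = resolvers
    findings["resolver_spray"] = len(resolvers) > resolver_threshold
    by_first_octet = defaultdict(int)
    for r in resolvers:
        by_first_octet[r.split(".")[0]] += 1
    findings["resolvers_by_first_octet"] = dict(by_first_octet)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full list above, the same logic reports 8 hashed-label MX names, 7 TCP/53 destinations and well over fifty distinct UDP resolvers, which is the shape a DNS-based bootstrap or tunnel leaves in a capture; the script only counts and groups, it does not decode the labels.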

Raw Pcap (only the first bytes of each flow are shown)
0x00000000 (00000)   1603                                  ..    (8 flows; 16 03 is the start of a TLS record, content type 0x16 handshake, version 3.x; eight TCP connections to port 443 appear above)
0x00000000 (00000)   02                                    .     (7 flows; seven TCP connections to port 53 appear above)


Strings (readable entries)
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
4ordinal %d2*
Application error
>:CloseHandle
corrupt.
d not be located in the DLL %s
GetModul
GetProcAddress
kernel32
kernel32.dll
LoadLibraryA
Message
msvbvmU
PEC2=O
PECompact2
Protect
The procedure %s coul
!This program cannot be run in DOS mode.
user32
Virtual
VirtualAlloc
VirtualFree
wsprintfA