Analysis | #totalhash

Analysis Date	2014-09-16 18:22:50
MD5	38f97da7df2aa6ff7f699b3161701923
SHA1	2dbffd921859907a2000ecea192593d2a059d3ff

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 628f86bdc1697c687b6b68c603a31593 sha1: 7791cb8176d33b6ec8e9fd54a5626f68152b7697 size: 139776
Section	.rsrc md5: 0a2bc0dfdf5818687134f36b795d7d48 sha1: 33169081a89ab1de117aa2eae8927de431604747 size: 17920
Timestamp	2008-07-29 22:55:23
Version	LegalCopyright: Copyright (C) 2003-2008 InternalName: Freegate FileVersion: 0, 0, 0, 0 CompanyName: PrivateBuild: LegalTrademarks: Comments: ProductName: Freegate Application SpecialBuild: ProductVersion: 0, 0, 0, 0 FileDescription: Freegate Application OriginalFilename: freegate.EXE
Packer	PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash	c94136959181ad7ad975791a9c140203d2936269
IMPhash	09d0478591d4f788cb3e5ea416c25237

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PhysicalDrive0
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS	w63.ziyoulonglive.com Type: A
DNS	w64.ziyoulonglive.com Type: A
DNS	w65.ziyoulonglive.com Type: A
DNS	w61.ziyoulonglive.com Type: A
DNS	w62.ziyoulonglive.com Type: A
DNS	098362be7f210702c3d0b1587594c6a14cdb21f9.a9094dc921186e2b3196afcafd70224934286933.4.ziyouforever.com Type: MX
DNS	9905bfe1fdcae4693bd6726d4b79ae53dc5dfca6.2be2aea2d91ead1e0f7bc7386f413a78b92ca310.4.ziyouforever.com Type: MX
DNS	8cc2952a4cd0d0c4007c2ff04c9097b2c99ad66d.9af89a0fe2b4f0830892fed9dfe2b74d35edc23f.4.ziyouforever.com Type: MX
DNS	1f641efc2d108ddb9e2a28d924ccfa915a3c5dbb.fb38c7107ce2f7aa60ce93fa74ce9514aa325e24.4.ziyouforever.com Type: MX
DNS	6231426d8abafce25d38b9a19524b09f2769012a.5c92b629bff066d2d126d9f4e622314e29eeb314.4.ziyouforever.com Type: MX
DNS	b6b8637be635a732ebc6c7a3f6128f0db8f17a77.2147a6e85c45098af95bf73cf527bc66aaba9a06.4.ziyouforever.com Type: MX
DNS	7d12877e17a5d4a63aa1a3599dfb0b6d735b9e72.d0d7d57c8d226d7092b2735c9ba91a4873b06845.4.ziyouforever.com Type: MX
DNS	b9f234b0d91935c8dba8544da885fcbbb7bb2dbc.1e6b34126c2b9a64a7cc848a68634431faef9066.4.ziyouforever.com Type: MX
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP	192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP	192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP	192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP	192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP	192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP	192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP	192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP	192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP	192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP	192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP	192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP	192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP	192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP	192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP	192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP	192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP	192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP	192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP	192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP	192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP	192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP	192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP	192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP	192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP	192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP	192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP	192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP	192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP	192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP	192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP	192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP	192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP	192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP	192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP	192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP	192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP	192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP	192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP	192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP	192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP	192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP	192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP	192.168.1.1:1035 ➝ 175.181.114.173:443
Flows TCP	192.168.1.1:1036 ➝ 1.161.151.225:443
Flows TCP	192.168.1.1:1037 ➝ 118.169.168.243:443
Flows TCP	192.168.1.1:1038 ➝ 122.121.11.111:443
Flows TCP	192.168.1.1:24206 ➝ 114.43.197.79:443
Flows TCP	192.168.1.1:1039 ➝ 114.27.38.18:443
Flows TCP	192.168.1.1:1040 ➝ 36.224.10.251:443
Flows TCP	192.168.1.1:1041 ➝ 64.235.32.206:53
Flows TCP	192.168.1.1:1042 ➝ 129.66.95.3:53
Flows TCP	192.168.1.1:1043 ➝ 141.151.0.68:53
Flows TCP	192.168.1.1:1044 ➝ 211.10.204.5:53
Flows TCP	192.168.1.1:1045 ➝ 64.80.255.251:53
Flows TCP	192.168.1.1:1046 ➝ 128.30.52.200:53
Flows TCP	192.168.1.1:1047 ➝ 208.101.39.236:53

Raw Pcap

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   1603                                  ..

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

Strings

F
.
8
-
..+
.
.f[.x
...
e.-....
.L.
...)
..
...
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
|({{	*
)@@*(,(
)0[%5=
+(0i+C
}0 JGc
+_0u[P
0zyY"VHB
%1^_-/
1@.0,L
~188881~
?"18YI
1|aI~%|
1i/R9d
1;uBDtqf B
1{~^[Y
27Q Py
2Is(Ye
2\<(-MUUVVVV
2Q}69|ad
"2yQF.^
3b&~~nb
3y<O5:
/4b?V8
4CP]Ok
4h_R7aw
4ordinal %d2*
?4?y57
5BNyXW
5XY~';
'|5yWve
6<fh1&
6%Gsc<
6HMF~@ 
<_6@[l0?
6mF{?P
77j>l_v
)7|[8.
7bjO]y
7ryKi1D
7uE_bp
"8;7b@4c
~8880000/01
^8F1KA0
9Kkh66
$9oE/!
|9pVmQ7 1q
9`Q$bf78D
/9`tGn
aAwkGNH
adt}SK
"AECqQp
a{H1-$
AP.=6%
Application error
ASPKN^
^\aUp=
}[=a"w
!AxrYW
ba\?'(
$babep
|bDaw/
(BE,7_
b+OxS 
bu+O#D
+C2*o 
cCHM)=b
Ci)S/$`
CKi,Dj
>:CloseHandle
corrupt.
CzF=E1mq
d1+#.P
D9X-7l
/dc,@E
Dfh	yLRX
#dm=;|v
d not be located in the DLL %s
<-d+t@
*!`D|V
E3t<W8
>E>6Eq
ec=KGlZ
eD1Gtx
(]&E#h
ehVKJQ
Eiy6z9r
#Ek}>Y
}EM5^\E
!}Eo7T
er@C~S
erK;X 6W
e+``Tr
eveb)L
F7y{"A
\}fA[H
'f!#kyP*
Fn-"d{
FP!O7',P
FUBp94
fUe22.8
FVEbhD0
g-1D\Z
g:1wB'
g=4eS<
g@9-jg
G''+9T
GetModul
GetProcAddress
GI8-y)
Glr&<R;
|GoFhy1Y-B
Gq^>`m
G[U:FW
|gZ-~T/'
hdWTZis
HeSime
H\G66?
HP9"E*
H+"pI:U
 Hqf1(0
+hQZ?<
i8aWh%
&iB@Ro
i/'d9,
ID_w=f
IO_|0"NL
i@@@,-P
^iSe#[5
i@;ZYd
$"{J,:
j]*'N3
jo_ApbZG7P
<J,RW	
J$*SyX
JZWO1lr
.K2.=G
K!2r2h
kernel32
kernel32.dll
kLa`F(
K'q1:^
(kV1$	
K>z|{x
$L$/|%
Lao=94
>*LC[viMo@"
.lEZZ[
ln_7Hf
LoadLibraryA
lr	hp4
Lrl$(l
LT%Hh\
/LVst8^Q<
m2i?4kn
+M3?:\q
MaU#^D
Message
Mf3 ;*
m:i,5o
MLKDc: 
|[=mO5
M)rL:R,
msvbvmU
<=M*T3
M!yYJuVv
N34;2#
N4Qqct
n,<9X+
ndeo5c
NJTLk%
NK]MW4(
nn_yZ|
N)}/@Q
|#ns2'
NuO5}M&peS
NX\T_j
ny	K%iiL
 #O`#\{
!-oDHd
oiH C 
o[M'tp
ON1!AiB^
OnK+2U
} Oo-l
o	\RSE
ORZ1!'
O!]vBD
o(@^-Y
pan{>|E'Emk
Paww	1X
PEC2=O
PECompact2
\[pLzF
pnVGtggSL
@p+%P5
Pq<rVG
Protect
P-@U@VAVX
&&Pwt[<
pw$*X]
,pYPo+
/pyWb8
q/~]8Q
Qb}hq v
q+d8[/-4
q#,I ~4
}|Q/I+8
qKbWf*
& {q<t
qW:6z`
QWXa+R
QX]kfmgzC
Q'&ZGc%
R1`qd 
Rd	>3a
R'dA"#
RInkAl
r'=KH&
&"rTI_
R: u6K
^@Rv#t=
rw>>#<
|	RXIufw[
rZ6&>}
s0KWQ&
S7k[84
`S@.oh
S;-+P5**
sUSY,J0
S~XnU[
SzFI9w
T+afD9
t*/&dD
;tDyZCw
tfJ!]g
The procedure %s coul
!This program cannot be run in DOS mode.
(t+i>R
T|LjSHx
: t>QV
t`[-V7tZ
TWl:En
tWvN(30
TYmMiC
u4R$xa/
UH`wxR
umxxmu
user32
USQWVR
UVVVWX
Uw'{bds
,U=?xE.0
uXyg5E#&
u?Zm]>
v"_03E
vaZ#eH
vFam_O
V+fUkt
(_v|G4
vG\tfy@
Virtual
VirtualAlloc
VirtualFree
vjBI\B
VKfeHM
%V	*,%N
vQJn%5
&	)VSQ1w
.|#%'W}*
w"5LwwM
/*W~8(
w^9||H|-X
w!EG*u
:wGm]@
WO_u@E.
wsprintfA
ww>dV7
Xe5FR\
}x+m&&
xS"G4!^
Xw`v:w
Xx]dCa{<
Xy]n/G
y"^%/=
Yb|qTp
y}lG$]
Yp~[zf
.Yr|SHX
]yXYH!
z]3b+]
~z/C~E
ZG?"%P
Z?Ja)Kl
^Z"j. q
*z$#O"
zW"?gi9%D
zXr;SCI
Z^_Y[]