Analysis Date: 2014-12-20 18:40:06
MD5: 9b1b3375a1536f648e63f0525c9c0b73
SHA1: 3429081b0dee856333328e0912ee2baffc42e32a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 882378f5883701bbc1b04475b9099661 sha1: 276d2fd4539eee89306bbc39581e36d868d7d20d size: 171008
Section .rsrc: md5: 031430730e643d56af4b6d356f6a3c38 sha1: c988c95377ff325c38c7630981c5f8618916be80 size: 17920
Timestamp: 2008-07-29 22:55:23
Version info:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 0732c3bdbdd7956a8c8445d86e89973687bbcd9d
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV results (10 of the 29 engines listed flag the sample; the names that do fire are proxy/backdoor generics, not one agreed family):
  360 Safe: no_virus
  Ad-Aware: no_virus
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Arcabit (arcavir): no_virus
  Authentium: no_virus
  Avira (antivir): TR/Rogue.189952.9
  BullGuard: no_virus
  CA (E-Trust Ino): no_virus
  CAT (quickheal): no_virus
  ClamAV: no_virus
  Dr. Web: Trojan.Proxy.3764
  Emsisoft: no_virus
  Eset (nod32): no_virus
  Fortinet: no_virus
  Frisk (f-prot): no_virus
  F-Secure: no_virus
  Grisoft (avg): BackDoor.Generic18.AXYN
  Ikarus: Backdoor.Win32.Clack
  K7: Backdoor ( 04c4c5c21 )
  Kaspersky: Backdoor.Win32.Clack.k
  MalwareBytes: Trojan.Agent
  Mcafee: RDN/Generic BackDoor!b2z
  Microsoft Security Essentials: no_virus
  MicroWorld (escan): no_virus
  Rising: no_virus
  Sophos: no_virus
  Symantec: no_virus
  Trend Micro: no_virus
  VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP: 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP: 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP: 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP: 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP: 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP: 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP: 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP: 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP: 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP: 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP: 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP: 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP: 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP: 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP: 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP: 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP: 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP: 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP: 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP: 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP: 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP: 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP: 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP: 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP: 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP: 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP: 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP: 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP: 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.179.244.70:53
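
The flow list above is the most useful part of this report for a defender: the 53 UDP/53 flows go to 52 distinct servers (38.99.76.229 is hit twice), 45 of them inside 38.0.0.0/8, and all of it comes from just two source ports (1031 and 1032), i.e. two sockets walking a server list rather than a client repeating its configured resolver. The report does not show which of those servers answered, so nothing here says which one served the w61–w65.ziyoulonglive.com queries. The fan-out itself is a triage signal, not a verdict: the version resource names the binary Freegate, a censorship-circumvention client, and such tools (and DNS benchmarking utilities) produce the same pattern legitimately. The script below is an added example written for this page, not code from the sandbox or from the Freegate project. It parses report lines in the form used above, flags any source host that sends UDP/53 to more than a threshold of distinct servers, and reports how concentrated those servers are in a single /8. The embedded input is a constructed subset of the report's own flows plus two made-up lines for a host 10.0.0.5 that only uses its one resolver, so the check can be seen not firing on normal traffic; the threshold of 5 is an arbitrary assumption to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: eleven "Flows" lines taken from the report above (a subset
# of the 53 it lists, including the repeated 38.99.76.229), plus two made-up
# lines for host 10.0.0.5 that only talks to its single configured resolver.
SAMPLE_FLOWS = """\
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 10.0.0.5:49152 ➝ 10.0.0.2:53
Flows UDP: 10.0.0.5:49153 ➝ 10.0.0.2:53
"""

# Accepts both "Flows UDP: 1.2.3.4:1031 ➝ ..." and the fused "Flows UDP1.2.3.4:1031 ➝ ..."
# form that raw extraction of this report produces (the colon and spaces are optional).
FLOW_RE = re.compile(
    r"^Flows\s+(?P<proto>UDP|TCP):?\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*➝\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_flows(text):
    """Parse report 'Flows' lines into dicts; lines that are not flows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def dns_fanout(flows, threshold=5):
    """Map each source host to the distinct servers it sent UDP/53 to, keeping only
    sources that contacted more than `threshold` distinct servers.  A normal client
    repeats its one or two configured resolvers; fan-out to many is what we triage."""
    servers = defaultdict(set)
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == 53:
            servers[f["src"]].add(f["dst"])
    return {
        src: sorted(dsts, key=ipaddress.ip_address)
        for src, dsts in servers.items()
        if len(dsts) > threshold
    }


def prefix_concentration(addresses, prefixlen=8):
    """Return (network, share) for the /prefixlen holding the largest share of
    `addresses`; a heavy skew toward one block points at a hard-coded server list
    rather than a spread of public resolvers."""
    counts = defaultdict(int)
    for a in addresses:
        counts[ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)] += 1
    net, n = max(counts.items(), key=lambda kv: kv[1])
    return str(net), n / len(addresses)


def analyze(text, threshold=5):
    """Run the fan-out check over raw report text; one finding per flagged source."""
    findings = []
    for src, dsts in dns_fanout(parse_flows(text), threshold).items():
        net, share = prefix_concentration(dsts)
        findings.append({
            "src": src,
            "distinct_dns_servers": len(dsts),
            "top_prefix": net,
            "top_prefix_share": round(share, 2),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

Run against the full flow list above, the same functions report 52 distinct servers for 192.168.1.1 with 38.0.0.0/8 holding 45 of them; on the embedded subset they report 10 servers, 7 of them in 38.0.0.0/8, and nothing for 10.0.0.5. Feeding the script real NetFlow or Zeek conn.log records instead of report text only requires swapping `FLOW_RE` for that format's parser; the grouping and concentration logic are format-independent.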

Strings:
;
...
p...&)J
..
r&.
=`.
G4.>
.>?c
g
>
(.|..
.T
x
.
..
.
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
_-?.&`%
)@@*(,(
]0>>*>
08x&	s
	($0H:
~~(~,~0n4;
@0O Pj\
0q{b*=
:0S7@,
#0sQ@,)
+0uT9w
0$Y[0|
0yCfH;
0zg12K
0	(ZO`h
1-4#,Hc~Lp.
~188881~
	1!}xT
'207.46
20RS>;
234.56
2gE{eT`
2\<(-MUUVVVV
2q:"+)
;%2Q4a
2x	$Zi1Ga[
&~2zJ(
3+/]A,
3# C@=1
/+3dRZ
@3P: AcaNe
3S.cr$
?/-)3U
3(VRS]D
4HGW1b
$;4_'M
,,4W+(r
5)4B(C3
5aM2(RQ
-7c8%Ku
"7;h0N
7jsqq:
<7:t ER
7yk8URzpP
86N;@]
~8880000/01
8&A9quw
8[]]cZr>
'8exX@
 (;@8=Mh!
"8r99!
8u$#Nj
8u,:rW
8Uz>YJ
8vSV%t
8YW\CI
9abcdeJf
9}	CQK^"
9es3ov
9GeXE&
9	N3"H
9<t	7U
.a0px?
A#	3)W;*2
a]^=e0
Aht/5g
{@"]AJ
a.$N!`
ASA!4s
avj!oC{
/aX[(W
';=B0L
`B10xH
`B<a	t
Bc7a@ 
Be_p?h
='b-KA
bpCJWA
B~r)	Expl
b`UAjF
C8o8r-e
c+gJ[0
?;CNQJ
C: S~e
Ctrl-A
,C`u&l
C%ul#DH
|dc8oP
DEFGHIJK}L
dev.n@
d,j2`F
$DpT3;
D	#q,vHa
Dt:1,aNG
{D)u!`
"|dv	pHj
E02K?+:
e'20K8
 ,E3Wh.v
>E>6Eq
EC2_Is
E{^daI
edia3.
EfFgh	ijkl
@Ej}XP
/e/`oT
ES>4LX1
ew/XpP
_ezWLlU
f2n;bh	b
F?5 w,3
Fgxa\3
}F\'$T
F,t/2 
 (=#\G
G''+9T
?G@ai{
GElHt.
GetProcAddress
Gmgayr
-G[M S
|g? `P$
+grP'6
gtYSVL
gW<	Zh\
h 2d;&
`HaB	/
Half+B
h(\B}.
HDSN=(
hdWTZis
HG?[cs
hHr,gX[
H,?L?P?T?X!\
:hoswIyE
H:PKy>
H:PM8SH
hr%|p:Sp
!HT;~IP
Ht-Z<'
H{,"uA
hUgDou
hv/CpM
hw=-W_
I6t`$uC0
(i7I")
I90Qw 
;iByTT
I'<dQU
IeJ&0_
Ih=	RPU
INJ&V]70
IO4@BG
i@@@,-P
ip0@1@g
IXH~?b
i@;ZYd
-j \;0
;%jH	3
j IPwx:
!jn|~v*G
j.U0SFj
j_UBQ@
J!uOW)	
{_jXB.0lY
kc!	*.
k+DFEv
K@@d-Z
kernel32.dll
kS@&l3r
kS$pFU
k U><`
kW'wE(
K>%(?,x
"&$l=&
L3-Bktb
L4aII=
lEh_Qc9
LoadLibraryA
|Lp:7<}T
LpDp|r
LW.d`{
}M4rX.
M9<	!+D
mgfuPa
 m!}k}ly6}
MLKDc: 
m/tx~7r
m~uIz.
)MV	Up
-Mx,	G
m 	[x|pd
MXRAply!O>
N34;2#
n*@>8x
'nicmpp
"nl68X
NLOAT.-
NOPQXYZ
%~@}nP
Np.tuy
o5u0	J
(\O%75p 
O(8x3u
OHE9UM
OL0oRW
O]Ru'Q
Orv	84
owS;|)
&,oX-PY:ed
p0 V`P
P8E+1S
PDa(rzt>
P$DJ.$d$H
PEC2=O
PECompact2
pfi  #
pG\@=L
'p*H4:
PhXV(<^W
P^;i]ttt
Pk7_[z
PkB}o.
pMSVCR
"P@)Ot
@\`ppf
;/pQ	v
&P}S\\
ptersInf
P-@U@VAVX
P}<	v< 
PVhx/06
	}p,yn
Q1a"(Ex
Q;bIrX
=qj?DH
QPe0n%q
QX]kfmgzC
,|Q'Y3
QZ>^&&
R3p-k\
<r$8t2
R_-9=P
'@rB[w
Rc?n#V
rEHO!M
(@rGhZ
ri@e	.
rK/qbnx
rQ;B-S
r`t(a$
@=;'rz|
!"&S+$"0D5:
s8.+P9
,}s;/C
s>f:J=
sL+3!Q
S:okie
S;-+P5**
spE!G>
S(q,{0
`Su>KP
._t=F/s
TG5H_7
!This program cannot be run in DOS mode.
$tJb$dJH<
t$jDzR
Tpuric
<TUq	~
t	V2gz<
tVhK^PX
T"yooE 
.u`3D4
`ueF)~
UGQgd.
umxxmu
 uns7p
@uNSOjF
u?p z= 
UrlCach
>U+SI65:~]
USQWVR
UVVVWX
uwVjLH
V<43gpZr,!|
V8*;x]
^v;CzQ
view`2f=15
VirtualAlloc
VirtualFree
vjBI\B
vO/;Sd
V"	VsD6M
Vy Al<Qf&M
w6	1.zi
WaLZTra!
`wB=as
WcsN]M$
 >w'jb
(|W<mo
workPa
W>PIz&
&WpL8,
W	RTPDG
wV*a]g
x=3c(q 
:/\?X5
{X}c<q
XMoz\@	a/
XnhPHQ
X,Q3"8t:T
 xQi'\
.xrlGp
X_V ^Pu
,x?WEa
x,zP`L
y}0`9:
YAqXpZ)
/Y#)\d
@YE:@4
YhLi}z>b
yk+z(=fK
Y+	nGn
yX'`H!
YYu|9E
z}3 $w
Z@cR-un
Z	[lcN
Z^_Y[]