Analysis Date: 2015-01-11 03:37:13
MD5: c802472af46d9b4671d199ec163e9b81
SHA1: 375d397aa0690398c72bf0522b6755872a04b1c0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5c8fe040c2a415d4f5f92882bdaaa1db sha1: 3e39a76e2da752d999a935b65ed394561505ae4f size: 134656
Section .rsrc: md5: 1649fccfdafafe1c73f9ec752fb74097 sha1: bf6fc45456818dc48287c0e64c8d84d2f602666c size: 14848
Timestamp: 2008-03-25 14:56:23
Version:
LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: f38bec1264f73e72a5145e5e3a6d687f750180ba
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.957526
AV Alwil (avast): OnLineGames-FDX [Trj]
AV Arcabit (arcavir): Trojan.Generic.957526
AV Authentium: W32/Proxy.EXSM-3129
AV Avira (antivir): TR/Rogue.150528.17
AV BullGuard: Trojan.Generic.957526
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3292
AV Emsisoft: Trojan.Generic.957526
AV Eset (nod32): no_virus
AV Fortinet: W32/Agent.BK!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.957526
AV Grisoft (avg): no_virus
AV Ikarus: Virus.Win32.Agent
AV K7: Backdoor ( 04c4c8501 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Proxy-Agent.bk
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.957526
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:


Raw Pcap

Strings
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
ExitProcess
GetModul
GetProcAddress
kernel32.dll
LoadLibraryA
!This program cannot be run in DOS mode.
@tkernel32
VirtualAlloc
VirtualFree
VirtualProtect