Analysis Date: 2014-12-09 23:48:11
MD5: 0cbc037fa2cdb003abaa386828f4ef83
SHA1: 470b435fd7a2a807218d44b03c0191c173b983bb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 22d3c47a1d6944bc71ffc5e9f578f25c sha1: bc92d1d18798347d5ea7e52d94ac653747542d38 size: 119808
Section .rsrc: md5: 29b44dbac05218c1b6cd0e99ad84161a sha1: 7bd5a961bb2cec63bcd285cd62ab27377240650e size: 16384
Timestamp: 2006-11-09 06:45:02
Version:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: f3fc460c9828529637331865302f6f3d3edac519
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: Trojan.Generic.12107369
AV Ad-Aware: Trojan.Generic.12107369
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Trojan.Generic.12107369
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Zhou
AV Emsisoft: Trojan.Generic.12107369
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12107369
AV Grisoft (avg): Proxy.ACRX
AV Ikarus: Virus.Win32.Agent
AV K7: Backdoor ( 04c51b4d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.12107369
AV Rising: Trojan.Mnless.mgg
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BackDoor.Zhou

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 49152
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Netbios
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
Flows: UDP 192.168.1.1:1031 ➝ 210.101.84.11:53
Flows: UDP 192.168.1.1:1031 ➝ 207.217.126.41:53
Flows: UDP 192.168.1.1:1031 ➝ 203.231.231.1:53
Flows: UDP 192.168.1.1:1031 ➝ 216.95.221.11:53
Flows: UDP 192.168.1.1:1031 ➝ 207.46.150.10:53
Flows: UDP 192.168.1.1:1031 ➝ 210.101.84.11:53

Strings:
040904b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2003
FileDescription
FileVersion
freegate
freegate Application
freegate.EXE
freegate MFC Application
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
GetProcAddress
kernel32.dll
LoadLibraryA
PECompact2
!This program cannot be run in DOS mode.
VirtualAlloc
VirtualFree