Analysis Date: 2014-11-20 09:56:27
MD5: c98b30929fabb1c11558e75ba9294847
SHA1: 4c72d586517e5b9fe1c85d301b759632cf826411

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4ffee33c6a4d7b31ad6fa082f33190f9 sha1: 25d6ba17c0e6162b3653678c2b0a1fd8a081241b size: 139776
Section .rsrc: md5: 3efa51621694bf5aadea9b71b21773ea sha1: 6b9ff9dde8534b36b730e70c2926560dcd4c6260 size: 16384
Timestamp: 2008-07-29 22:55:23
Version info:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: a35f3a930ed51b5535f6ea38a7dd4f01bc9f8ce8
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: Trojan.GenericKD.1943380
AV Ad-Aware: Trojan.GenericKD.1943380
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.XPAH-0257
AV Avira (antivir): BDS/Rogue.157184
AV BullGuard: Trojan.GenericKD.1943380
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Clack.r2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: Trojan.GenericKD.1943380
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1943380
AV Grisoft (avg): BackDoor.Generic_c.ACHI
AV Ikarus: Backdoor.Win32.Clack
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: Generic.dx
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1943380
AV Norman: Trojan.GenericKD.1943380
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w64.ziyoulonglive.com Type: A
DNS: w65.ziyoulonglive.com Type: A
DNS: w61.ziyoulonglive.com Type: A
DNS: w62.ziyoulonglive.com Type: A
DNS: w63.ziyoulonglive.com Type: A
DNS: 00a3dc576c6b591f68fd8b38815b44d3cf1f14ec.7ddbf7cfc679e5064fd3eaf5e37aa116c02a9071.4.ziyouforever.com Type: MX
DNS: 904c5ae95f194f19a71683d5d544ba5c5ff09252.4ea9e1c90992edeb1bcc147a6fd1d02f9a329c0f.4.ziyouforever.com Type: MX
DNS: a3e2dd98806c6aa0748c9c0e779131fd6c5e1523.91dcc470da08f230b9199fdb3459e96c85788809.4.ziyouforever.com Type: MX
DNS: 5a7c95a304bc7eb52b3cb8f9a3a7ed7595c05d18.150cd06585b8d6c76d2f4353fc0cbc453216b007.4.ziyouforever.com Type: MX
DNS: 9785b49d3940694d9d588e6b021c919c58397c26.28f0c79d33dce055cc943fbaa7b4c1412c00b151.4.ziyouforever.com Type: MX
DNS: 8bba6344c2341fe66893838eb742b2204406abff.d384b136c617edb079ca1c066d35b50ddc2f8f24.4.ziyouforever.com Type: MX
DNS: b4082751d2b0362f6812cb03cbdf7a987bb4efea.c30098ffc696a53d0557d4be1177f3603256be45.4.ziyouforever.com Type: MX
DNS: 3d58a14207f0a51a094bb5037a3752fbf2e469f9.16400bcaa7cfdb3db4bffcdd1bb0a9784558df2b.4.ziyouforever.com Type: MX
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP: 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP: 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP: 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP: 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP: 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP: 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP: 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP: 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP: 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP: 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP: 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP: 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP: 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP: 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP: 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP: 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP: 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP: 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP: 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP: 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP: 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP: 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP: 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP: 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP: 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP: 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP: 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP: 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP: 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP: 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP: 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP: 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP: 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP: 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP: 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP: 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP: 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP: 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP: 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP: 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP: 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP: 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP: 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP: 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP: 192.168.1.1:1033 ➝ 143.166.82.252:53

Strings
.
..
*..%V....`
.
,.
.
.
.
.<h.....
.
.
S>
z~
K.
..
..
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)_@~")
)@@*(,(
*=&}$!0`<
0:3<UP S(K,%
0"5D:?
07)Inp
0aIcm.
0@bXQ[
0dH2GT
"0dJ]@
("0D:J
0!FQWo
0hjiza
0!j@K-
0N~sVs
^0rn "
0RR$}Q
&0s8dl
0sXEnGuI
^0tF$;
@0_U&:A!P
\0UDk,
0(UTF*-8U
~188881~
1-_In}j!~
1sh G3
2/1lL(
!2_3r`
24L$T]
2Fn@8V
2HI~JN
@^2I]	[
2lwix`|{
2\<(-MUUVVVV
2	ofjYuD
 2 (+q
2<(]R0
2R3hk^
,2u9Fhx
2}V&AW
2zp+b@w'
3=/8r}6721
38X.&?{
39dap*
3D)/h-
3)|fzP
3gkIf%
%3JCXT
3lpAn3EH9mg
3p2<Au
3UNDaf
4@*`8,"RVg
	`*4,e
4,e2@ZQZ
4)h@(A
4>|O:8
4ue8-V
4@(VRSMW!*D
4w)0VL
4x<^*`
4yw{:.Xz
&/<'50$nE|Rj
56789abc
)5c]J?y@9
'5CWfR
=5K[Y2
@<5_)uv
61B2/=ST
64Ix}1:
$6 BF8/Z
	6"JD^r
&6J-<W
;6NMB(
6u|xP.
6ZE8] 
721j^^
 7d!@;
7lJQC|o
<7:t nGW
7VaPMulaAz
7-X	qT
\8	"1Br
8;2 9O
~8880000/01
8:{`bD#
,!8dxo#`
&8<$IX
8r1"s*
	;8`V\=
8z"HCDK
/91.k431?|*
9$5	f,~
9O|-JD6
9p"9C'
.9ph8?/
9UQ@Cu
A6\/:lA
a8zb_D
ABCDEFGH
ACProtect
AdHA`W
ahGETE
AL;IRF
al<KXZ
AN@;S+
Application e
aQhDh'
AR_1J]y
A>z>"A
!Azb8%
B *2:dJ
^(ba0)
)baL8q{x
&B)d<	6H0
BdQx+\Q
be located in the DL^
BExplv
<  bfN
bG b)u[
bIckQg
b^[j>B
Bk)TrDf
BO}iBt
BRJL2"
buRgjK
bv@r<8
b:(V_y ?
BXmdZ=4
||C*@ '
%\C6@'
C<#@d(7
#CDWdd
cD]YcP!0y
cF,gW<	Zeyo
C"/ic"
c IK8J
cIoI d
CloseHandle
corrupt.
CRC32 Erro
/C=;w(
@--|/d
D0V'hY
!d 10P)k
d>3@m"9
d4E8h#[_
[D8:))
\]!d<]"F
-df?%I
d`gx\Fp+8
)`dh]#
d@HoFp
diu)6>-
djy6)MHlBmh
++D"kDEt
D L!PQr
(":DN`
%D:n:[dp
*dNxf1
<!DOCTYP
"(dPLK
dQ$ E=
DrC'DL
@d`rh9p
D-RNPA.
d%RysI
dtwipq0
dv1M1O
@dv'-;Y
dw:~!c
:d-@x|
=dYeDc
d$+?YHy
)$}E0>o!
E`21e,e
<_e2Mb
E@5PH&=
>E>6Eq
e6h.z_E
'E8Rt\
 e[	\{(.b
EB?,49X
e`(bMKT
e-^C\#`Q`]%6-!,
E~H98_
 EMPF;
en<>1lcCM$
e`rL2gat
.ER|wH
E-TIB(fDQ
e/%x-C!
;EzHriS
(F !($
+f=`5~	
F6# D6w
%(f#B5J
fcAeb	a{("\DWR
$"fdE(
^"fDpz
[?FF,@
 F	<(F<3F<AF<OF<]F<kF<yF<
 F-<+F"6
F<+F<9F<GL
fFghij
F<,F<:V
fItkOx*
 F	iXar
FounB&bip
:Fq*_r
=,=fR(-iB
Fr`iga
FRJnb/fDZ
fRy7Fi
</f&T_
ft, Qg
G0,^`R~
G''+9T
geBoxA
GetModul
GetProcAddress
G(}gUhrt
gh b/-
+giYLE
G|J(	V(x
@go(P6o
GOq KpU
GS<[H0
GW<bZ9
Gx0q6S
h>2@eY
h3qU!=
H4|WD*
HaEr*#
 HC, xG|
h-CyQL<A
: HDSN=z
hdWTZis
hecksum on image did no
*#HE^jx
(/HeTxlH5
<HF<VF<dF)r
hgY6	.
Hh:LHd
hIa	Qy
"HIPHt
 =HJ NKtg
HJu37gK1
H ~NE3v
houKan
}:h<*p
H<QI|L
HR%!PA6
HSr%gJ
H+!t7?
HTzsS,
( H-(u
HY0ql;
hysPal
'\HZ~~
I1=l5df
I8G?Q 
Ia\vx*/
IbL'pA71WJv
i)fy(	US
iH$s.fl
iHsr-t|
)II|_vB
IJKLMNOP	QXYZ
ilEDf4O
ink_PM
iOH`"1
i@@@,-P
ISD<O 
I'xpG +
I%zD>	P
i@;ZYd
J$2ny2Ed
jb&	'_
j@!D4xvj
	jd"ExF
Jm4!$A
^Jnpey
?j:`oi
%jPVEF
jQ2GT_
j`Q_L 
J+rU	_
:Js.<!
'JSB`_
JWO}WPt
jX3pu$cQ
K)0DC'
k3dieL)8c
KA5, !
kb`6m M
KbPUR8_
#kD&H"P+
kernel32
kernel32.dll
K!h$^{m
kI`-nT
KLS1E>!)
KmLu,8
knBOB"
kpFr1r
ks.abpx?F 
K[_vBd#H>D0
K-vI^M
kWh0TB
L2!F	@$:H4
%l8G8B828381v
\Lc!*S
le(mJ2s k[^z2<]
" $,Lf	@@
l>+H8k
L<h:(Lg}
L({'@kxBd
LL?4v4
LLXJID
Lo(3:A
LoadLibraryA
LoOPgSV
L %s4ordinal %d
l+!yYx
m1iWiA_
(M8<bPz
MaRMx[ey;H<N
~mde&J@
 media;3.
}meg^C
m\lK8H
MLKDc: 
M)SN -
msvbvm
MSVCR&
`{("my|tt}
'N\1/S
N34;2#
n9r:[,8)"-C
N?bM0q+
n<B^O\
/:NF>\
ngTOb\j!
\NHIPIO9
nicmpp
NI.^]IK%
NrT&^>3.r
\nxyZxn(
!N^ZA"
OC]A`b}A
.~~{OH
,O);I'!
/O&N3ZX
'oR_1"
orVPU9
OT2#X&P$
otaS>8D
oW4:)y
OW6a"E
oW^\aqxd(
P~2( h)
p2Io	nO@
& P4#!
P_4,-&
^p5p6E7D
p-9fOIVI6
P"DD.$
PEC2=O
PECompact2
Pg8HW(
PGd'RL
PHPa)z
pMP,f9
#pn0@C
poFJ\'7
pOFQV&RW0{
$pqpZ@
P<R@<!X
P\'[$S
P`'U22
P_UNLOA
P-@U@VAVX
?	P@UxfK
PUYri4P
PV_d*b%sy^
p'^V"g
pxSf|J
pzD@ND
Q449d.
 |Qahfo=
q BI3]
Q~|irK
q:K]iTSB
?qKRtb
q>l.G_"
qN8oc=
QR4J)Q
QRkH{&/
Q{`R{r:d
qt3H)p
QX]kfmgzC
QxvuMNR
*r2,)pN
R30KD:!
R)5e$9	
;+rDdC']
r!eIE[iF
R]I|0+
R"IQ}\
RM[,D?
RP6nQ81l62
|rqH8e
r\rVV/_&
.R|Te/w
 rTp"r
R;VP{,_
r-	W pZ
S0-Wq2
{S2:$V;k*d>W
SAEiEv
**s_,B-
SeJnp9e
sE!U:d
sg Ec$
>s*HX5
SIJH[z}
sjA&nx
S&l	lc
S!NL	B7
S;-+P5**
)SP#"QR
S=P-S3HPmx
SrC9IDvpK
STUVWXYZK_
SVBwY\3
.sVm0E@
S{Zj(u
SZZ4Zb
_T4B\M
t7_)SF
t"9S6f
`#TaH;
t'&+cld
T#Dl9\
	TF #$
T]	fgs
The procedure %s cou
!This program cannot be run in DOS mode.
th'pI7
ti XOd.U
t"jD`L
TKUVd#
(tl1EPBxyF/
t match.
To(3_AQeQ
@tPE&MFd
<T)|Qe
tTfdgLh
tX6h0R
tYV~NA
>u"1:F
 u|91_
U99+_@
U)AD7&v$u
	ud94p
U@Dh$0;Z
(=uDRG
uK@]tOshD
u&L^I$
%@um[%
^uM3!]-|
umxxmu
%uQ [0M
<uS$-Ds
user32.dll
USQWVR
+`uT9uw
%~UUjE\
UVVVWX
uvwx8yz./
uwVj^ 
Uy]%]E\
V4^[WY
v9hXRw
/vA'Qva
vbeR6}7N4B
Virtual
VirtualAlloc
VirtualFree
|ViVvF|
'VJ*<;]}
vjBI\B
vjcYMb.DA
vlheHw
(v*NQY
VPBQR6
 VPS1o
/vtDYv
V Wj?tf
VWKlVd%
VxBr7(
	,V{Yszm
w42"e#
w,DDH!
WD-t4^
"wD|uM
wFh*us
@Wh`6k@
\w?II^
wIy3H{
wsprintfA*Z
=wT!6@
w)tWyR
WV<-$t
W^w[ip
~WXG*(-
`(wY)L,0
w*yN{-}U
x1W7IN
*x3Ff5
xb_`0V
^"XfPqR
X-Pow~
?,(x<PP
x$|rQe
%xx@LeI
xY ~r4
Xz'M^V
Y4bg7R
y9c_Y]= +]
{*YAt:
>Y-&|DD
Yf?bVw
y.m0j-
"yM0P%5{
YOh	KQ
ypK({F
.yQ=rRb6
Y^rSG#
YRUAzhdJ'L
@ySJf*
~z8Q)u
Z?bd1u
zI{"X 
Zn&o8-U	j
ZW,]ttt
^Z+<Xf
Z^_Y[]