Analysis | #totalhash

Analysis Date	2014-11-01 22:02:19
MD5	649c42f1e0a5df7ac81ffd7d9e1668e9
SHA1	4eba823ab5bfa28375111c92525332f44ade0fcd

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: a4da48276ce10e6efd61c719065af7a2 sha1: 4481e688137fd5439d4d08649a1a48dbcd2c7d8e size: 121344
Section	.rsrc md5: c9a49466771fd00b4d7355658578b3ce sha1: a2d884e39370197b5b29ba20fd34e2b6c1889414 size: 17920
Timestamp	2008-07-29 22:55:23
Version	LegalCopyright: Copyright (C) 2003-2008 InternalName: Freegate FileVersion: 0, 0, 0, 0 CompanyName: PrivateBuild: LegalTrademarks: Comments: ProductName: Freegate Application SpecialBuild: ProductVersion: 0, 0, 0, 0 FileDescription: Freegate Application OriginalFilename: freegate.EXE
Packer	PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash	d7b3cd6ac5c5c0858dcc859cf8407937f457dcaa
IMPhash	09d0478591d4f788cb3e5ea416c25237
AV	360 Safe	Trojan.Generic.12007650
AV	Ad-Aware	Trojan.Generic.12007650
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Arcabit (arcavir)	no_virus
AV	Authentium	no_virus
AV	Avira (antivir)	no_virus
AV	BullGuard	Trojan.Generic.12007650
AV	CA (E-Trust Ino)	no_virus
AV	CAT (quickheal)	no_virus
AV	ClamAV	no_virus
AV	Dr. Web	Trojan.Proxy.3764
AV	Emsisoft	Trojan.Generic.12007650
AV	Eset (nod32)	no_virus
AV	Fortinet	W32/Clack.K!tr.bdr
AV	Frisk (f-prot)	no_virus
AV	F-Secure	Trojan.Generic.12007650
AV	Grisoft (avg)	no_virus
AV	Ikarus	Backdoor.Win32.Clack
AV	K7	Riskware ( 0040eff71 )
AV	Kaspersky	Backdoor.Win32.Clack.k
AV	MalwareBytes	Trojan.Agent
AV	Mcafee	Generic.dx
AV	Microsoft Security Essentials	no_virus
AV	MicroWorld (escan)	Trojan.Generic.12007650
AV	Norman	Trojan.Generic.12007650
AV	Rising	no_virus
AV	Sophos	no_virus
AV	Symantec	Trojan.Gen
AV	Trend Micro	no_virus
AV	VirusBlokAda (vba32)	Trojan.Proxy

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PhysicalDrive0
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS	w61.ziyoulonglive.com Type: A
DNS	w62.ziyoulonglive.com Type: A
DNS	w63.ziyoulonglive.com Type: A
DNS	w64.ziyoulonglive.com Type: A
DNS	w65.ziyoulonglive.com Type: A
DNS	86fba3d494df8972d8e01c1bc5bac65fab7a34b6.9773477f6a285bd5e9d07a8916989812add82708.4.ziyouforever.com Type: MX
DNS	b77f7102e2ad9973581388c73ba089ea9afee660.e101577eeadbcf0917ca353c19198a6e799d2d11.4.ziyouforever.com Type: MX
DNS	684fa9865dba0d7bf57acb9eb27de50e45ce3ee4.5e16c37647b28c509e1759d8175e134ce28d226c.4.ziyouforever.com Type: MX
DNS	3814b282d3c528f3ab351f21879575df159525e0.d069e6fe19fd58efabffc909302f8618514cac50.4.ziyouforever.com Type: MX
DNS	464ea51e8be3fe8ad9dbef8c7b8b648d6bcf327c.884f30876b13a84257e1d85b65676155a3080014.4.ziyouforever.com Type: MX
DNS	d8ad193efdcbdf54dfa02019e5cbaf5bf52c8e5c.fe6711596d6867d7c9a1138d7bec9c4bd75e845e.4.ziyouforever.com Type: MX
DNS	0f8ff24f12fca0e4542c40feb4c42f88220e652d.11506ee9e6e4073098ae935e0313fe27e332fb6f.4.ziyouforever.com Type: MX
DNS	5416cf44f0212aedd8c12fd678f662a079975826.f38de4e06a096818549cde76b2107a0fe01ad441.4.ziyouforever.com Type: MX
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP	192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP	192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP	192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP	192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP	192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP	192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP	192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP	192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP	192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP	192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP	192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP	192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP	192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP	192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP	192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP	192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP	192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP	192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP	192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP	192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP	192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP	192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP	192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP	192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP	192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP	192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP	192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP	192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP	192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP	192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP	192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP	192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP	192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP	192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP	192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP	192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP	192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP	192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP	192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP	192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP	192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP	192.168.1.1:1034 ➝ 64.235.32.206:53
Flows TCP	192.168.1.1:1035 ➝ 129.66.95.3:53
Flows TCP	192.168.1.1:1036 ➝ 141.151.0.68:53
Flows TCP	192.168.1.1:1037 ➝ 211.10.204.5:53
Flows TCP	192.168.1.1:1038 ➝ 64.80.255.251:53
Flows TCP	192.168.1.1:1039 ➝ 128.30.52.200:53
Flows TCP	192.168.1.1:1040 ➝ 208.101.39.236:53

Raw Pcap

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

Strings

.
.-..
.
.
5.
x...
SC
;
..[
.
.
..
...
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
0D'rdyx
0kk=!q
-0u}%r
~188881~
%+(1HI
1Pk|q-K
2D>F\yy7s
2Gje@C
2\<(-MUUVVVV
=~35\k-Lf
3CTc(y
3DfXN=
3PR_{GY1
4E@E6M
\(*4NV
56i$0i&
5Eb#g5
6DW=.>
*]#71gf
/7ju=jT
@7N[uPy
7s/uI`
~8880000/01
89]n\~
8aIydO
#8R>44
8V7}R5e
8;vLr2
8|xa1~9
9Dj#il
`%9mJ5
a5g9O;p
a{cA3{
A	f'~	
}~AG:C
a/jf1E
aKRXK#
AKXh4Pa
Application e
a-qy{q
A,^tvQx
>/AwuZ
$`b*!'
b)AW}k
be located in the D
b:f17^
|b[ ;r
bSjv?I
Bspr9a
By:B,&B
!c6E+E
^c7hOZ
c9dk}ft
C|\_e:uEvc\
C#I7oyl'4
c-iQ(Zg
;@ cO=
corrupt.
C-qx{m
CRC32 Error
c$V9Yp
&C|Vik
^!D75r
d)e&s-
~DiR?]
{;DMI@t'
D#M}VBZc
`d|n hu-
]D@TD,
DVTVU0"
\D<"W.
E:4t>QV
>E>6Eq
ebuggerPresent
eCFNJE
}E=ja%
!:Ep6e
f18=c9
f31z{n
<F5C3wsJ
f{5Dj%56
fc3~\U
F#E5^E
fl~-qdn
Foazew
/fr$}d
FUyMHsT
FW=|)7G
+|fWP"
fxVW9{
FZ7toKqn
G''+9T
GDi/>L
gDjADV
G	@EQt`
GetModul
GetProcAddress
"gG	QUs
:g<]h|
$gn%*A
GRH[`b
`!GT,wF
G$%,uP
GXg>;O
H3*v&ct
$h8jg{
hA:}Zv
hdWTZis
hecksum on image did not match.
|/;!h!p`
hy|E)v
 'hYH$
`If/3*z
>@[IHQ
iIH1+\~j
ikw?8`
i)oGb<
i@@@,-P
Ip~Q&*f
iQ`hsE
It_	{v
^(]I-u
i@;ZYd
!J&2UV
%}+J(V
j|Y)4I
-k2sh<
k3JV+4v
kernel32
kernel32.dll
KGq-xv6n 2
KP*pm:M
'kR2|/
Krs9^.
{Kve7<
L^2 $k
LL %s4ordinal %dS
'Lly	Yu
LoadLibraryA
?lP~h'O
}ly/nG
~#m{,A
maeW9F4
MB!<N(
MessageBoxA
mJ	6)G
m<je|z
MLKDc: 
>m$Nd_j
mOR_3dB
msvbvmU
^mS.:Y
M;t&kXQ
:MV	&s(
N34;2#
n;_`5b
%<nfLh)
NH xjC
Nu8$SJ
Nvm0ow
"Nw/'0
(o1U*l-i
!(O\>e
.OE5U*
oF?L	|<Q
OHk9,>]
O)!\w7
[OXo,3l
oxu#\`
>P60dw7
PEC2=O
PECompact2
p-gd:9
Protect
P-@U@VAVX
QSz:Jh"
QX]kfmgzC
*Q,XYAT
]}@~ )'r
r3b+F_
r9hP']@
rB3uc6F|I
rBLUu5
RCloseHandle
R-_D8K8
RqjDA,
r&}>sp
rw@Ig:{
R'y3=%
r>zZ|u
&S/.<.,
s'0vc,
S7}'fe
s.g{BT
sGmu0D
sJ)S7>n[U
([S_-K4
S)}@NF
S;-+P5**
(s$`W3
S$wDDc-
SZi2;5
t@1( ;
}tE9Vd]
The procedure %s co
!This program cannot be run in DOS mode.
TmVLzCD
(tOs*p
TU"|/	
?TY)3' 3
_)U]@`
u6g@YL
`uCWI-
U-E	MG
Uf(U}$
uG&l;6
uGlgEk
uhX{R2
u-iHN.
ulEGf6
>um.%;V
umxxmu
uNR8ow
U"o[~z
>uPxq&
USQWVR
uv3`jS
UVVVWX
Ux^!tZ^
[%V*2)
V$F`PW
Virtual
VirtualAlloc
VirtualFree
vjBI\B
@#VluK
"vQel=O:
({v#w$
W3R{(`$
W7'po/
#wemSg
<Wj6 BW
w'PJ5)
W#~RLC
wsprintfA?
wv/=Gz
wx(V,@
.^{xe^^
xpI3Ug
xRWs~ZD8
xUf{g.
- Y1)q
Yot #sb
*yP0xw
YrPpgI/
ZHH^^Z
`Z^)JNA
z=kA;i
{zp\sL
`Zqd}yH
ZXb^U-
zXsuDJ
Z^_Y[]
Z/y&`?(E