Analysis Date: 2014-12-19 14:34:36
MD5: d4c8415221ad8dc465f8b6dbec4716be
SHA1: 5f138001ebef9be230480cb3736c29f70365991b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d6ea154fe3f7ecdaff5e4c8cf587f93a sha1: b60d456631ae1ded7acbf1f66ba234f0c78a222e size: 158208
Section .rsrc: md5: accca93d1bf051eb433d3c50d44064b6 sha1: 02caa681068e06c33d659f2d726215201c7d88a8 size: 16896
Timestamp: 2008-07-29 22:55:23
Version:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 8305490adbd7a8b922178c0767b529a0eecb4242
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Proxy.BIGK-0001
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Clack.r2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Backdoor.Win32.Clack
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: Proxy-Agent.bk
AV Microsoft Security Essentials: Trojan:Win32/Malagent!gmb
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)
DNS: 0e85ac0c2d0ee1a0806ffa732229c8062d913ba1.045498369a8c5699004d5ef4dc0ea060d1b9e44e.4.ziyouforever.com (Type: MX)
DNS: 6c15fcc431536c50325dbd26e6e8fb314f016b69.180915c628be11ccc48c6dc3711c7a27cbb90306.4.ziyouforever.com (Type: MX)
DNS: 75df0d85a0862cd1bb2292cef708ee4a56cb9a28.89dc5547a1c13e24d56c78b82171080d9dbd626b.4.ziyouforever.com (Type: MX)
DNS: 89c79a2bae2dc9fb88c1d78c4229961faad30d86.8777b06d92227b66604d00ed4726d4101d013252.4.ziyouforever.com (Type: MX)
DNS: 31d5f7be4c5c2a172bf5842bf94cf92d12c16013.65065381311628c1db286fdfd7b2b57459d75102.4.ziyouforever.com (Type: MX)
DNS: 68ad2e1fdd03c3d6f00d40ea546ea42b4bb9b9b2.f459ba40eaeeec00760a32d9f9617975ef619717.4.ziyouforever.com (Type: MX)
DNS: 5e6bf2c4cdeca0b5c212d961bbb8f49b7d7f6569.e4b6d923d8f1758b99dc62699a538c587acac978.4.ziyouforever.com (Type: MX)
DNS: 9c62142f825264ed1cf2c05fc9f63af7bf768382.ab081d7b06116cb5eb92ac05a171bc02c794b43c.4.ziyouforever.com (Type: MX)
Flows: UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows: UDP 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows: UDP 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows: UDP 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows: UDP 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows: UDP 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows: UDP 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows: UDP 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows: UDP 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows: UDP 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows: UDP 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows: UDP 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows: UDP 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows: UDP 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows: UDP 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows: UDP 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows: UDP 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows: UDP 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows: UDP 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows: UDP 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows: UDP 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows: UDP 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows: UDP 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows: UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows: UDP 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows: UDP 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows: UDP 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows: UDP 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows: UDP 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows: UDP 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows: UDP 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows: UDP 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows: UDP 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows: UDP 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows: UDP 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows: UDP 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows: UDP 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows: UDP 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows: UDP 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows: UDP 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows: UDP 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows: UDP 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows: UDP 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows: UDP 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows: UDP 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows: UDP 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows: UDP 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows: UDP 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows: UDP 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows: UDP 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows: UDP 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows: UDP 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows: UDP 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows: UDP 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows: UDP 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows: UDP 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows: UDP 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows: UDP 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows: TCP 192.168.1.1:1034 ➝ 64.235.32.206:53
Flows: TCP 192.168.1.1:1035 ➝ 129.66.95.3:53
Flows: TCP 192.168.1.1:1036 ➝ 141.151.0.68:53
Flows: TCP 192.168.1.1:1037 ➝ 211.10.204.5:53
Flows: TCP 192.168.1.1:1038 ➝ 64.80.255.251:53
Flows: TCP 192.168.1.1:1039 ➝ 128.30.52.200:53
Flows: TCP 192.168.1.1:1040 ➝ 208.101.39.236:53

Raw Pcap
0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .


Strings
.
.
.
j
`#7
8c7
.
\r.
.
\.
..
..
..
...
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
&~@"-|
0BOY($
0D27R6:
0{o`1?
0.P)br
~188881~
' ;2?\~G@ci
2Jq.i+
2\<(-MUUVVVV
.{2QR28=
360v@b
]3G=/Fl:F
3hoy?)
3RE2m|ZplL
3VMtFPr
44JCcEA
4@6fBL
47!V3B6G
}4DBC4
_4utgW.
5G;l )
5$h>L_H
	5p#bp2
 ]5v|Q.BiH
_6aEyg
`6d	f1d
	6Fse`c
6o0,o8
6QA|R	
6u`RI@
7!2r6X
{747Nj
@7a0z\
'7NW{~
+7ZoSg
'87F=O
~8880000/01
8%h	T"
8o%;VlG
8sz{e|"Uf'E
8v];al
8Z3LjBV
}[9dNW
9n!1/FPh
aBJuTy
'ADq&D
|A@f_4
AGProtR
A%luu 
Applica
:.+<aPT
"aRetxQb
As&Ma0
?$->aY
B9#PbC
b#~ay1
?b`I?c
<bkVPU
;!`bn*
+	bw*-
!,&#C	
C	2#B#1#3#
CiCc>:v
cj|EIHv
c(jewK1
cKYX#@
CloseHandle
cn_DTqF)
corrupt.
cT}FAE
.cXQ	4
%czo+)
d`**8[
# {DBS
D~Dl<d
D I,djMW
D]+Ptn
e}1 EU*5E
>E>6Eq
\e82eF
Ea*NV&V
]e|'!aQ
!e_Bl	
ed in the DLL %s4ordinal %U
|~EeJX
ef2e2e
eL3e3eh3
&Ep`VF[r
E#pzDcex{h
'eR*`*
etModul
eTU X]%Z
eUXCUX$	x
eV:del
F3E*9Nc
}f^@8n\ E
	+Fbt]#F
_fD	>5 
]%fedg
$F(->FH
f~He>\
\f{~^kf
FoS'@u
fpjJ{[
`fRHot
Fr=Nuxb
/fvE"Eq
|F(wS}
g0h,?Uf
g5}=>3
G''+9T
GbU8`V-$
G<c&G*W
	G\eI0
GetProcAddress
g.?I]A
&Gj2:1H
$<GJs!
GTMG<6
Gx;a4Q
H0d]A$0 
h$0h1L
ha'RPA
hdWTZis
h IMuZ
hLr!-|
H.LWT$
%HPJ6(
h/-Wd=
HWUy_D
 H/zf}
i9MWtu
I'E]K+v
IKPu/u
IlLMjN	
I [o7&
i@@@,-P
"Ip57$
IsDebuggerPresent
i@;ZYd
J0#@/1
*J0~h+
j3{R\[
j5NZFh
j7U*N[
J:aRg,
\JBg"!
`j dbD
J~##*i
@JIBMe
:jmNrQU
j%QT1>x
jsFuAtR:
[jX['uV
k0FQg]
K4PE52
k5tg(u8
KC<03*
K-DC@"
kE4gBB
kernel32
kernel32.dll
kp^y1H
lCZH b+B
lgb^-}
L/^M/j>:nz
LoadLibraryA
LQ@7jecn
lrt2vr
 LYFod
M	5%bN
MB=?;)
m]E!e	U>0
MessageBoxA
,%M)Gpl
MLKDc: 
mLLo#hD
mQ>[Z>[
msvbvmU
MyYtDr
N34;2#
:n5}>.
N9-Ae`
.N:b5Y
nOJ-,M
~:Ns%`
**NSiUn
Nw Pq_
NY0.@"
Nya)hE
N@/YEC
NYu{;r
o:i!n:	
Op-wzf
osoSCm'{~=
=	P5L_
\p8V:J
PaU8,[L
PEC2=O
PECompact2
PEiAcy
(PHP0:
P\/%J4
+<+@pjO
P,n%	"
~$Poa 
 procedure %s could not be locat
P-@U@VAVX
py,]lh
_QBv@1
qcZe{E
QE#e`RbI
qEj'R}
QF+`HuV+
QNRUvi
-Q)Q>2
qUUfE*
QX]kfmgzC
QzREtAt[
=r|,1jI
 r8mo{!$PN
rJ6J*B
ry8vfx
S&5SQ4
S+A5u&
[>SB.a
SD&-2Q
s^EQVp
S'|'jOp'N
s^.j~Z.E
S;-+P5**
S+q4hX
s/w))x
sZ%\dJXI
T">/'^
T1% py
t,a2/L
tBk_Q~
tgerJM
TGFlY1
!This program cannot be run in DOS mode.
tion error
% t|OK
T^Ra^(
ty0X~Y1
(u`1`1
+#	U5v
u9iHFq
>u',AJ
uBQQT9
ucg=Q[
([u%f5
[uj@W(
)uLB)l9>
ULPE(]
umxxmu
UON~W,
"$%,uP
UQ7BGF
user32
*us`ID}
USQWVR
UVVVWX
V4C*PYU
vHls;@#&
Virtual
VirtualAlloc
VirtualFree
vjBI\B
(VLVE~
Vti{	U
@w3b/%
w`BBxK
Wd4qB0
wMo-i$
!wqA(lH90
WR``+K} 
wsprintfA
#X}ge8
X.GTL:
X	\JD%
XlRGh_
<XoHPq
XU|`T@8
Y0V*)=
;Y{FS~
yGeV8v_k
'yi:0k
Y	oQvA
yq*&%9i
yvN kO g
Z -@fR
Z&j#S	_=
zKT]j.
Z RTPQDP
Zsj~J-
ztkj@#;(
$zUT+i
Z^_Y[]