Analysis Date: 2015-01-27 04:39:00
MD5: 0cdc7688b62b8982558c785d1a618acd
SHA1: 69a67f25de375c7e503f5bba344b3d77d7e95cc2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a17a9151b1eb3a1d5129925846dc6679 sha1: 7a2af72b6f631740337288ade54623b0169ded17 size: 158208
Section .rsrc md5: 3c7ed2a342e9e0f2837cd0e7f02dd188 sha1: 51f416dd1d5d12ce07b59e629ad48cc18897e9a8 size: 16384
Timestamp: 2008-07-29 22:55:23
Version: LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: 46813f603bcafdf6748a09b14975e620e79453ab
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Backdoor.Win32.Clack
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: Proxy-Agent.bk
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PhysicalDrive0
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS w64.ziyoulonglive.com
Type: A
DNS w65.ziyoulonglive.com
Type: A
DNS w61.ziyoulonglive.com
Type: A
DNS w62.ziyoulonglive.com
Type: A
DNS w63.ziyoulonglive.com
Type: A
DNS 2e4d551085ad28eaac2eeec6571fb83cfc8db61f.c6025935d3d07bb7848a4455f74f5a7ebda66806.4.ziyouforever.com
Type: MX
DNS 8acf5ec9541a9f3ae3aaf8b8b212827e580fbdc6.17b5eee59c546dc961877e170f8dc4113a631163.4.ziyouforever.com
Type: MX
DNS b63ccef8c4ae74d1785a2514af30e49564fc2df7.8701050e07a4b0657ca518fc47aa687ce50f5a1e.4.ziyouforever.com
Type: MX
DNS 667fa47f2a5bdb05549d293a9d399d51b4bf4770.69f4aada2b63bc4b4eac6138cd34b33772699422.4.ziyouforever.com
Type: MX
DNS 029598ab8a0f39063907d23cb76d068ad0557ba4.c9a048d946f9474d64f8fae39d0bb87d9f52c15c.4.ziyouforever.com
Type: MX
DNS e2979baf3379ecbae7ff0c644342f18a305778a0.70d69d659801991590d70de3c246834d6b26802f.4.ziyouforever.com
Type: MX
DNS 88277b344e9132ae52c30681a3ed9a665ae7983b.0d3e43712d3d93f07078660f2ebb1d7ee9619946.4.ziyouforever.com
Type: MX
DNS c1249ef4fce75e5e057abab72d337a7813e47dfb.bf482f817a842fc6fea686115198666b809e402a.4.ziyouforever.com
Type: MX
Flows UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP 192.168.1.1:1034 ➝ 64.235.32.206:53
Flows TCP 192.168.1.1:1035 ➝ 129.66.95.3:53
Flows TCP 192.168.1.1:1036 ➝ 141.151.0.68:53
Flows TCP 192.168.1.1:1037 ➝ 211.10.204.5:53
Flows TCP 192.168.1.1:1038 ➝ 64.80.255.251:53
Flows TCP 192.168.1.1:1039 ➝ 128.30.52.200:53
Flows TCP 192.168.1.1:1040 ➝ 208.101.39.236:53
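Added example, not part of the sandbox report and not code from the program it analyses: a small Python triage script that parses lines in this report's `DNS` / `Type:` / `Flows` format and scores the two things visible in the Network Details above: query names built from long hexadecimal labels and sent as MX lookups, and port-53 fan-out from one host to many distinct peers over UDP and TCP. The embedded sample is a subset of the lines above, labelled as constructed; the thresholds (hex label of 32 or more characters, 3.5 bits/char entropy, more than two resolvers) are assumptions chosen for illustration, not values taken from the report.

```python
"""Triage of the Network Details block of a sandbox report (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's own DNS queries and flows,
# in the report's "key value" line format.
SAMPLE = """\
DNS w64.ziyoulonglive.com
Type: A
DNS 2e4d551085ad28eaac2eeec6571fb83cfc8db61f.c6025935d3d07bb7848a4455f74f5a7ebda66806.4.ziyouforever.com
Type: MX
Flows UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows TCP 192.168.1.1:1034 ➝ 64.235.32.206:53
"""

DNS_RE = re.compile(r"^DNS\s*(\S+)$")
TYPE_RE = re.compile(r"^Type:\s*(\w+)$")
FLOW_RE = re.compile(
    r"^Flows\s*(UDP|TCP)\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*(?:➝|->)\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)
HEX_LABEL_RE = re.compile(r"^[0-9a-f]+$")


def parse_report(text):
    """Return (queries, flows): queries as (name, rtype), flows as (proto, dst, dport)."""
    queries, flows = [], []
    pending = None  # DNS name waiting for its "Type:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            pending = m.group(1).lower().rstrip(".")
            continue
        m = TYPE_RE.match(line)
        if m and pending is not None:
            queries.append((pending, m.group(1).upper()))
            pending = None
            continue
        m = FLOW_RE.match(line)
        if m:
            proto, _src, _sport, dst, dport = m.groups()
            flows.append((proto, dst, int(dport)))
    return queries, flows


def shannon_entropy(s):
    """Bits per character; 40-char hex labels sit near 3.5-4.0, dictionary words near 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_findings(queries, hex_min=32, long_min=20, entropy_min=3.5):
    """Flag names whose labels look machine-generated, and MX lookups from an endpoint.

    Thresholds are illustrative assumptions, not values taken from the report."""
    findings = []
    for name, rtype in queries:
        odd = [
            l for l in name.split(".")
            if (HEX_LABEL_RE.match(l) and len(l) >= hex_min)
            or (len(l) >= long_min and shannon_entropy(l) >= entropy_min)
        ]
        reasons = []
        if odd:
            # Two 40-hex labels carry 40 bytes of payload per query: a tunnel signature.
            payload = sum(len(l) // 2 for l in odd if HEX_LABEL_RE.match(l))
            reasons.append(f"{len(odd)} hex/high-entropy label(s), ~{payload} encoded bytes")
        if rtype == "MX":
            reasons.append("MX lookup from a workstation (not a mail server)")
        if reasons:
            findings.append({"name": name, "type": rtype, "reasons": reasons})
    return findings


def flow_findings(flows, max_resolvers=2):
    """Port-53 fan-out: a client normally talks to one or two configured resolvers."""
    dsts_by_proto = defaultdict(set)
    for proto, dst, dport in flows:
        if dport == 53:
            dsts_by_proto[proto].add(dst)
    findings = []
    for proto in sorted(dsts_by_proto):
        n = len(dsts_by_proto[proto])
        if n > max_resolvers:
            findings.append(f"{proto}/53 to {n} distinct hosts (expected <= {max_resolvers})")
    if "TCP" in dsts_by_proto:
        findings.append(f"TCP/53 to {len(dsts_by_proto['TCP'])} host(s): clients rarely "
                        "speak DNS over TCP, inspect the payload")
    # Many peers inside one /8 points at a hosting range, not at resolver diversity.
    first_octets = Counter(d.split(".")[0] for s in dsts_by_proto.values() for d in s)
    if first_octets:
        octet, count = first_octets.most_common(1)[0]
        if count > max_resolvers:
            findings.append(f"{count} port-53 peers share {octet}.0.0.0/8")
    return findings


def triage(text):
    """Run both checks over report text and return the findings together."""
    queries, flows = parse_report(text)
    return {"dns": dns_findings(queries), "flows": flow_findings(flows)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against the full Network Details block, the same checks report eight MX queries each carrying two 40-character hex labels, 61 distinct UDP/53 peers (most in 38.0.0.0/8) and seven TCP/53 peers; the single-byte `02` payloads in the Raw Pcap section are what the TCP/53 note asks the analyst to look at. The heuristics are deliberately generic: they describe how a covert channel over port 53 looks, not this binary specifically, so expect hits on other tunnelling tools and tune `max_resolvers` to the resolvers actually configured on the monitored network.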

Raw Pcap
0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .


Strings
.
.
.
j
`#7
8c7
.
\r.
.
\.
..
..
..
.
.
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
&~@"-|
0BOY($
0D27R6:
0{o`1?
0.P)br
~188881~
' ;2?\~G@ci
2Jq.i+
2\<(-MUUVVVV
.{2QR28=
360v@b
]3G=/Fl:F
3hoy?)
3RE2m|ZplL
3VMtFPr
44JCcEA
4@6fBL
47!V3B6G
}4DBC4
_4utgW.
5Bkj@hQ
5G;l )
5$h>L_H
	5p#bp2
 ]5v|Q.BiH
_6aEyg
6CloseHandle
`6d	f1d
	6Fse`c
6o0,o8
6QA|R	
6u`RI@
7!2r6X
{747Nj
@7a0z\
'7NW{~
+7ZoSg
'87F=O
~8880000/01
8%h	T"
8o%;VlG
8sz{e|"Uf'E
8v];al
8Z3LjBV
}[9dNW
9n!1/FPh
aBJuTy
'ADq&D
|A@f_4
A%luu 
:.+<aPT
"aRetxQb
As&Ma0
?$->aY
B9#PbC
b#~ay1
?b`I?c
<bkVPU
;!`bn*
+	bw*-
!,&#C	
C	2#B#1#3#
CiCc>:v
cj|EIHv
c(jewK1
cKYX#@
cn_DTqF)
cT}FAE
.cXQ	4
%czo+)
d`**8[
# {DBS
D~Dl<d
D I,djMW
D]+Ptn
e}1 EU*5E
>E>6Eq
\e82eF
Ea*NV&V
]e|'!aQ
!e_Bl	
|~EeJX
ef2e2e
eL3e3eh3
&Ep`VF[r
E#pzDcex{h
'eR*`*
eTU X]%Z
eUXCUX$	x
eV:del
F3E*9Nc
}f^@8n\ E
	+Fbt]#F
_fD	>5 
]%fedg
$F(->FH
f~He>\
\f{~^kf
FoS'@u
fpjJ{[
`fRHot
Fr=Nuxb
/fvE"Eq
|F(wS}
g0h,?Uf
g5}=>3
G''+9T
GbU8`V-$
G<c&G*W
	G\eI0
GetProcAddress
g.?I]A
&Gj2:1H
$<GJs!
GTMG<6
Gx;a4Q
H0d]A$0 
h$0h1L
ha'RPA
hdWTZis
h IMuZ
hLr!-|
H.LWT$
%HPJ6(
h/-Wd=
HWUy_D
 H/zf}
i9MWtu
I'E]K+v
IKPu/u
IlLMjN	
I [o7&
i@@@,-P
"Ip57$
i@;ZYd
J0#@/1
*J0~h+
j3{R\[
j5NZFh
j7U*N[
J:aRg,
\JBg"!
`j dbD
J~##*i
@JIBMe
:jmNrQU
j%QT1>x
jsFuAtR:
[jX['uV
k0FQg]
K4PE52
k5tg(u8
KC<03*
K-DC@"
kE4gBB
kernel32
kernel32.dll
kp^y1H
lCZH b+B
lgb^-}
L/^M/j>:nz
LoadLibraryA
LQ@7jecn
lrt2vr
 LYFod
M	5%bN
MB=?;)
m]E!e	U>0
,%M)Gpl
MLKDc: 
mLLo#hD
mQ>[Z>[
msvbvm
MyYtDr
N34;2#
:n5}>.
N9-Ae`
.N:b5Y
nOJ-,M
~:Ns%`
**NSiUn
Nw Pq_
NY0.@"
Nya)hE
N@/YEC
NYu{;r
o:i!n:	
Op-wzf
osoSCm'{~=
=	P5L_
\p8V:J
PaU8,[L
PEC2=O
PEiAcy
(PHP0:
P\/%J4
+<+@pjO
P,n%	"
~$Poa 
P-@U@VAVX
py,]lh
_QBv@1
qcZe{E
QE#e`RbI
qEj'R}
QF+`HuV+
QNRUvi
-Q)Q>2
qUUfE*
QX]kfmgzC
QzREtAt[
=r|,1jI
 r8mo{!$PN
rJ6J*B
ry8vfx
S&5SQ4
S+A5u&
[>SB.a
SD&-2Q
s^EQVp
S'|'jOp'N
s^.j~Z.E
S;-+P5**
S+q4hX
s/w))x
sZ%\dJXI
T">/'^
T1% py
t,a2/L
tBk_Q~
tgerJM
TGFlY1
> t>Gp
!This program cannot be run in DOS mode.
% t|OK
tPrAddress
T^Ra^(
ty0X~Y1
(u`1`1
+#	U5v
u9iHFq
>u',AJ
uBQQT9
UccZP6$/
ucg=Q[
([u%f5
[uj@W(
)uLB)l9>
ULPE(]
umxxmu
UON~W,
UQ7BGF
*us`ID}
USQWVR
UVVVWX
V4C*PYU
vHls;@#&
VirtualAlloc
VirtualFree
vjBI\B
(VLVE~
Vti{	U
@w3b/%
w`BBxK
Wd4qB0
wMo-i$
!wqA(lH90
WR``+K} 
#X}ge8
X.GTL:
X	\JD%
XlRGh_
<XoHPq
XU|`T@8
Y0V*)=
;Y{FS~
yGeV8v_k
'yi:0k
Y	oQvA
yq*&%9i
yvN kO g
Z -@fR
Z&j#S	_=
zKT]j.
Z RTPQDP
Zsj~J-
ztkj@#;(
$zUT+i
Z^_Y[]