Analysis Date: 2015-01-27 09:44:47
MD5: 430af8ec39c561f9633185ea868c5117
SHA1: 7aa2a6fd64af3052f37cf01571373545ad25370d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 4b5492ada67126e852bdb533b657f6f8  sha1: a04527109875801110b1ab2d0a1f07a1ea5644fa  size: 115712
Section .rsrc  md5: a08af31a4bbae6a33a36d836b9f254de  sha1: 31345ef54f2f3fc37793e441d2751acca9d4f8ea  size: 16896
Timestamp: 2008-01-31 02:47:00
Version info:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: dac12c22169185ef347c09cbb5ee5afa7265cbf4
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12543482
AV Alwil (avast): Proxy-AB [Trj]
AV Arcabit (arcavir): Trojan.Generic.12543482
AV Authentium: W32/Risk.KFBB-8983
AV Avira (antivir): TR/Rogue.133632.22
AV BullGuard: Trojan.Generic.12543482
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3290
AV Emsisoft: Trojan.Generic.12543482
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): W32/MalwareS.JHT
AV F-Secure: Trojan.Generic.12543482
AV Grisoft (avg): no_virus
AV Ikarus: Generic.Mitglied
AV K7: Backdoor ( 04c4de821 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.12543482
AV Rising: Trojan.Spy.Win32.Undef.ade
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 37888
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)

Strings
040904b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2003
FileDescription
FileVersion
freegate
freegate Application
freegate.EXE
freegate MFC Application
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO