Analysis Date: 2015-01-25 06:31:38
MD5: 79f8bd330f806dd523ff043a0fa56cf4
SHA1: 7ed009e5df1c959fb735eb5d245a9c4bddef8fe0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1f3ac6564379b7a132a2b9149d2f7113 sha1: e776838a61e5d75750872212705e4495ed8f6426 size: 111104
Section .rsrc: md5: 4a79f93f1109ca484ab83cdfc4578e6e sha1: 599d2107226939dfe170d83e032e3d49c96125d3 size: 16384
Timestamp: 2007-11-19 01:00:20
Version:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 9c918a94de6101f243fdf786cc985a266783575e
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12543945
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Trojan.Generic.12543945
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.128512.26
AV BullGuard: Trojan.Generic.12543945
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3853
AV Emsisoft: Trojan.Generic.12543945
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12543945
AV Grisoft (avg): no_virus
AV Ikarus: Virus.Win32.Agent
AV K7: Backdoor ( 04c4de821 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.12543945
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 37888
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)

Strings
040904b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2003
FileDescription
FileVersion
freegate
freegate Application
freegate.EXE
freegate MFC Application
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
GetProcAddress
kernel32.dll
LoadLibraryA
PECompact2
!This program cannot be run in DOS mode.
VirtualAlloc
VirtualFree