Analysis Date: 2015-01-27 06:24:04
MD5: 36533d39059ffe0306667fd498d47051
SHA1: 970c36532295cfc5a3ac7200800ee29b5067514c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 d447852e92e7a92adc5b69a99b7e624b, sha1 89c8327fb1254e7256c03c323864a5bb3a93159f, size 136192
Section .rsrc: md5 c8b547273142d0629a18801877e0efb3, sha1 23859eda404000e1fb17db5ad076becb5e754089, size 17408
Timestamp: 2008-07-29 22:55:23
Version info:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: b153d3a5065bc474c06f4e0b941f781de0d6f18e
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV results (29 engines: 17 detections, 11 clean, 1 scan error):
AV 360 Safe: no_virus
AV Ad-Aware: Backdoor.Generic.941588
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Backdoor.Generic.941588
AV Authentium: W32/Backdoor.XVST-6914
AV Avira (antivir): BDS/Rogue.154624.1
AV BullGuard: Backdoor.Generic.941588
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: Backdoor.Generic.941588
AV Eset (nod32): no_virus
AV Fortinet: PossibleThreat.vw
AV Frisk (f-prot): no_virus
AV F-Secure: Backdoor.Generic.941588
AV Grisoft (avg): BackDoor.Generic_c.ADUQ
AV Ikarus: Backdoor.Win32.Clack
AV K7: Backdoor ( 04c4c5c21 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic BackDoor!bbl
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): Backdoor.Generic.941588
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy
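The static block above is what a PE header walk yields: the COFF timestamp, per-section md5/sha1/size, and the PECompact verdict. That verdict is corroborated further down under Strings by the literals PEC2 and PECompact2 and by the only import-related strings visible (kernel32.dll, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree), the footprint of a packer stub that resolves the real imports at run time. Two caveats a practitioner should keep in mind: the version block is untrusted text, so "Freegate" is a claim and not a finding, and the AV column is split (17 generic backdoor/proxy names, 11 clean, 1 error) rather than a consensus. The script below is an added example, not part of the report or of the sandbox that produced it: a stdlib-only Python parser that reproduces those section hashes, converts the timestamp, and checks for the PECompact markers. It runs on a constructed minimal PE32 built inside the script (the real sample is not reproduced here); the marker list and the 512-byte file alignment used by the builder are my assumptions.

```python
import datetime
import hashlib
import struct

# Markers PECompact 2 leaves in the packed image; both literals appear in the
# Strings section of this report. (Assumed marker list.)
PECOMPACT_MARKERS = (b"PEC2", b"PECompact2")


def parse_pe(data):
    """Parse the headers of a PE32 image; returns COFF fields and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def section_hashes(data):
    """md5/sha1/size of each section's raw bytes, the form shown under Static Details."""
    out = {}
    for s in parse_pe(data)["sections"]:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        out[s["name"]] = {"md5": hashlib.md5(raw).hexdigest(),
                          "sha1": hashlib.sha1(raw).hexdigest(),
                          "size": len(raw)}
    return out


def static_report(data):
    """Timestamp (UTC), per-section hashes, and any PECompact markers found in the file."""
    pe = parse_pe(data)
    stamp = datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc)
    return {
        "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "sections": section_hashes(data),
        "packer_markers": [m.decode() for m in PECOMPACT_MARKERS if m in data],
    }


def build_sample_pe():
    """Constructed minimal PE32 for offline testing; this is NOT the sample from the report."""
    text = b"\x55\x8b\xec" * 16 + b"PEC2" + b"PECompact2\0"   # fake code plus packer markers
    rsrc = b"Freegate Application\0" * 3                      # fake resource data
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")          # PE32 optional header, mostly zero
    header_len = 0x40 + 4 + 20 + len(opt) + 2 * 40
    text_ptr = (header_len + 0x1FF) & ~0x1FF                  # assumed 512-byte file alignment
    rsrc_ptr = text_ptr + ((len(text) + 0x1FF) & ~0x1FF)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # 1217372123 is 2008-07-29 22:55:23 UTC, the timestamp shown in the report.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1217372123, 0, 0, len(opt), 0x0102)

    def section(name, vaddr, raw, raw_ptr, chars):
        return (name.ljust(8, b"\0")
                + struct.pack("<IIII", len(raw), vaddr, len(raw), raw_ptr)
                + struct.pack("<IIHHI", 0, 0, 0, 0, chars))

    headers = (dos + b"PE\0\0" + coff + opt
               + section(b".text", 0x1000, text, text_ptr, 0x60000020)
               + section(b".rsrc", 0x3000, rsrc, rsrc_ptr, 0x40000040))
    image = headers.ljust(text_ptr, b"\0") + text
    return image.ljust(rsrc_ptr, b"\0") + rsrc


if __name__ == "__main__":
    import json
    print(json.dumps(static_report(build_sample_pe()), indent=2))
```

To use it on a real file, pass `open(path, "rb").read()` to `static_report`; a match on the section md5/sha1 values is a stronger link between two samples than the whole-file hash, because PECompact leaves the packed payload bytes identical across rebuilds of the stub.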

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates file: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates file: PhysicalDrive0
Creates file: PIPE\lsarpc
Creates file: \Device\Afd\Endpoint
Creates file: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates mutex: WininetConnectionMutex
Creates mutex: c:!documents and settings!administrator!cookies!
Creates mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS queries (5 A lookups for sequentially numbered hosts w61 to w65 under ziyoulonglive.com; 8 MX lookups for names under 4.ziyouforever.com whose two leading labels are 40-character hex strings, a different pair per query):
DNS A: w65.ziyoulonglive.com
DNS A: w61.ziyoulonglive.com
DNS A: w62.ziyoulonglive.com
DNS A: w63.ziyoulonglive.com
DNS A: w64.ziyoulonglive.com
DNS MX: 731cbbfe1eff04c02a37b1c84a80de649f7021cf.1e95745e0df067c4a72b617070c9a45cdcceec5b.4.ziyouforever.com
DNS MX: 5eb83673054852e27cc8d3e1daadd248b2d4ac42.0522227c5b0f05ed37066d5c035caf072db56f52.4.ziyouforever.com
DNS MX: 34ea2838d54e80cc15fbc9bd16795fc2d886b209.d524f052323c1fb1fbd2e0d6d61c90753e6dd430.4.ziyouforever.com
DNS MX: 599dc9120b5c4080f4445d77d89a9ad5b5f15323.0b36301ed3838b7b353125c108545a3698d3e953.4.ziyouforever.com
DNS MX: ad5974fb451099c4cfb00ad0307375ee4135eeca.457ae95ae877dcdcddd8cafa58b1620286a57705.4.ziyouforever.com
DNS MX: 7a6f33ae02b5fc956be442c67fe6baf19603a99f.02df8c0b4c2394ca924d05e560ca4e6da52aa322.4.ziyouforever.com
DNS MX: 1e849e7e4660cbf1f1ae43d9e605ddb6f2e8044f.460abb6fd66995d50bae62a223afb973fe77790c.4.ziyouforever.com
DNS MX: a56ff0241e58153c5a9f08c3ce75568d49036a15.1e3265a27d58decf23dee99968f55b4df46e7944.4.ziyouforever.com
Flows (60 UDP datagrams to port 53, 52 distinct peers; source port 1032 reaches 44 distinct hosts, all in 38.0.0.0/8; source ports 1031 and 1033 each reach the same 8 hosts: 38.99.76.229, 88.85.74.8, 211.115.66.121, 192.88.195.10, 202.27.17.253, 63.90.67.11, 209.191.16.131, 143.166.82.252; the report records no responses or payloads):
Flow UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flow UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flow UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flow UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flow UDP: 192.168.1.1:1032 ➝ 38.121.7.4:53
Flow UDP: 192.168.1.1:1032 ➝ 38.52.86.4:53
Flow UDP: 192.168.1.1:1031 ➝ 211.115.66.121:53
Flow UDP: 192.168.1.1:1032 ➝ 38.90.52.20:53
Flow UDP: 192.168.1.1:1032 ➝ 38.8.89.139:53
Flow UDP: 192.168.1.1:1032 ➝ 38.229.52.56:53
Flow UDP: 192.168.1.1:1031 ➝ 192.88.195.10:53
Flow UDP: 192.168.1.1:1032 ➝ 38.124.246.93:53
Flow UDP: 192.168.1.1:1032 ➝ 38.169.113.191:53
Flow UDP: 192.168.1.1:1031 ➝ 202.27.17.253:53
Flow UDP: 192.168.1.1:1032 ➝ 38.255.164.59:53
Flow UDP: 192.168.1.1:1031 ➝ 63.90.67.11:53
Flow UDP: 192.168.1.1:1032 ➝ 38.154.10.26:53
Flow UDP: 192.168.1.1:1032 ➝ 38.187.73.55:53
Flow UDP: 192.168.1.1:1031 ➝ 209.191.16.131:53
Flow UDP: 192.168.1.1:1032 ➝ 38.31.161.238:53
Flow UDP: 192.168.1.1:1032 ➝ 38.108.170.121:53
Flow UDP: 192.168.1.1:1031 ➝ 143.166.82.252:53
Flow UDP: 192.168.1.1:1032 ➝ 38.155.32.47:53
Flow UDP: 192.168.1.1:1032 ➝ 38.133.71.220:53
Flow UDP: 192.168.1.1:1032 ➝ 38.188.56.178:53
Flow UDP: 192.168.1.1:1032 ➝ 38.210.125.75:53
Flow UDP: 192.168.1.1:1032 ➝ 38.211.181.4:53
Flow UDP: 192.168.1.1:1032 ➝ 38.104.12.145:53
Flow UDP: 192.168.1.1:1032 ➝ 38.227.90.71:53
Flow UDP: 192.168.1.1:1032 ➝ 38.189.151.150:53
Flow UDP: 192.168.1.1:1032 ➝ 38.148.218.131:53
Flow UDP: 192.168.1.1:1032 ➝ 38.33.166.85:53
Flow UDP: 192.168.1.1:1032 ➝ 38.41.255.155:53
Flow UDP: 192.168.1.1:1032 ➝ 38.181.225.55:53
Flow UDP: 192.168.1.1:1032 ➝ 38.64.8.106:53
Flow UDP: 192.168.1.1:1032 ➝ 38.244.140.201:53
Flow UDP: 192.168.1.1:1032 ➝ 38.138.151.88:53
Flow UDP: 192.168.1.1:1032 ➝ 38.27.124.220:53
Flow UDP: 192.168.1.1:1032 ➝ 38.48.17.114:53
Flow UDP: 192.168.1.1:1032 ➝ 38.45.90.86:53
Flow UDP: 192.168.1.1:1032 ➝ 38.60.92.227:53
Flow UDP: 192.168.1.1:1032 ➝ 38.190.71.167:53
Flow UDP: 192.168.1.1:1032 ➝ 38.204.197.183:53
Flow UDP: 192.168.1.1:1032 ➝ 38.205.131.63:53
Flow UDP: 192.168.1.1:1032 ➝ 38.151.54.94:53
Flow UDP: 192.168.1.1:1032 ➝ 38.129.129.247:53
Flow UDP: 192.168.1.1:1032 ➝ 38.25.142.242:53
Flow UDP: 192.168.1.1:1032 ➝ 38.14.38.100:53
Flow UDP: 192.168.1.1:1032 ➝ 38.2.148.17:53
Flow UDP: 192.168.1.1:1032 ➝ 38.78.223.129:53
Flow UDP: 192.168.1.1:1032 ➝ 38.209.105.242:53
Flow UDP: 192.168.1.1:1032 ➝ 38.179.244.70:53
Flow UDP: 192.168.1.1:1033 ➝ 38.99.76.229:53
Flow UDP: 192.168.1.1:1033 ➝ 88.85.74.8:53
Flow UDP: 192.168.1.1:1033 ➝ 211.115.66.121:53
Flow UDP: 192.168.1.1:1033 ➝ 192.88.195.10:53
Flow UDP: 192.168.1.1:1033 ➝ 202.27.17.253:53
Flow UDP: 192.168.1.1:1033 ➝ 63.90.67.11:53
Flow UDP: 192.168.1.1:1033 ➝ 209.191.16.131:53
Flow UDP: 192.168.1.1:1033 ➝ 143.166.82.252:53
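Three patterns in the Network block are worth turning into checks: A lookups for sequentially numbered hosts (w61 to w65 under one parent), MX lookups for names whose leading labels are fixed-width 40-character hex tokens (nobody delivers mail to such names; the labels carry data), and 60 UDP datagrams to port 53 spread over 52 distinct peers, 44 of them in 38.0.0.0/8, where a normal host talks to one or two resolvers. The report carries no DNS responses or payloads, so it cannot be settled here whether the port-53 traffic is real DNS or a transport dressed as DNS; the version block names Freegate, a circumvention proxy, but that is a claim in untrusted metadata. The Python below is an added example, not the sandbox's code: it parses lines in the report's own layout (embedded as a constructed subset of the lines above; both the one-line "DNS A: name" form and the raw "DNS name" / "Type: A" pair are accepted) and scores those three behaviours. The 40-hex-character rule, the numbered-host pattern and the fan-out threshold are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: a constructed subset of the DNS and flow lines from the sandbox
# report above, copied from the report (this script did not capture them).
REPORT_LINES = """\
DNS A: w65.ziyoulonglive.com
DNS A: w61.ziyoulonglive.com
DNS w62.ziyoulonglive.com
Type: A
DNS MX: 731cbbfe1eff04c02a37b1c84a80de649f7021cf.1e95745e0df067c4a72b617070c9a45cdcceec5b.4.ziyouforever.com
DNS MX: 5eb83673054852e27cc8d3e1daadd248b2d4ac42.0522227c5b0f05ed37066d5c035caf072db56f52.4.ziyouforever.com
Flow UDP: 192.168.1.1:1032 ➝ 38.35.193.158:53
Flow UDP: 192.168.1.1:1031 ➝ 38.99.76.229:53
Flow UDP: 192.168.1.1:1032 ➝ 38.65.238.191:53
Flow UDP: 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP192.168.1.1:1033 ➝ 38.99.76.229:53
"""

DNS_RE = re.compile(r"^DNS:?\s*(?:([A-Z]+):\s*)?(\S+)$")
TYPE_RE = re.compile(r"^Type:\s*([A-Z]+)$")
FLOW_RE = re.compile(r"^Flows?\s+UDP:?\s*([\d.]+):(\d+)\s*(?:➝|->)\s*([\d.]+):(\d+)$")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")       # SHA-1-sized hex token (assumed rule)
NUMBERED_RE = re.compile(r"^([a-z]+)(\d+)$")   # w61, w62 ... style host labels (assumed rule)


def parse_report(text):
    """Return ([(qname, qtype), ...], [(src, sport, dst, dport), ...])."""
    queries, flows, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            qtype, qname = m.groups()
            if qtype:
                queries.append((qname, qtype))
            else:
                pending = qname          # type follows on the next "Type:" line
            continue
        m = TYPE_RE.match(line)
        if m and pending:
            queries.append((pending, m.group(1)))
            pending = None
            continue
        m = FLOW_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return queries, flows


def hex_labels(qname):
    """Labels that are exactly 40 lowercase hex characters: data, not hostnames."""
    return [label for label in qname.lower().split(".") if HEX40_RE.match(label)]


def assess(text, fanout_threshold=5):
    queries, flows = parse_report(text)
    # 1. Names whose labels carry fixed-width hex tokens; an MX query for such a
    #    name is a signalling channel, no mail is ever delivered to it.
    encoded = [(q, t) for q, t in queries if hex_labels(q)]
    # 2. Sequentially numbered hosts under one parent (w61..w65): server enumeration.
    numbered = defaultdict(set)
    for q, _ in queries:
        first, _, parent = q.partition(".")
        m = NUMBERED_RE.match(first)
        if m:
            numbered[parent].add(int(m.group(2)))
    numbered = {p: sorted(n) for p, n in numbered.items() if len(n) >= 2}
    # 3. Distinct port-53 peers per source. A host talks to one or two resolvers;
    #    dozens of UDP/53 peers is probing or tunnelling, not name resolution.
    peers = defaultdict(set)
    for src, _, dst, dport in flows:
        if dport == 53:
            peers[src].add(dst)
    fanout = {}
    for src, dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            by_slash8 = defaultdict(int)
            for d in dsts:
                by_slash8[str(ipaddress.ip_network(f"{d}/8", strict=False))] += 1
            fanout[src] = {"peers": len(dsts), "top_net": max(by_slash8, key=by_slash8.get)}
    return {"encoded_label_queries": encoded, "numbered_hosts": numbered, "dns_fanout": fanout}


if __name__ == "__main__":
    for key, value in assess(REPORT_LINES, fanout_threshold=3).items():
        print(key, value)
```

Feed a full DNS and flow export as `text` to run the same checks over real traffic. The fan-out threshold is environment-specific: a host behind a DNS load balancer or one that legitimately talks to several resolvers needs a per-resolver allow-list before this check is alert-worthy, while the hex-label check stands on its own.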

Strings:
..-
..
.
.5.
x...
SC
;.
..[
..
.
..
X.
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
0D'rdyx
0kk=!q
-0u}%r
~188881~
%+(1HI
1Pk|q-K
2D>F\yy7s
2Gje@C
2\<(-MUUVVVV
=~35\k-Lf
3CTc(y
3DfXN=
3^p*IW':c^lduQs
3PR_{GY1
4E@E6M
\(*4NV
56i$0i&
5Eb#g5
6DW=.>
*]#71gf
/7ju=jT
@7N[uPy
7s/uI`
~8880000/01
89]n\~
8aIydO
#8R>44
8V7}R5e
8;vLr2
8|xa1~
9Dj#il
`%9mJ5
a5g9O;p
a{cA3{
A	f'~	
}~AG:C
a/jf1E
aKRXK#
AKXh4Pa
Ap licat
>/AwuZ
$`b*!'
b:f17^
|b[ ;r
bSjv?I
Bspr9a
By:B,&B
!c6E+E
^c7hOZ
c9dk}ft
C|\_e:uEvc\
C#I7oyl'4
c-iQ(Zg
C;]Lxy
C-qx{m
c$V9Yp
&C|Vik
$;d Dt>
d)e&s-
~DiR?]
{;DMI@t'
`d|n hu-
]D@TD,
DVTVU0"
\D<"W.
>E>6Eq
eCFNJE
}E=ja%
!:Ep6e
f18=c9
f31z{n
<F5C3wsJ
f{5Dj%56
fc3~\U
F#E5^E
fl~-qdn
Foazew
/fr$}d
FUyMHsT
FW=|)7G
+|fWP"
fxVW9{
FZ7toKqn
G''+9T
GDi/>L
gDjADV
G	@EQt`
GetProcAddress
"gG	QUs
$gn%*A
GRH[`b
`!GT,wF
GXg>;O
H3*v&ct
$h8jg{
hA:}Zv
hdWTZis
|/;!h!p`
hy|E)v
 'hYH$
`If/3*z
>@[IHQ
iIH1+\~j
ikw?8`
i)oGb<
i@@@,-P
Ip~Q&*f
iQ`hsE
irtualA
^(]I-u
i@;ZYd
%}+J(V
j|Y)4I
-k2sh<
k3JV+4v
K4z/"!
kernel32.dll
KGq-xv6n 2
KP*pm:M
'kR2|/
Krs9^.
{Kve7<
'Lly	Yu
LoadLibraryA
?lP~h'O
Ls^1}(K
~#m{,A
MB!<N(
mJ	6)G
m<je|z
MLKDc: 
mOR_3dB
^mS.:Y
:MV	&s(
N34;2#
n;_`5b
%<nfLh)
NH xjC
%	N%N#j
Nu8$SJ
Nvm0ow
"Nw/'0
(o1U*l-i
!(O\>e
.OE5U*
oF?L	|<Q
OHk9,>]
O)!\w7
[OXo,3l
oxu#\`
>P60dw7
PEC2=O
PECompact2
p-gd:9
P-@U@VAVX
QSz:Jh"
QX]kfmgzC
*Q,XYAT
r3b+F_
r9hP']@
rBLUu5
R-_D8K8
RqjDA,
r&}>sp
rw@Ig:{
R'y3=%
r>zZ|u
&S/.<.,
s'0vc,
s.g{BT
sJ)S7>n[U
([S_-K4
S)}@NF
S;-+P5**
(s$`W3
S$wDDc-
SZi2;5
t@1( ;
}tE9Vd]
!This program cannot be run in DOS mode.
TmVLzCD
(tOs*p
TU"|/	
?TY)3' 3
_)U]@`
u6g@YL
uc6F|I
`uCWI-
U-E	MG
Uf(U}$
uG&l;6
uGlgEk
u-iHN.
ulEGf6
>um.%;V
umxxmu
uNR8ow
U"o[~z
>uPxq&
USQWVR
uv3`jS
UVVVWX
Ux^!tZ^
[%V*2)
V$F`PW
VirtualAlloc
VirtualFree
vjBI\B
@#VluK
W3R{(`$
W7'po/
#wemSg
<Wj6 BW
w'PJ5)
W#~RLC
wv/=Gz
wx(V,@
.^{xe^^
xpI3Ug
xRWs~ZD8
xUf{g.
- Y1)q
/y&`?(E
Yot #sb
*yP0xw
`Z^)JNA
z=kA;i
{zp\sL
`Zqd}yH
ZXb^U-
Z^_Y[]
Z(ZX(t