| Analysis Date | 2014-09-02 12:45:58 |
|---|---|
| MD5 | b94913e9238fcac57d7249864b4b6251 |
| SHA1 | 9785f493eca0cea3d06c8c99b49a2cba2d98294c |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 09b54deda43f9deba414879662cae309 sha1: e54bd7fd3176986b91a763f7aaa18a802d4ff2f7 size: 136192 | |
| Section | .rsrc md5: 4f10455fcc4032b847910264257cc3b1 sha1: c3769391442411f99f82b72d48ea14efc6cacb51 size: 16896 | |
| Timestamp | 2008-07-29 22:55:23 | |
| Version | LegalCopyright: Copyright (C) 2003-2008 InternalName: Freegate FileVersion: 0, 0, 0, 0 CompanyName: PrivateBuild: LegalTrademarks: Comments: ProductName: Freegate Application SpecialBuild: ProductVersion: 0, 0, 0, 0 FileDescription: Freegate Application OriginalFilename: freegate.EXE | |
| Packer | PeCompact 2.xx (Slim Loader) -> BitSum Technologies | |
| PEhash | 0be8f498669dbfe699076dcbf9bbcaaf89b9b14c | |
| IMPhash | 09d0478591d4f788cb3e5ea416c25237 | |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PhysicalDrive0 |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | \Device\Afd\AsyncConnectHlp |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Network Details:
| DNS | w61.ziyoulonglive.com Type: A |
|---|---|
| DNS | w62.ziyoulonglive.com Type: A |
| DNS | w63.ziyoulonglive.com Type: A |
| DNS | w64.ziyoulonglive.com Type: A |
| DNS | w65.ziyoulonglive.com Type: A |
| DNS | 3e373a5f1a55ea8bb6ef1f3a70fe023972e5880f.f9a89d549de3eb753df55e6e3c010e495bd8874c.4.ziyouforever.com Type: MX |
| DNS | 66942e4dd38dce107013aba955f7bfc72a469c1d.3070b9cf5b1f5fe618fce39050d5f279e244ae4b.4.ziyouforever.com Type: MX |
| DNS | 100cda8cb57bb487ce62f498ada6be595cde68dc.5686c358e56e00d7e0ade20ea4c3f007945b303c.4.ziyouforever.com Type: MX |
| DNS | 24ae58cfb67847ebdb958034ca73e85b687cea9f.55853034f099747b8778b40cedf14c5ee4e79675.4.ziyouforever.com Type: MX |
| DNS | 46bcc4923af4b9c43e78e0d8c4428cb90a6e76c2.d909ce1b157414978949d0ee2a835848f5221406.4.ziyouforever.com Type: MX |
| DNS | 2264bda45435327eb512c14e209a34bdb115732b.14b49a02e1c1967db24ecb965d9d5745118c580f.4.ziyouforever.com Type: MX |
| DNS | 9056e7d1f1abd468ca7d6010c2e1ea580327295e.b12a7c149eae37235035157375109c4b37287a42.4.ziyouforever.com Type: MX |
| DNS | 0a04068f13630e1fcfccc184a3b6a3ce9975c800.53e2a6639b1f96b731625ce575f07a202dbafb31.4.ziyouforever.com Type: MX |
| Flows UDP | 192.168.1.1:1031 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.35.193.158:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.65.238.191:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.121.7.4:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 88.85.74.8:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.52.86.4:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.90.52.20:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 211.115.66.121:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.8.89.139:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 192.88.195.10:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.229.52.56:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.124.246.93:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 202.27.17.253:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.169.113.191:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.255.164.59:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 63.90.67.11:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.154.10.26:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.187.73.55:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.31.161.238:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 209.191.16.131:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.108.170.121:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 143.166.82.252:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.155.32.47:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.133.71.220:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.188.56.178:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.210.125.75:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.211.181.4:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.104.12.145:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.227.90.71:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.189.151.150:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.148.218.131:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.33.166.85:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.41.255.155:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.181.225.55:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.64.8.106:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.244.140.201:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.138.151.88:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.27.124.220:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.48.17.114:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.45.90.86:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.60.92.227:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.190.71.167:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.204.197.183:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.205.131.63:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.151.54.94:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.129.129.247:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.25.142.242:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.14.38.100:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.2.148.17:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.78.223.129:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.209.105.242:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.179.244.70:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 88.85.74.8:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 211.115.66.121:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 192.88.195.10:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 202.27.17.253:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 63.90.67.11:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 209.191.16.131:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 143.166.82.252:53 |
| Flows TCP | 192.168.1.1:1034 ➝ 175.181.101.252:443 |
| Flows TCP | 192.168.1.1:1035 ➝ 175.181.114.173:443 |
| Flows TCP | 192.168.1.1:1036 ➝ 1.161.151.225:443 |
| Flows TCP | 192.168.1.1:1037 ➝ 118.169.168.243:443 |
| Flows TCP | 192.168.1.1:1038 ➝ 122.121.11.111:443 |
| Flows TCP | 192.168.1.1:1039 ➝ 114.43.197.79:443 |
| Flows TCP | 192.168.1.1:1040 ➝ 114.27.38.18:443 |
| Flows TCP | 192.168.1.1:1041 ➝ 36.224.10.251:443 |
| Flows TCP | 192.168.1.1:1042 ➝ 64.235.32.206:53 |
| Flows TCP | 192.168.1.1:1043 ➝ 129.66.95.3:53 |
| Flows TCP | 192.168.1.1:1044 ➝ 141.151.0.68:53 |
| Flows TCP | 192.168.1.1:1045 ➝ 211.10.204.5:53 |
| Flows TCP | 192.168.1.1:1046 ➝ 64.80.255.251:53 |
| Flows TCP | 192.168.1.1:1047 ➝ 128.30.52.200:53 |
| Flows TCP | 192.168.1.1:1048 ➝ 208.101.39.236:53 |
Raw Pcap
0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 .
Strings
..-
..
.
.5.
x...
SC
;.
..[
..
.
..
...
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
0D'rdyx
0kk=!q
-0u}%r
~188881~
%+(1HI
1Pk|q-K
2D>F\yy7s
2Gje@C
2\<(-MUUVVVV
=~35\k-Lf
3CTc(y
3DfXN=
3PR_{GY1
4E@E6M
\(*4NV
56i$0i&
5Eb#g5
6DW=.>
*]#71gf
/7ju=jT
@7N[uPy
7s/uI`
~8880000/01
89]n\~
8aIydO
#8R>44
8V7}R5e
8;vLr2
8|xa1~
9Dj#il
]$:9gF
`%9mJ5
a5g9O;p
a{cA3{
A f'~
}~AG:C
a/jf1E
aKRXK#
AKXh4Pa
>/AwuZ
$`b*!'
b:f17^
|b[ ;r
bSjv?I
Bspr9a
By:B,&B
B|ZbOc4
!c6E+E
^c7hOZ
c9dk}ft
C|\_e:uEvc\
C#I7oyl'4
c-iQ(Zg
C-qx{m
c&$%>S
c$V9Yp
&C|Vik
d)e&s-
~DiR?]
{;DMI@t'
`d|n hu-
]D@TD,
DVTVU0"
\D<"W.
>E>6Eq
eCFNJE
}E=ja%
!:Ep6e
f18=c9
f31z{n
<F5C3wsJ
f{5Dj%56
fc3~\U
F#E5^E
fl~-qdn
Foazew
/fr$}d
FUyMHsT
FW=|)7G
+|fWP"
fxVW9{
FZ7toKqn
G''+9T
GDi/>L
gDjADV
G @EQt`
GetProcAddress
"gG QUs
$gn%*A
GRH[`b
`!GT,wF
GXg>;O
H3*v&ct
$h8jg{
hA:}Zv
hdWTZis
|/;!h!p`
hy|E)v
'hYH$
`If/3*z
>@[IHQ
iIH1+\~j
ikw?8`
i)oGb<
i@@@,-P
Ip~Q&*f
iQ`hsE
irtualA
^(]I-u
i@;ZYd
%}+J(V
j|Y)4I
-k2sh<
k3JV+4v
kernel32.dll
KGq-xv6n 2
KjPd,>
KP*pm:M
'kR2|/
Krs9^.
{Kve7<
'Lly Yu
LoadLibraryA
?lP~h'O
~#m{,A
MB!<N(
mJ 6)G
m<je|z
MLKDc:
mOR_3dB
^mS.:Y
:MV &s(
N34;2#
n;_`5b
%<nfLh)
NH xjC
Nu8$SJ
Nvm0ow
"Nw/'0
(o1U*l-i
!(O\>e
.OE5U*
oF?L |<Q
OHk9,>]
OJpVH9
O)!\w7
[OXo,3l
oxu#\`
>P60dw7
PEC2=O
p-gd:9
P-@U@VAVX
Q$RVZk
QSz:Jh"
QX]kfmgzC
*Q,XYAT
r3b+F_
r9hP']@
rBLUu5
R-_D8K8
RqjDA,
r&}>sp
rw@Ig:{
R'y3=%
r>zZ|u
&S/.<.,
s'0vc,
s.g{BT
sJ)S7>n[U
([S_-K4
S)}@NF
S;-+P5**
(s$`W3
S$wDDc-
SZi2;5
t@1( ;
}tE9Vd]
!This program cannot be run in DOS mode.
TmVLzCD
(tOs*p
TU"|/
?TY)3' 3
_)U]@`
u6g@YL
uc6F|I
`uCWI-
U-E MG
Uf(U}$
uG&l;6
uGlgEk
u-iHN.
ulEGf6
>um.%;V
umxxmu
uNR8ow
U"o[~z
>uPxq&
USQWVR
uv3`jS
UVVVWX
Ux^!tZ^
[%V*2)
V$F`PW
VirtualAlloc
VirtualFree
vjBI\B
@#VluK
W3R{(`$
W7'po/
#wemSg
<Wj6 BW
w'PJ5)
W#~RLC
wv/=Gz
wx(V,@
.^{xe^^
_^_xH;
xpI3Ug
xRWs~ZD8
xUf{g.
- Y1)q
/y&`?(E
Yot #sb
*yP0xw
`Z^)JNA
z=kA;i
{zp\sL
`Zqd}yH
ZXb^U-
Z^_Y[]