Analysis | #totalhash

Analysis Date	2014-08-30 22:30:40
MD5	18357620987262da2885358505e61f09
SHA1	c964dd81de5cdd3672ba64d2aa8fea2d99d896ba

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 27572020621616c03caeb0067574c802 sha1: df3fcb50f3b040b0091b1fd90062d59308ce58ca size: 120832
Section	.rsrc md5: daa41411610dd9a27115e38807fe5feb sha1: 01dba6af74ccd7e71028925db4f187a17fc482ff size: 17408
Timestamp	2008-07-26 21:24:57
Version	LegalCopyright: Copyright (C) 2003-2008 InternalName: Freegate FileVersion: 0, 0, 0, 0 CompanyName: PrivateBuild: LegalTrademarks: Comments: ProductName: Freegate Application SpecialBuild: ProductVersion: 0, 0, 0, 0 FileDescription: Freegate Application OriginalFilename: freegate.EXE
Packer	PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash	72a2e7c3700f659ed313f1d4d9b224f96843a2a6
IMPhash	09d0478591d4f788cb3e5ea416c25237

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PhysicalDrive0
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS	w63.ziyoulonglive.com Type: A
DNS	w64.ziyoulonglive.com Type: A
DNS	w65.ziyoulonglive.com Type: A
DNS	w61.ziyoulonglive.com Type: A
DNS	w62.ziyoulonglive.com Type: A
DNS	22ef8d289eb7043d253073d530d19a7d1f88260d.b3aa51aebdeb4d250cab0895dec7925a512fae43.4.ziyouforever.com Type: MX
DNS	eb7166f3b00fd7ebd641338cf8097da1d616cdd6.9d1282784e9a0d7cc473ef493ea7d07560609b13.4.ziyouforever.com Type: MX
DNS	b14f45f1628308aa9d3316a225214fb88c28eed4.4f9e5d3905e82852195bdd503675c07b5d575533.4.ziyouforever.com Type: MX
DNS	3b90f858c3c3b49f29b3f8a1100be03206f7537d.eedee10cb168c6512c7172dacf53be3004fbea44.4.ziyouforever.com Type: MX
DNS	bdcbe6f8c109ed5c4c59249dddd6c7be80ac4ddd.ec14b8cfd4821a6de1ac55569e0b2f27943a9a52.4.ziyouforever.com Type: MX
DNS	d128189543d7b306d81810a1b008ba03ec4fb3b0.6ecae69540c32e518c7228eb806a644266a5eb2e.4.ziyouforever.com Type: MX
DNS	6598b81ada2862e90f70e9304052d62b58ff133f.f735377a97abd7c07c2844c3baa2d00ec465287b.4.ziyouforever.com Type: MX
DNS	a0bd80dc99934a59c254ba82431e73c29dda2bf9.b48e1fca5a8f84727f64e12a79022e09bbf15e23.4.ziyouforever.com Type: MX
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.35.193.158:53
Flows UDP	192.168.1.1:1032 ➝ 38.65.238.191:53
Flows UDP	192.168.1.1:1032 ➝ 38.121.7.4:53
Flows UDP	192.168.1.1:1031 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1032 ➝ 38.52.86.4:53
Flows UDP	192.168.1.1:1031 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1032 ➝ 38.90.52.20:53
Flows UDP	192.168.1.1:1032 ➝ 38.8.89.139:53
Flows UDP	192.168.1.1:1031 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1032 ➝ 38.229.52.56:53
Flows UDP	192.168.1.1:1032 ➝ 38.124.246.93:53
Flows UDP	192.168.1.1:1032 ➝ 38.169.113.191:53
Flows UDP	192.168.1.1:1031 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1032 ➝ 38.255.164.59:53
Flows UDP	192.168.1.1:1031 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1032 ➝ 38.154.10.26:53
Flows UDP	192.168.1.1:1032 ➝ 38.187.73.55:53
Flows UDP	192.168.1.1:1031 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.31.161.238:53
Flows UDP	192.168.1.1:1032 ➝ 38.108.170.121:53
Flows UDP	192.168.1.1:1031 ➝ 143.166.82.252:53
Flows UDP	192.168.1.1:1032 ➝ 38.155.32.47:53
Flows UDP	192.168.1.1:1032 ➝ 38.133.71.220:53
Flows UDP	192.168.1.1:1031 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1032 ➝ 38.188.56.178:53
Flows UDP	192.168.1.1:1032 ➝ 38.210.125.75:53
Flows UDP	192.168.1.1:1032 ➝ 38.211.181.4:53
Flows UDP	192.168.1.1:1032 ➝ 38.104.12.145:53
Flows UDP	192.168.1.1:1032 ➝ 38.227.90.71:53
Flows UDP	192.168.1.1:1032 ➝ 38.189.151.150:53
Flows UDP	192.168.1.1:1032 ➝ 38.148.218.131:53
Flows UDP	192.168.1.1:1032 ➝ 38.33.166.85:53
Flows UDP	192.168.1.1:1032 ➝ 38.41.255.155:53
Flows UDP	192.168.1.1:1032 ➝ 38.181.225.55:53
Flows UDP	192.168.1.1:1032 ➝ 38.64.8.106:53
Flows UDP	192.168.1.1:1032 ➝ 38.244.140.201:53
Flows UDP	192.168.1.1:1032 ➝ 38.138.151.88:53
Flows UDP	192.168.1.1:1032 ➝ 38.27.124.220:53
Flows UDP	192.168.1.1:1032 ➝ 38.48.17.114:53
Flows UDP	192.168.1.1:1032 ➝ 38.45.90.86:53
Flows UDP	192.168.1.1:1032 ➝ 38.60.92.227:53
Flows UDP	192.168.1.1:1032 ➝ 38.190.71.167:53
Flows UDP	192.168.1.1:1032 ➝ 38.204.197.183:53
Flows UDP	192.168.1.1:1032 ➝ 38.205.131.63:53
Flows UDP	192.168.1.1:1032 ➝ 38.151.54.94:53
Flows UDP	192.168.1.1:1032 ➝ 38.129.129.247:53
Flows UDP	192.168.1.1:1032 ➝ 38.25.142.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.14.38.100:53
Flows UDP	192.168.1.1:1032 ➝ 38.2.148.17:53
Flows UDP	192.168.1.1:1032 ➝ 38.78.223.129:53
Flows UDP	192.168.1.1:1032 ➝ 38.209.105.242:53
Flows UDP	192.168.1.1:1032 ➝ 38.179.244.70:53
Flows UDP	192.168.1.1:1033 ➝ 38.99.76.229:53
Flows UDP	192.168.1.1:1033 ➝ 88.85.74.8:53
Flows UDP	192.168.1.1:1033 ➝ 211.115.66.121:53
Flows UDP	192.168.1.1:1033 ➝ 192.88.195.10:53
Flows UDP	192.168.1.1:1033 ➝ 202.27.17.253:53
Flows UDP	192.168.1.1:1033 ➝ 63.90.67.11:53
Flows UDP	192.168.1.1:1033 ➝ 209.191.16.131:53
Flows UDP	192.168.1.1:1033 ➝ 143.166.82.252:53
Flows TCP	192.168.1.1:1034 ➝ 64.235.32.206:53
Flows TCP	192.168.1.1:1035 ➝ 129.66.95.3:53
Flows TCP	192.168.1.1:1036 ➝ 141.151.0.68:53
Flows TCP	192.168.1.1:1037 ➝ 211.10.204.5:53
Flows TCP	192.168.1.1:1038 ➝ 64.80.255.251:53
Flows TCP	192.168.1.1:1039 ➝ 128.30.52.200:53
Flows TCP	192.168.1.1:1040 ➝ 208.101.39.236:53

Raw Pcap

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

Strings

E.x
.
8..
.....
u.....
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
-082ZE
)#08#x
$"@0o?
`11D-9
~188881~
1.aWPR
\1Nq4*43
1nRI{r
=1Qi>y
1tWH,,
=1"Tx:.
1u4J_G26
+1<XN>WZEo
20yy.J$?
2ftRA7,ac
*2I1EE
2l94m<
2\<(-MUUVVVV
[2UMCR
2-(Y8\2u
37/e\l
>|3\>lA
%3{R9v
3S-|mHY:mZ{M
@4B}k)
4%g{=u
\5oZ[9
6EZ.#s
6kzen[
6uB$?WW
7C"gh{
]7gJ_Uh
7(N-'k
~8880000/01
8avqdO
8h1B^=
!8=/#H1z
8/y@+#u
	9#2tz
9d-P6kK)p
A[5)la
A}A{N)
ABb_CaJo
/aKn_>[
aKQoJ9
a<"U$?:e-}
b[bI(	0
BgGBy?
bh=fKpj
b'(?}K
!/BX*Y
Cb`VX]
(cCd@s
Cj^&0g
,.CKO-
D3tu@gBc
D3/}:wm
[Dd5DRjn<Lm#
Dp2)B){`tL(y
D$t4|H	SUV
d>$Y71#QU
e@1E	^
>E>6Eq
~<e9J].*
$/EF6xZh&
_EmkOe
	)eNFg
:e<'Oe
[eRiex
e+!va :
F0t&_'
FABVzH
F+asPXG|
fB-q	>
FB>{`Xh
FIfAsf8
Fj2zW0
F!uwp*
.	fxB2
fXok^58_zk
g6hJR=
G''+9T
G}b,mlh
+GBTq9i
GetProcAddress
g>%GOzQB
|$ GlC
g!oP0Q
gQ7>rW)
gS+;#E
~}H,(>&0)
H2$cXg
"H]5NG
hb~!hngxD
hdrI|&
hdWTZis
hhiQ6,
H	 pKZS
iBc'D 
-I-@'H
i@@@,-P
irtualA
i@;ZYd
}j/<ac7b
jC>&rHL
j&,GIO<
jiYgdm
&\JLqPi
jS=^>rNPy
%JTw_(
kernel32.dll
Kh9Tt_
K;j*WD
kpAW<c
`KRZ5H
ksum on
/KZH<'
@L-!2+
]~)l;C
LdeG1;
(LdUtxR
;LlIuU
LoadLibraryA
lQ:B'U
m1:c|}
Mf@yJT
MLKDc: 
+`M{NGq
ms9vbu
mV	wmxdEl]
MWKjUV6W
!mz{"~1
N34;2#
n(<5A~
n5y'ID
nA:'x?5
	Nu1(*t&
^NwzFV
@%]^^o
o5I<1H
?&Obo?
oDd\[p`
[Ok-d`
oLLc&C<
o@pf8]
OqLHZ']B3c
oRNEpc
OUD=4:a
)-^%p`
p>1l0)
@p4lN?
PECompact2
p_hUVX
`;PIc)
PiC{oF
pP 2E0e
puBLM>I
P-@U@VAVX
	]'=pX
[Q8KkZh<
qefn&F{
QKW)6#
%%qLwt
{qmKY_\
qQ\=Zj
QX]kfmgzC
q/zrN$t
,.:!_r
@R01_t
r8$BP[
RB#t<U
RHR<U;
rl$`pt
rr7vX+
RUOqJ5
]\rv=F
S5<kdy
/]SBJlK2B
?sIT</b$Q!f
sMG} BUJ
:;Snio
SOosD/`J
S;-+P5**
~S&rDL
sXhkMY
%sy5_l3\bz 
)t`,3`H
{T|5L@
\^/+tC
TEbl:-
!This program cannot be run in DOS mode.
TiOzIq
<tLzWn
UEd-'J]
UF87D*
UG]#c.lX
umxxmu
&u#PA-
USQWVR
|]UvM/
UVVVWX
UwII$]3
VirtualAlloc
VirtualFree
"V=j1_
vjBI\B
vky<xBUs
 v!|\l
"_vQhF
`#.'(vs
w1I8DJw
w64zIf
(/W{}8
w'8N{>
wjqT,i
w	P+@G
W%??%q
$	WUx 
wXZ9bk
-Xn]/t\
![X O+
+xp]zED
Xwv*%g
(,XZ*pP
y3}r9%
Y)cVjb?
y`E7Y$
_yFlTTSg
y"hySO
yKRH{#
"yPcv5
Z4 f]-
.zBbms%
=z`f}E
\>zpY'
Z^_Y[]