Analysis Date: 2015-02-01 02:16:24
MD5: e44dfc748213ed7e61b756752e61e430
SHA1: c999e6660c9976e839b4e799aea1ba6f728000a6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c387cdb5b385c8a500051e4d3ff4d7b3 sha1: 5dbfa6dc1c704b3d6123493a44241dd03fe9b9a7 size: 140288
Section .rsrc: md5: 98b981f047e0204528cb1088701d5d96 sha1: a22bd7a20a0a9e3a1f0cada4a5fb63ec6739b46f size: 14848
Timestamp: 2008-01-31 02:47:00
Version:
  LegalCopyright: Copyright (C) 2003
  InternalName: freegate
  FileVersion: 1, 0, 0, 1
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: freegate Application
  SpecialBuild:
  ProductVersion: 1, 0, 0, 1
  FileDescription: freegate MFC Application
  OriginalFilename: freegate.EXE
Packer: PeCompact 2.xx (Slim Loader) -> BitSum Technologies
PEhash: 590eed93e9a2f443e80462f1f491847c48c86f3b
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12610973
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Trojan.Generic.12610973
AV Authentium: W32/Proxy.EDHG-7529
AV Avira (antivir): no_virus
AV BullGuard: Trojan.Generic.12610973
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3290
AV Emsisoft: Trojan.Generic.12610973
AV Eset (nod32): no_virus
AV Fortinet: W32/Agent.BK!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12610973
AV Grisoft (avg): no_virus
AV Ikarus: Generic.Mitglied
AV K7: Backdoor ( 04c4de821 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Proxy-Agent.bk
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: Trojan.Spy.Win32.Undef.ade
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process: C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 37888
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)

Raw Pcap

Strings