Analysis Date: 2014-11-22 10:22:48
MD5: e47e1e4b7bd7db25ad34d92b384ab713
SHA1: d54d5a3b563fe69058e635a6e3b5e0a229a0e5ac

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7cdd7b4ea202e1b413b0dbfeb986b67d sha1: b731eb009c0c1ecf810cc57375c063df68e9d473 size: 140800
Section .rsrc: md5: b9069280a0a4ddd783576796a89147ce sha1: 1aa6581597e9409ba6d3d91aba7c656d705dfdd8 size: 17920
Timestamp: 2008-07-29 22:55:23
Version:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 707ffc5ff3d4bf09190c5573ff9d51b359937f31
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.9678217
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): BackDoor.Generic18.AXQN
AV Ikarus: Backdoor.Win32.Clack
AV K7: Backdoor ( 04c4c5c21 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: Generic.dx
AV Microsoft Security Essentials: Trojan:Win32/Malagent!gmb
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)

Raw Pcap
0x00000000 (00000)   02                                    .

Strings
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
GetProcAddress
kernel32.dll
LoadLibraryA
PEC2=O
PECompact2
!This program cannot be run in DOS mode.
VirtualAlloc
VirtualFree