Analysis Date: 2014-10-08 18:50:21
MD5: 2ae4b62823b0a4c7a7eb62353ca94c08
SHA1: fc21dbfa2ccf8b65469668df7501fba15839b337

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 32f60f1e70f003aba6176282da4fb8d5 sha1: c710d2dea6fb93eb0090907ef85a277d43d86fd3 size: 141824
Section .rsrc: md5: 9147b66d06dc5fca22359ce417f28828 sha1: 266de1baeeb93c6107c196a4e557fce1d5682b84 size: 17920
Timestamp: 2008-07-29 22:55:23
Version:
LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: f24e68fd9fcbede89761801d247e927db6beda34
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: PossibleThreat.vw
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w65.ziyoulonglive.com
Type: A
DNS: w61.ziyoulonglive.com
Type: A
DNS: w62.ziyoulonglive.com
Type: A
DNS: w63.ziyoulonglive.com
Type: A
DNS: w64.ziyoulonglive.com
Type: A
DNS: 8e0e9720c00fbf0086ac9dabc7e0cd5080bc6401.f73244fb11368e72c8a94591456095707472ce72.4.ziyouforever.com
Type: MX
DNS: d289ea931e01b3c3caf73d5fba07db39dc3b19b2.293c48385d6d2e86b54e53f84212800f41042305.4.ziyouforever.com
Type: MX
DNS: 100cc6b865f990a4263d7dd0dd6a8c9c1ebe3599.52c46b5fb1a76e09d223045dc3b09709f8f5a942.4.ziyouforever.com
Type: MX
DNS: c44c538c1e25466f1c5aedf57fc5897acafea0ad.2918bd948bc0fe2c708c01bb10202d673f20b30a.4.ziyouforever.com
Type: MX
DNS: c3bfcd82060a93ece0f64cf3cfe6c81fcd0d3ea3.31376817776c5f2ac0af40de900e173bf2d4d344.4.ziyouforever.com
Type: MX
DNS: 704a86b35888ac09890e53dd3b7651637ef87592.6fb557f21e944004343fd9a20428654b53a8573f.4.ziyouforever.com
Type: MX
DNS: 8483007925f43559accafa6bf50911278a31f358.12c9cea23b50e9b2fa4099e6b4e1bb5da67b107b.4.ziyouforever.com
Type: MX
DNS: 6781c862b23f3f84deee3de39dd9346569333b43.8502c47f49742e3a9290bca42526467cc654827f.4.ziyouforever.com
Type: MX
Flows: UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1032 ➝ 38.35.193.158:53
Flows: UDP 192.168.1.1:1032 ➝ 38.65.238.191:53
Flows: UDP 192.168.1.1:1031 ➝ 88.85.74.8:53
Flows: UDP 192.168.1.1:1032 ➝ 38.121.7.4:53
Flows: UDP 192.168.1.1:1032 ➝ 38.52.86.4:53
Flows: UDP 192.168.1.1:1031 ➝ 211.115.66.121:53
Flows: UDP 192.168.1.1:1032 ➝ 38.90.52.20:53
Flows: UDP 192.168.1.1:1032 ➝ 38.8.89.139:53
Flows: UDP 192.168.1.1:1031 ➝ 192.88.195.10:53
Flows: UDP 192.168.1.1:1032 ➝ 38.229.52.56:53
Flows: UDP 192.168.1.1:1032 ➝ 38.124.246.93:53
Flows: UDP 192.168.1.1:1031 ➝ 202.27.17.253:53
Flows: UDP 192.168.1.1:1032 ➝ 38.169.113.191:53
Flows: UDP 192.168.1.1:1032 ➝ 38.255.164.59:53
Flows: UDP 192.168.1.1:1032 ➝ 38.154.10.26:53
Flows: UDP 192.168.1.1:1031 ➝ 63.90.67.11:53
Flows: UDP 192.168.1.1:1032 ➝ 38.187.73.55:53
Flows: UDP 192.168.1.1:1032 ➝ 38.31.161.238:53
Flows: UDP 192.168.1.1:1031 ➝ 209.191.16.131:53
Flows: UDP 192.168.1.1:1032 ➝ 38.108.170.121:53
Flows: UDP 192.168.1.1:1032 ➝ 38.155.32.47:53
Flows: UDP 192.168.1.1:1031 ➝ 143.166.82.252:53
Flows: UDP 192.168.1.1:1032 ➝ 38.133.71.220:53
Flows: UDP 192.168.1.1:1032 ➝ 38.188.56.178:53
Flows: UDP 192.168.1.1:1031 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1032 ➝ 38.210.125.75:53
Flows: UDP 192.168.1.1:1032 ➝ 38.211.181.4:53
Flows: UDP 192.168.1.1:1032 ➝ 38.104.12.145:53
Flows: UDP 192.168.1.1:1032 ➝ 38.227.90.71:53
Flows: UDP 192.168.1.1:1032 ➝ 38.189.151.150:53
Flows: UDP 192.168.1.1:1032 ➝ 38.148.218.131:53
Flows: UDP 192.168.1.1:1032 ➝ 38.33.166.85:53
Flows: UDP 192.168.1.1:1032 ➝ 38.41.255.155:53
Flows: UDP 192.168.1.1:1032 ➝ 38.181.225.55:53
Flows: UDP 192.168.1.1:1032 ➝ 38.64.8.106:53
Flows: UDP 192.168.1.1:1032 ➝ 38.244.140.201:53
Flows: UDP 192.168.1.1:1032 ➝ 38.138.151.88:53
Flows: UDP 192.168.1.1:1032 ➝ 38.27.124.220:53
Flows: UDP 192.168.1.1:1032 ➝ 38.48.17.114:53
Flows: UDP 192.168.1.1:1032 ➝ 38.45.90.86:53
Flows: UDP 192.168.1.1:1032 ➝ 38.60.92.227:53
Flows: UDP 192.168.1.1:1032 ➝ 38.190.71.167:53
Flows: UDP 192.168.1.1:1032 ➝ 38.204.197.183:53
Flows: UDP 192.168.1.1:1032 ➝ 38.205.131.63:53
Flows: UDP 192.168.1.1:1032 ➝ 38.151.54.94:53
Flows: UDP 192.168.1.1:1032 ➝ 38.129.129.247:53
Flows: UDP 192.168.1.1:1032 ➝ 38.25.142.242:53
Flows: UDP 192.168.1.1:1032 ➝ 38.14.38.100:53
Flows: UDP 192.168.1.1:1032 ➝ 38.2.148.17:53
Flows: UDP 192.168.1.1:1032 ➝ 38.78.223.129:53
Flows: UDP 192.168.1.1:1032 ➝ 38.209.105.242:53
Flows: UDP 192.168.1.1:1032 ➝ 38.179.244.70:53
Flows: UDP 192.168.1.1:1033 ➝ 38.99.76.229:53
Flows: UDP 192.168.1.1:1033 ➝ 88.85.74.8:53
Flows: UDP 192.168.1.1:1033 ➝ 211.115.66.121:53
Flows: UDP 192.168.1.1:1033 ➝ 192.88.195.10:53
Flows: UDP 192.168.1.1:1033 ➝ 202.27.17.253:53
Flows: UDP 192.168.1.1:1033 ➝ 63.90.67.11:53
Flows: UDP 192.168.1.1:1033 ➝ 209.191.16.131:53
Flows: UDP 192.168.1.1:1033 ➝ 143.166.82.252:53
Flows: TCP 192.168.1.1:1034 ➝ 64.235.32.206:53
Flows: TCP 192.168.1.1:1035 ➝ 129.66.95.3:53
Flows: TCP 192.168.1.1:1036 ➝ 141.151.0.68:53
Flows: TCP 192.168.1.1:1037 ➝ 211.10.204.5:53
Flows: TCP 192.168.1.1:1038 ➝ 64.80.255.251:53
Flows: TCP 192.168.1.1:1039 ➝ 128.30.52.200:53
Flows: TCP 192.168.1.1:1040 ➝ 208.101.39.236:53

Raw Pcap
0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .

0x00000000 (00000)   02                                    .


Strings
#
.
1
.
.
J?
..
E
Y
id
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
#;([^"
#}0boD
.0Cy3K
}0=)JymXE
[0K>8_
0l1R8[R
0lxf<"1
%0Q<B#p
0R9}pY
\0	w}{"
~188881~
1Kun` 
1nnHr-
1}t%e_
2}?}1xI
26-Odyxk*
2\<(-MUUVVVV
2rcaRR,
2xQzZLe
#:;3%{
|3eN3|
3HvY]:
3l'#ZW_?E
4,!4I5
4unM~#
5$eb;G
! [>5lu
5 T=~V
:$65Tc
$68Kk<|j
6d%Q^NbF
79-'p*
'7g+%K
7H_mH?0
{7iB~,
,81>p,6
~8880000/01
,.8[F/
8iV2Lj
$9=,@%A
+9&j	)
^(9NGi
9|Rk|zH
9uU\Yiy,C
9 v8ztCG
)9ZeK~
a'=2%]
a3=U6*G
;AILey
A[,M`G
A_"N4s]
>AS6{/
B17RbQ*
\B6|?s
!B&9>eMt
)bl'sr
*BmRr7C
bo|q?K 
c6eP]{
C"7+-^
'[C9.a-
ca'LKO
{cbD"Kf
}C*f~v=DT
\c{OvFC
C's"Ni8
]C;#u6k(q)~
)?D-2`
(d4Kqd
D-9E(v
dar	X%
d>F-w[m
dj&0	<
dj`6c)
DK umE
D/M(tk
d*PENR,dG 
}d@QSH
d#QVJr+
D~VeO-
>E>6Eq
%e7&J[
EAi3GJ
eh=ljX
eMSF\7
E*^qD{Ge
>Ey'+]
E>}ym:
@f6`@#
>f9%qy
+ Fj"T
fj>z1!
FN`#5.
F$NWr 
-F/pT0
fRT!Fk
f.S3&OW
{*F,yI
^g6D[ME
G8n_%t
G''+9T
G}?)EBo
GetProcAddress
GJl,xSj
GL]ew;
-g [*oK
#)>~gp
'`GR 0B
GV+g@f
/:^G-w
gxNE~T
,h7HqW
h8Pu/T 
hdWTZis
@-hFz1}
[hkI g0
HKugg!
HnU\hx
>%ho]8
]H</v{
HV^r&\
~'HW"o
I6"61t
I6a:j)
IJoN y
i@@@,-P
iRmI"mi
i@;ZYd
J %1bx
J	2[F"
J2>Pzs
J,8v7`V4m
j9ROn[
J[a;pXC
j+K"RG
JO{Ve{$
.J^Uq$
K^6qkY2I
K6x;l^
k+?"\c
Ke|35 
kernel32.dll
kJ*%S7
k*l8tq
kQ}o/.
_`Krl;h
&kXob(
LKMe;*n8
l.()LUl
LoadLibraryA
{L?(za
M|(0k]
@m"	7C
Mj~q%O
MLKDc: 
=M}=m$Q,
&[m.s8
m(SM(	
MWS	hy
*MzhRt
N34;2#
[N6\/m_
N^Q6SDH,H
n`u_1u
$nxKwEm7
Ny{8Y4vp&
nzG-lRu[-5
O2rctp
o%}7btq
o\8|YF
_OCxyr
Oh>w)a|
oM#yA>a
OnPyB+M>w
[*^opI
O[Qtk$hG
o>+SgQ
PEC2=O
PECompact2
@pqF(cq
P-@U@VAVX
pxqL9<
$|q	^4E'
Q4s1QV
qe\flww
?QKAfX;(
QlP8	z
QX]kfmgzC
qZ,Q.j
*R0	7d
R:^0N4
R8{KL 
R9(~_1
_r,~d{e
RF;b8r
r	G$-i>:n
&rHH_>:v
^RIR2T
`Rs-A8d
S,5.?Au
",S\/d{
{S\~F7v
sfl'HSD0SO3
S;MQTy
S;-+P5**
:sqo{d
ss$FH a`
]s.tT;l
sVCLzC^
t3i?{	?
"]TCgQ
te1@05F`
;	TE&h
tg.3F"
!This program cannot be run in DOS mode.
T HMP[G
TmD	cv
tPIFOm
?_TRfv
t=&,S`
tuC+"0
tX6;<?t
:$T=/Y
-]u;]}
u4t]Xe
	u/$8P
uBh1`7
U\)[H7
Um-RYo
umxxmu
UqWV*O
USQWVR
UVVVWX
.,U[w"l
Ux,U:	
]']v"2
VAw5!5
Vd(CO|r
ViE	Af[
-vI]g*
VirtualAlloc
VirtualFree
vjBI\B
V]-=oq
@'vqi`
v_tHC&
_vTI&_7(
?vuB^~
"W:?)	
w9% ~\N
#WhD^+
WOVQC'
WQ`*S<
:?x4h6
Xe(J*;
XIht_N
:XK3	8
\:x'R7
x S_cX
x'u1w@B
Y49M+6
ygyd{[9
yk}.+w
y%sWj:
)\Y'&y
 @-\Z>
|zAj2/
{zAxN"
ZmO-W`j
ZN$8y6%
Zt!Xa{
Z^_Y[]
]zzD}'rz