| Analysis Date | 2014-10-31 20:05:39 |
|---|---|
| MD5 | c55d2df62b31a216c48612118d2d57a6 |
| SHA1 | fce717cf3ab12bf4518ab78e21b2ffc423adeae4 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 7bf74ba9a723faaccb99cb6352b182b5 sha1: 8ed921a45a4c73595b906374cfabb82af72aa9f8 size: 121344 | |
| Section | .rsrc md5: 65a72cfcf93792cf1f4c4187b74703bf sha1: b6d1fbb6f1616986a160ee0b9f295774ab759d6f size: 18944 | |
| Timestamp | 2008-07-29 22:55:23 | |
| Version | LegalCopyright: Copyright (C) 2003-2008 InternalName: Freegate FileVersion: 0, 0, 0, 0 CompanyName: PrivateBuild: LegalTrademarks: Comments: ProductName: Freegate Application SpecialBuild: ProductVersion: 0, 0, 0, 0 FileDescription: Freegate Application OriginalFilename: freegate.EXE | |
| Packer | PeCompact 2.xx (Slim Loader) -> BitSum Technologies | |
| PEhash | 64887c7ee1731aeafc2fa19493371296e1e1c09e | |
| IMPhash | 09d0478591d4f788cb3e5ea416c25237 | |
| AV | 360 Safe | Trojan.GenericKD.1942458 |
| AV | Ad-Aware | Trojan.GenericKD.1942458 |
| AV | Alwil (avast) | no_virus |
| AV | Arcabit (arcavir) | no_virus |
| AV | Authentium | W32/Trojan.BLHE-4762 |
| AV | Avira (antivir) | BDS/Rogue.141312 |
| AV | BullGuard | Trojan.GenericKD.1942458 |
| AV | CA (E-Trust Ino) | no_virus |
| AV | CAT (quickheal) | no_virus |
| AV | ClamAV | no_virus |
| AV | Dr. Web | Trojan.Proxy.3764 |
| AV | Emsisoft | Trojan.GenericKD.1942458 |
| AV | Eset (nod32) | no_virus |
| AV | Fortinet | W32/Clack.K!tr.bdr |
| AV | Frisk (f-prot) | no_virus |
| AV | F-Secure | Trojan.GenericKD.1942458 |
| AV | Grisoft (avg) | BackDoor.Generic18.AZCH |
| AV | Ikarus | Backdoor.Win32.Clack |
| AV | K7 | no_virus |
| AV | Kaspersky | Backdoor.Win32.Clack.k |
| AV | MalwareBytes | Trojan.Agent |
| AV | Mcafee | Generic.dx |
| AV | Microsoft Security Essentials | no_virus |
| AV | MicroWorld (escan) | no_virus |
| AV | Norman | Trojan.GenericKD.1942458 |
| AV | Rising | no_virus |
| AV | Sophos | no_virus |
| AV | Symantec | no_virus |
| AV | Trend Micro | no_virus |
| AV | VirusBlokAda (vba32) | Trojan.Proxy |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PhysicalDrive0 |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | \Device\Afd\AsyncConnectHlp |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Network Details:
| DNS | w62.ziyoulonglive.com Type: A |
|---|---|
| DNS | w63.ziyoulonglive.com Type: A |
| DNS | w64.ziyoulonglive.com Type: A |
| DNS | w65.ziyoulonglive.com Type: A |
| DNS | w61.ziyoulonglive.com Type: A |
| DNS | fcba435fd77918d53d0f1664b239c98c62f5848f.b05cb74db2f2347d2de0118d2c12959ba6a23fb9.4.ziyouforever.com Type: MX |
| DNS | 41244068cec62b155405ef36fb848063df6b87b8.a9e3848ddbf8cd2f645d5862c0a74e1600631909.4.ziyouforever.com Type: MX |
| DNS | a7658ee3f3313ef8ac6cac83f3e4579d392a4933.9414916023918e9a6c3d8f9ca84c782033edf553.4.ziyouforever.com Type: MX |
| DNS | 6907c9cb96e88d0e357b8578aae15aa2f7480e1b.f1cd2296ba86a761353882a39decfb093643c26f.4.ziyouforever.com Type: MX |
| DNS | 5c1502585434608d38bd73e0623e09bcc25ac588.3311cf15b74051f9fde7d1bd18ef6360aa07fa7c.4.ziyouforever.com Type: MX |
| DNS | a11085da87a475f1426ca90564471d683f5f420a.e081da69cd918b1cfb9ec56948b17f3a9eb07b2c.4.ziyouforever.com Type: MX |
| DNS | afe3f1179e67ee785103e4a1636c8fda31ac36c7.f94241e0defec6b8fcb557db76c55f30d31e8641.4.ziyouforever.com Type: MX |
| DNS | 715bcc819d00b8ef3e20e20de6d2d137ef140b51.fa251777b1ddc014790b09367abb1a4347003f53.4.ziyouforever.com Type: MX |
| Flows UDP | 192.168.1.1:1031 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.35.193.158:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.65.238.191:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.121.7.4:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 88.85.74.8:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.52.86.4:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 211.115.66.121:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.90.52.20:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.8.89.139:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 192.88.195.10:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.229.52.56:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.124.246.93:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 202.27.17.253:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.169.113.191:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.255.164.59:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 63.90.67.11:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.154.10.26:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.187.73.55:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 209.191.16.131:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.31.161.238:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.108.170.121:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 143.166.82.252:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.155.32.47:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.133.71.220:53 |
| Flows UDP | 192.168.1.1:1031 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.188.56.178:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.210.125.75:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.211.181.4:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.104.12.145:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.227.90.71:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.189.151.150:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.148.218.131:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.33.166.85:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.41.255.155:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.181.225.55:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.64.8.106:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.244.140.201:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.138.151.88:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.27.124.220:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.48.17.114:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.45.90.86:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.60.92.227:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.190.71.167:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.204.197.183:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.205.131.63:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.151.54.94:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.129.129.247:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.25.142.242:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.14.38.100:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.2.148.17:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.78.223.129:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.209.105.242:53 |
| Flows UDP | 192.168.1.1:1032 ➝ 38.179.244.70:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 38.99.76.229:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 88.85.74.8:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 211.115.66.121:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 192.88.195.10:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 202.27.17.253:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 63.90.67.11:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 209.191.16.131:53 |
| Flows UDP | 192.168.1.1:1033 ➝ 143.166.82.252:53 |
| Flows TCP | 192.168.1.1:1034 ➝ 175.181.101.252:443 |
| Flows TCP | 192.168.1.1:1035 ➝ 175.181.114.173:443 |
| Flows TCP | 192.168.1.1:1036 ➝ 1.161.151.225:443 |
| Flows TCP | 192.168.1.1:1037 ➝ 118.169.168.243:443 |
| Flows TCP | 192.168.1.1:1038 ➝ 122.121.11.111:443 |
| Flows TCP | 192.168.1.1:1039 ➝ 114.43.197.79:443 |
| Flows TCP | 192.168.1.1:1040 ➝ 114.27.38.18:443 |
| Flows TCP | 192.168.1.1:1041 ➝ 36.224.10.251:443 |
| Flows TCP | 192.168.1.1:1042 ➝ 64.235.32.206:53 |
| Flows TCP | 192.168.1.1:1043 ➝ 129.66.95.3:53 |
| Flows TCP | 192.168.1.1:1044 ➝ 141.151.0.68:53 |
| Flows TCP | 192.168.1.1:1045 ➝ 211.10.204.5:53 |
| Flows TCP | 192.168.1.1:1046 ➝ 64.80.255.251:53 |
| Flows TCP | 192.168.1.1:1047 ➝ 128.30.52.200:53 |
| Flows TCP | 192.168.1.1:1048 ➝ 208.101.39.236:53 |
Raw Pcap
0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 1603 .. 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 . 0x00000000 (00000) 02 .
Strings
.
.-..
.
.
5.
x...
SC
;
..[
.
.
..
.
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
0D'rdyx
0kk=!q
-0u}%r
~188881~
%+(1HI
1Pk|q-K
1t-h,9
2D>F\yy7s
2Gje@C
2\<(-MUUVVVV
=~35\k-Lf
3CTc(y
3DfXN=
3PR_{GY1
4E@E6M
\(*4NV
56i$0i&
5Eb#g5
6DW=.>
*]#71gf
/7ju=jT
@7N[uPy
7s/uI`
~8880000/01
89]n\~
8aIydO
#8R>44
8V7}R5e
8;vLr2
8|xa1~9
9Dj#il
`%9mJ5
a5g9O;p
a{cA3{
A f'~
}~AG:C
a/jf1E
aKRXK#
AKXh4Pa
a-qy{q
A,^tvQx
>/AwuZ
$`b*!'
b)AW}k
b:f17^
|b[ ;r
bSjv?I
Bspr9a
By:B,&B
!c6E+E
^c7hOZ
c9dk}ft
C|\_e:uEvc\
C#I7oyl'4
c-iQ(Zg
;@ cO=
C-qx{m
c$V9Yp
&C|Vik
^!D75r
d)e&s-
~DiR?]
{;DMI@t'
D#M}VBZc
`d|n hu-
]D@TD,
DVTVU0"
\D<"W.
>E>6Eq
eCFNJE
}E=ja%
!:Ep6e
f18=c9
f31z{n
<F5C3wsJ
f{5Dj%56
fc3~\U
F#E5^E
fl~-qdn
Foazew
/fr$}d
FUyMHsT
FW=|)7G
+|fWP"
fxVW9{
FZ7toKqn
G''+9T
GDi/>L
gDjADV
G @EQt`
GetProcAddress
"gG QUs
:g<]h|
$gn%*A
GRH[`b
`!GT,wF
GXg>;O
H3*v&ct
$h8jg{
hA:}Zv
hdWTZis
|/;!h!p`
hy|E)v
'hYH$
`If/3*z
>@[IHQ
iIH1+\~j
ikw?8`
i)oGb<
i@@@,-P
Ip~Q&*f
iQ`hsE
It_ {v
^(]I-u
i@;ZYd
!J&2UV
%}+J(V
j|Y)4I
-k2sh<
k3JV+4v
kernel32.dll
KGq-xv6n 2
KP*pm:M
'kR2|/
Krs9^.
{Kve7<
L^2 $k
'Lly Yu
LoadLibraryA
?lP~h'O
}ly/nG
~#m{,A
maeW9F4
MB!<N(
mJ 6)G
m<je|z
MLKDc:
>m$Nd_j
mOR_3dB
m?/qQRl
^mS.:Y
M;t&kXQ
:MV &s(
N34;2#
n;_`5b
%<nfLh)
NH xjC
Nu8$SJ
Nvm0ow
"Nw/'0
(o1U*l-i
!(O\>e
.OE5U*
oF?L |<Q
OHk9,>]
O)!\w7
[OXo,3l
oxu#\`
>P60dw7
PEC2=O
p-gd:9
P-@U@VAVX
QSz:Jh"
QX]kfmgzC
*Q,XYAT
]}@~ )'r
r3b+F_
r9hP']@
rB3uc6F|I
rBLUu5
R-_D8K8
RqjDA,
r&}>sp
rw@Ig:{
R'y3=%
r>zZ|u
&S/.<.,
s'0vc,
S7}'fe
s.g{BT
sGmu0D
sJ)S7>n[U
([S_-K4
S)}@NF
S;-+P5**
(s$`W3
S$wDDc-
SZi2;5
t@1( ;
}tE9Vd]
!This program cannot be run in DOS mode.
TmVLzCD
(tOs*p
TU"|/
?TY)3' 3
_)U]@`
u6g@YL
`uCWI-
U-E MG
Uf(U}$
uG&l;6
uGlgEk
uhX{R2
u-iHN.
ulEGf6
>um.%;V
umxxmu
uNR8ow
U"o[~z
>uPxq&
USQWVR
uv3`jS
UVVVWX
Ux^!tZ^
[%V*2)
V$F`PW
VirtualAlloc
VirtualFree
vjBI\B
@#VluK
"vQel=O:
({v#w$
W3R{(`$
W7'po/
#wemSg
<Wj6 BW
w'PJ5)
W#~RLC
wv/=Gz
wx(V,@
.^{xe^^
xpI3Ug
xRWs~ZD8
xUf{g.
- Y1)q
Yot #sb
*yP0xw
YrPpgI/
YYu|9E
`Z^)JNA
z=kA;i
/ZlgX8:
{zp\sL
`Zqd}yH
ZXb^U-
zXsuDJ
Z^_Y[]
Z/y&`?(E