Analysis Date: 2015-01-30 10:49:59
MD5: 549a84d7f258c9cc9d66cb1a63f6be7e
SHA1: fd0ddc2aaf621cfcacdcfab9697670ccd08d40e4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 395abb5abda9ffdeed485a9f3d03d6d5 sha1: 72a6a6a5e084eef38848a046cb2862e57adf76bb size: 107008
Section .rsrc: md5: 9ae764925aec5a7b2d137277c20f0b6a sha1: 8585834b764a5b38152c79f17a83bc453f38a349 size: 16896
Timestamp: 2008-03-25 14:56:23
Version:
  LegalCopyright: Copyright (C) 2003-2008
  InternalName: Freegate
  FileVersion: 0, 0, 0, 0
  CompanyName:
  PrivateBuild:
  LegalTrademarks:
  Comments:
  ProductName: Freegate Application
  SpecialBuild:
  ProductVersion: 0, 0, 0, 0
  FileDescription: Freegate Application
  OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: 25a842cfdbd602db94346359780a8952610f327e
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV: 360 Safe: no_virus
AV: Ad-Aware: Trojan.Generic.12585716
AV: Alwil (avast): no_virus
AV: Arcabit (arcavir): Trojan.Generic.12585716
AV: Authentium: W32/Trojan.GFKE-6343
AV: Avira (antivir): TR/Proxy.124928
AV: BullGuard: Trojan.Generic.12585716
AV: CA (E-Trust Ino): no_virus
AV: CAT (quickheal): no_virus
AV: ClamAV: no_virus
AV: Dr. Web: Trojan.Proxy.3292
AV: Emsisoft: Trojan.Generic.12585716
AV: Eset (nod32): no_virus
AV: Fortinet: PossibleThreat
AV: Frisk (f-prot): no_virus
AV: F-Secure: Trojan.Generic.12585716
AV: Grisoft (avg): no_virus
AV: Ikarus: Virus.Win32.Agent
AV: K7: Backdoor ( 04c4c8501 )
AV: Kaspersky: no_virus
AV: MalwareBytes: no_virus
AV: Mcafee: Generic.dx
AV: Microsoft Security Essentials: no_virus
AV: MicroWorld (escan): no_virus
AV: Rising: no_virus
AV: Sophos: no_virus
AV: Symantec: no_virus
AV: Trend Micro: no_virus
AV: VirusBlokAda (vba32): Trojan.Proxy
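The static fields above (file type, subsystem, compile timestamp, per-section md5/sha1 and size) are read straight from the PE headers, and they are what you compare against a sample you hold locally before trusting the rest of the report. The following Python is an added example, not part of this report or of the analysed binary: it parses those fields from a PE32 with only the standard library, and it runs on a constructed minimal PE32 (two tiny sections, the report's timestamp value) rather than on the sample. It also flags the case a practitioner most often trips over, a truncated file, whose section hashes can never match a report. The assumption that the report's Timestamp is shown in UTC is marked in the code.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Layouts from the PE/COFF spec (little-endian).
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                              # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                              # NumberOfLinenumbers, Characteristics
SUBSYSTEMS = {2: "GUI", 3: "CUI"}


def parse_pe(data: bytes) -> dict:
    """Return timestamp, subsystem and per-section hashes the way a sandbox report lists them."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            # A short file (partial download, carved sample) silently shortens the slice; flag it,
            # otherwise the hashes above cannot be compared with a report's.
            "truncated": len(raw) != raw_size,
        })
    return {
        "machine": machine,
        "pe32": magic == 0x10B,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        # TimeDateStamp is seconds since the Unix epoch, rendered here in UTC (assumption: the
        # report's Timestamp field is UTC too). A packer may rewrite it, so treat it as a hint only.
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(text_bytes: bytes, rsrc_bytes: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE32 (not the analysed sample): DOS header, PE header, two sections.

    Section data is laid back to back with no file-alignment padding; enough for the parser
    above, but Windows would not load it."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                          # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)            # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    coff = struct.pack(COFF_FMT, 0x14C, 2, timestamp, 0, 0, len(opt), 0x0102)  # i386, 2 sections, EXE|32BIT
    text_ptr = len(dos) + 4 + 20 + len(opt) + 40 * 2
    rsrc_ptr = text_ptr + len(text_bytes)
    sec_text = struct.pack(SECTION_FMT, b".text", len(text_bytes), 0x1000, len(text_bytes), text_ptr,
                           0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    sec_rsrc = struct.pack(SECTION_FMT, b".rsrc", len(rsrc_bytes), 0x2000, len(rsrc_bytes), rsrc_ptr,
                           0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_rsrc + text_bytes + rsrc_bytes


# The report's timestamp, 2008-03-25 14:56:23 UTC, as a Unix epoch value.
SAMPLE_PE = build_sample_pe(b"abc", b"a", 1206456983)
SUMMARY = parse_pe(SAMPLE_PE)

if __name__ == "__main__":
    print("Timestamp:", SUMMARY["timestamp"], "Subsystem:", SUMMARY["subsystem"])
    for s in SUMMARY["sections"]:
        print(f"Section {s['name']}: md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}"
              + (" (TRUNCATED)" if s["truncated"] else ""))
```

Run it against a real file by replacing SAMPLE_PE with the file's bytes; when the section hashes differ from the report's, check the truncated flag before concluding you have a different build. The packer line above (PECompact) is a reminder that the .text hash and the timestamp describe the packed container, not the original program.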

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: f6f71516d2a7200871bb9eb99ea0e21ff27f.1.ziyouforever.com Type: A
DNS: w61.ziyoulonglive.com Type: A
DNS: w62.ziyoulonglive.com Type: A
DNS: 45ed16d2c4a7351255fcd6af3bda7f378f9f.1.ziyouforever.com Type: A
DNS: w63.ziyoulonglive.com Type: A
DNS: w64.ziyoulonglive.com Type: A
DNS: 92d1d4daae487ce979e52994036945f4b42b.1.ziyouforever.com Type: A
DNS: w65.ziyoulonglive.com Type: A
DNS: f3fa14a662aba7a5b1b39eee1418da8daf68.1.ziyouforever.com Type: A
DNS: 1ca3ef4715fa0e917c58c91ac7199892c717.1.ziyouforever.com Type: A
DNS: 8e892888cb199bddc66dad1e6d748fe67326.1.ziyouforever.com Type: A
DNS: 840fae211e72099adf860eee0fdba8c7bdab.1.ziyouforever.com Type: A
DNS: ba9d09a343a2e9572d65f305955c720294a3.1.ziyouforever.com Type: A
DNS: 7b0bdb1b82b72096f5e6a2c0c10d438c43b1.1.ziyouforever.com Type: A
DNS: 6e05e82431c20155456350f5aadfbc7ed160.1.ziyouforever.com Type: A
DNS: e2ed84344745b07be5d98e7ee9ed5b573434.1.ziyouforever.com Type: A
DNS: 7c65c2c11bff7eddeaf23ba7c8c40856a01e.1.ziyouforever.com Type: A
DNS: a2e01c5779a77c980db617153e885ae61bf4.1.ziyouforever.com Type: A
DNS: b330e482d3b77780c939047e2e4894922c21.1.ziyouforever.com Type: A
DNS: 06bc9cdf7268af6c8a8f6d7cc2add1c8204d.1.ziyouforever.com Type: A
DNS: 3ce360d07e06005ae3a289c4cf7662bd23da.1.ziyouforever.com Type: A
Flows: UDP 192.168.1.1:1031 ➝ 205.240.70.176:53
Flows: UDP 192.168.1.1:1032 ➝ 205.240.70.176:53
Flows: UDP 192.168.1.1:1033 ➝ 205.19.127.196:53
Flows: UDP 192.168.1.1:1033 ➝ 205.25.32.238:53
Flows: UDP 192.168.1.1:1031 ➝ 64.235.32.200:53
Flows: UDP 192.168.1.1:1033 ➝ 205.223.100.194:53
Flows: UDP 192.168.1.1:1032 ➝ 64.235.32.200:53
Flows: UDP 192.168.1.1:1033 ➝ 205.194.231.90:53
Flows: UDP 192.168.1.1:1031 ➝ 128.171.1.1:53
Flows: UDP 192.168.1.1:1032 ➝ 128.171.1.1:53
Flows: UDP 192.168.1.1:1033 ➝ 205.103.233.103:53
Flows: UDP 192.168.1.1:1033 ➝ 205.203.109.91:53
Flows: UDP 192.168.1.1:1033 ➝ 205.183.239.8:53
Flows: UDP 192.168.1.1:1033 ➝ 205.152.82.6:53
Flows: UDP 192.168.1.1:1031 ➝ 195.42.172.3:53
Flows: UDP 192.168.1.1:1032 ➝ 195.42.172.3:53
Flows: UDP 192.168.1.1:1033 ➝ 205.116.200.216:53
Flows: UDP 192.168.1.1:1031 ➝ 64.80.255.251:53
Flows: UDP 192.168.1.1:1032 ➝ 64.80.255.251:53
Flows: UDP 192.168.1.1:1033 ➝ 205.75.221.22:53
Flows: UDP 192.168.1.1:1033 ➝ 205.44.184.140:53
Flows: UDP 192.168.1.1:1031 ➝ 202.153.97.2:53
Flows: UDP 192.168.1.1:1033 ➝ 205.171.38.85:53
Flows: UDP 192.168.1.1:1032 ➝ 202.153.97.2:53
Flows: UDP 192.168.1.1:1033 ➝ 205.130.75.251:53
Flows: UDP 192.168.1.1:1031 ➝ 206.114.174.10:53
Flows: UDP 192.168.1.1:1032 ➝ 206.114.174.10:53
Flows: UDP 192.168.1.1:1033 ➝ 205.246.174.169:53
Flows: UDP 192.168.1.1:1033 ➝ 205.57.23.242:53
Flows: UDP 192.168.1.1:1031 ➝ 205.240.70.176:53
Flows: UDP 192.168.1.1:1033 ➝ 205.161.56.45:53
Flows: UDP 192.168.1.1:1033 ➝ 205.230.99.22:53
Flows: UDP 192.168.1.1:1033 ➝ 205.175.11.46:53
Flows: UDP 192.168.1.1:1033 ➝ 205.176.240.7:53
Flows: UDP 192.168.1.1:1033 ➝ 205.143.232.118:53
Flows: UDP 192.168.1.1:1033 ➝ 205.174.33.180:53
Flows: UDP 192.168.1.1:1033 ➝ 205.108.81.129:53
Flows: UDP 192.168.1.1:1033 ➝ 205.104.172.82:53
Flows: UDP 192.168.1.1:1033 ➝ 205.18.129.88:53
Flows: UDP 192.168.1.1:1033 ➝ 205.107.55.208:53
Flows: UDP 192.168.1.1:1033 ➝ 205.248.185.252:53
Flows: UDP 192.168.1.1:1033 ➝ 205.30.69.235:53
Flows: UDP 192.168.1.1:1033 ➝ 205.172.136.142:53
Flows: UDP 192.168.1.1:1033 ➝ 205.204.8.113:53
Flows: UDP 192.168.1.1:1033 ➝ 205.229.219.83:53
Flows: UDP 192.168.1.1:1033 ➝ 205.195.194.50:53
Flows: UDP 192.168.1.1:1033 ➝ 205.235.184.110:53
Flows: UDP 192.168.1.1:1033 ➝ 205.144.93.50:53
Flows: UDP 192.168.1.1:1033 ➝ 205.168.69.148:53
Flows: UDP 192.168.1.1:1033 ➝ 205.5.92.94:53
Flows: UDP 192.168.1.1:1033 ➝ 205.111.1.25:53
Flows: UDP 192.168.1.1:1033 ➝ 205.91.107.73:53
Flows: UDP 192.168.1.1:1033 ➝ 205.254.111.12:53
Flows: UDP 192.168.1.1:1033 ➝ 205.52.139.237:53
Flows: UDP 192.168.1.1:1033 ➝ 205.149.160.129:53
Flows: UDP 192.168.1.1:1033 ➝ 205.160.187.18:53
Flows: UDP 192.168.1.1:1033 ➝ 205.164.191.237:53
Flows: UDP 192.168.1.1:1033 ➝ 205.179.52.189:53
Flows: UDP 192.168.1.1:1033 ➝ 205.201.221.63:53
Flows: UDP 192.168.1.1:1033 ➝ 205.12.36.215:53
Flows: UDP 192.168.1.1:1033 ➝ 205.72.96.157:53
Flows: UDP 192.168.1.1:1033 ➝ 205.125.181.110:53
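Two things in the Network Details above are worth turning into detection logic rather than just reading: the queried names whose leftmost label is a 36-character hex string under ziyouforever.com (alongside the short w61..w65 labels under ziyoulonglive.com), and the UDP/53 flows from the one sandbox host to dozens of distinct servers, mostly in 205.0.0.0/8, instead of to a single configured resolver. The following Python is an added example, not part of this report: it parses a handful of the DNS and flow entries above (copied from the report, with one constructed benign query as a negative control) and applies both checks. The minimum hex-label length of 32, the fan-out threshold of 5 distinct servers and the two-label registered-domain rule are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: the first DNS and Flows entries of the report above, written with an ASCII
# arrow, plus one constructed benign query (www.example.com) as a negative control.
REPORT_LINES = """\
DNS: f6f71516d2a7200871bb9eb99ea0e21ff27f.1.ziyouforever.com Type: A
DNS: w61.ziyoulonglive.com Type: A
DNS: w62.ziyoulonglive.com Type: A
DNS: 45ed16d2c4a7351255fcd6af3bda7f378f9f.1.ziyouforever.com Type: A
DNS: w63.ziyoulonglive.com Type: A
DNS: 92d1d4daae487ce979e52994036945f4b42b.1.ziyouforever.com Type: A
DNS: www.example.com Type: A
Flows: UDP 192.168.1.1:1031 -> 205.240.70.176:53
Flows: UDP 192.168.1.1:1032 -> 205.240.70.176:53
Flows: UDP 192.168.1.1:1033 -> 205.19.127.196:53
Flows: UDP 192.168.1.1:1033 -> 205.25.32.238:53
Flows: UDP 192.168.1.1:1031 -> 64.235.32.200:53
Flows: UDP 192.168.1.1:1033 -> 205.223.100.194:53
Flows: UDP 192.168.1.1:1032 -> 64.235.32.200:53
Flows: UDP 192.168.1.1:1033 -> 205.194.231.90:53
Flows: UDP 192.168.1.1:1031 -> 128.171.1.1:53
Flows: UDP 192.168.1.1:1032 -> 128.171.1.1:53
"""

DNS_RE = re.compile(r"^DNS:\s+(\S+)\s+Type:\s+(\S+)")
FLOW_RE = re.compile(r"^Flows:\s+(UDP|TCP)\s+(\S+?):(\d+)\s+(?:->|➝)\s+(\S+?):(\d+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{32,}$")   # assumed minimum length for a hash-like label


def parse_report(text: str):
    """Split report lines into (name, qtype) queries and (proto, src, sport, dst, dport) flows."""
    queries, flows = [], []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            queries.append((m.group(1).rstrip(".").lower(), m.group(2)))
            continue
        m = FLOW_RE.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            flows.append((proto, src, int(sport), dst, int(dport)))
    return queries, flows


def registered_domain(name: str) -> str:
    """Last two labels. Fine for .com; wrong for ccSLDs such as co.uk, where a suffix list is needed."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def hashlike_subdomains(queries):
    """Map registered domain -> leftmost labels that look like hashes (long, pure hex)."""
    hits = defaultdict(list)
    for name, _qtype in queries:
        first = name.split(".")[0]
        if HEX_LABEL_RE.match(first):
            hits[registered_domain(name)].append(first)
    return dict(hits)


def resolver_fanout(flows, threshold: int = 5):
    """Map source IP -> sorted distinct UDP/53 destinations, for sources that hit >= threshold servers.

    A normal client talks to one or two resolvers; a process carrying its own list of DNS servers
    (as the flows above show) stands out by destination count, whatever the queried names are."""
    servers = defaultdict(set)
    for proto, src, _sport, dst, dport in flows:
        if proto == "UDP" and dport == 53:
            servers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in servers.items() if len(dsts) >= threshold}


QUERIES, FLOWS = parse_report(REPORT_LINES)
HASH_HITS = hashlike_subdomains(QUERIES)
FANOUT = resolver_fanout(FLOWS)

if __name__ == "__main__":
    for domain, labels in HASH_HITS.items():
        print(f"hash-like labels under {domain}: {len(labels)}")
    for src, dsts in FANOUT.items():
        print(f"{src} queried {len(dsts)} distinct DNS servers: {', '.join(dsts)}")
```

Both checks are host-agnostic: the hex-label rule would still fire if the operator moved to a fresh domain, and the fan-out rule needs only the flow table, so it works on NetFlow or firewall logs where query names are not recorded. Tune the threshold against your own baseline; hosts running a local recursive resolver legitimately contact many authoritative servers on port 53.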

Strings
/
..r
V$
I
%4
o
.
...t
./
..
..
0, 0, 0, 0
040904b0
Comments
CompanyName
Copyright (C) 2003-2008
FileDescription
FileVersion
Freegate
Freegate Application
freegate.EXE
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
)@@*(,(
0mLGz]
0q&nnC
!1^-$[
	1~(||
~188881~
1+/d(`
	1|MZ|2
+*&1;-;o
&1xP>N
2cq`&w
2File corrupt.
2irt`1
2\<(-MUUVVVV
%2Y~j,
]3yFt_
4rX]4Z
4v-zREB
#5\`F2w
5h)6g?
5S]Gje
5TpWlp
@`;:5X}X
6YD'Pch
7apN_}_
7G	mK^>G"
~8880000/01
(8@bCd9a
/8Xc8]
9cBD/X}
9@tbmI
a6I<,P
a~icgxX/.}
Application error
+A.R/{
a['vbC
|AXj;L+#
A&Z6yz
B$'_36y
BdAM	|
Bpf]49
C0X	}#
_Cj\B,
CloseHandle
$CrScV,g
+CV,/E
[CWxZ+
C;Y}7T
_d6hz3W
D*8dnn
D*BrD@
^|.dE,
D!:nLz
|DNM<x}EZ
D$QHgN
]Ds-Qd
D$<SUV
>E>6Eq
ed in the DLL %s.4ordinal %d
F)1CcS
f:DO&?v
}+f+E?U
/f*;"H1z}]
fN-	Mt$
f*N:WKF<:
fp,fhO$
FRX	`!
F):Y-0
(FY}3,Rc
fYc@`r`
G''+9T
${gb:V
GetModul
GetProcAddress
g*ML le
G!-*`r
GraC=z
]G{s96
 Gz/ "U
h2W6UF
hdWTZis
H[Kv0}
h]"QW@
h"WWsltPeT
'I08Im
i0t<c	A
I"]K*"
i@@@,-P
irQ;	a
i@;ZYd
J[IP4a
. J NeC
<K9<+N
[kAEyi
KCC-Mh
K-:dw.
kernel32.dll
KF8	ps
K[@{kaV
l2.-PF
L#h'2-
l[+KvN
L$,m  I
LoadLibraryA
LS~q_Z
&LTXLz%
MessageB
M^`:{FJ^
MLKDc: 
M}>oF9
MvCWhf
;mx(mh
N34;2#
n9-{97
*N?E1P
nel32.dll
.N~FhJ|K
N/$H"-
n:jKQ.%
<!nkoM
nT60%~&BY
n'tjT*
nT:}yte
nY6hsj
nY-o"+-@R
N>zg`l
:O?1~&
O=fdtI
o<g&dg
om[T;j
-"Oq7ic"N
O="wZ0/*
p3ev~?rk
P65qVY
PECompact2
p"`Fs;	
-PJN=a
pj\ 	Of
pRf0@m#D
 procedure %s could not be locat
P-@U@VAVX
Pwt/<U
px5_UM
q1+_fq
Q5b\f0
qd,',G
&qFQ@l
%q&jcK
qm"|*e?
Q!*r&\
Q>{R.a
 $Qw"x
QX]kfmgzC
{~R{+:
r0C%%lR
R/$[d7
RHR~\N
r)Jn7vQ
=rkn;\
rLd#Qh
|RNTHG
ruqADTI-
-Rw@j"J
R]ypb[
	S(2Yy
>s6t}\
#sb[\Z
 seFry
S;-+P5**
St:QcI$
SYv"J3
$S'Z>F/
T1SmL_
tC*B@x
\$T;\$H
T_H?9{
T$H9T$T
!This program cannot be run in DOS mode.
t.!*p]dp:D\1
TProtect
twE7ELK
|$T;|x
ualFree
uaRPg*H> c
@Uda;'
/UE#%u
U#FjPG
UJrV)	
um2v5U
U%M8 E.
umxxmu
u_o(kvna
u{qbyZ
UqD4x#
u^:R=G
|uRx/-
user32
USQWVR
<US;"w
uUU_+q
UVVVWX
UYm'$>
^Va8dS	R
/vI6hY
VirtualAlloc
VirtualFree
vjBI\B
/-vVIIW
> {,!w
(	%#_W
w1#':*S
WBL) qL
wGuDH@
wsprintfA
W*+{>VS{
+*X$-'1
xayM=I":HF
XC{*l5
xj''3R
xk0f95
XUN(\a
@xwdTIpj
<y|J$$_
<Yjdi|
YM4$eR
[yNnrcz
"y$+^?S
$}?*Z>
ZAN)W]
ZJc_R#
ZNF,yI.
^z'oa6 
^z[VlD1
Z^_Y[]