About contagio exchange

CONTAGIO EXCHANGE

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it's not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Thursday, June 7, 2012

022 Crime Win32/Bakcorox.A - proxy bot - web - June 7, 2012

Download (archive password: infected)


pcap file



DNS query:  day7read.info
DNS response:  day7read.info ⇒ 74.207.249.7
Connects to:  day7read.info:443 (74.207.249.7)
Sends data to:  8.8.8.8:53
Sends data to:  day7read.info:443 (74.207.249.7)
Receives data from:  8.8.8.8:53
Receives data from:  day7read.info:443 (74.207.249.7)
 
Traffic
GET favicon.ico HTTP/1.1
Host: bcProxyBot.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.2.0)
Cookie: 0800277B8CC8admin-0b1297ec9
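
The request above is the most useful artifact on this page for detection, so here is an added example (not code from the original post and not from the sample's author): it parses the captured request, reports which of the three indicators visible in it match, and decodes the cookie under an assumption the page does not confirm, namely that its first twelve hex digits are the infected host's MAC address (08:00:27 is the OUI used by VirtualBox virtual NICs, and the binary imports GetIfTable, which returns adapter hardware addresses), followed by an account or host tag, a dash and a hex id. The two benign requests in the input are constructed for contrast.

```python
"""Parse the Bakcorox.A beacon above and flag it among other HTTP requests."""
import re
from typing import Dict, List, Optional

# Constructed input for this example: the request captured in the pcap above,
# followed by two benign requests made up for contrast.
SAMPLE_REQUESTS = [
    ("GET favicon.ico HTTP/1.1\r\n"
     "Host: bcProxyBot.com\r\n"
     "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\r\n"
     "Accept-Language: en-us\r\n"
     "UA-CPU: x86\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.2.0)\r\n"
     "Cookie: 0800277B8CC8admin-0b1297ec9\r\n\r\n"),
    ("GET /favicon.ico HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/12.0\r\n"
     "Cookie: sid=4f3c9a1b\r\n\r\n"),
    ("GET / HTTP/1.1\r\n"
     "Host: day7read.info\r\n"
     "Cookie: 0800277B8CC8=1\r\n\r\n"),
]

BEACON_HOST = "bcproxybot.com"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.2.0)"

# Assumed cookie layout (an interpretation of the one captured value, not
# documented by the sample): 12 hex digits that look like a MAC address,
# an account/host tag, '-', then a lowercase hex id.
COOKIE_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{12})(?P<tag>[A-Za-z0-9_]+?)-(?P<id>[0-9a-f]+)$")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into method/target/version plus lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")
    fields = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def decode_cookie(cookie: str) -> Optional[Dict[str, str]]:
    """Decode the assumed cookie layout; None when the value does not fit it."""
    m = COOKIE_RE.match(cookie)
    if not m:
        return None
    mac = m.group("mac").upper()
    pairs = [mac[i:i + 2] for i in range(0, 12, 2)]
    return {
        "mac": ":".join(pairs),
        "oui": ":".join(pairs[:3]),   # first three octets identify the NIC vendor
        "tag": m.group("tag"),
        "id": m.group("id"),
    }


def score_request(req: Dict[str, str]) -> List[str]:
    """Return the indicators this request matches (empty list = no match)."""
    hits = []
    if req.get("host", "").lower() == BEACON_HOST:
        hits.append("host")
    if req.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    if decode_cookie(req.get("cookie", "")) is not None:
        hits.append("cookie-layout")
    return hits


def scan(requests: List[str]) -> List[List[str]]:
    """Score every raw request in the batch."""
    return [score_request(parse_request(r)) for r in requests]


if __name__ == "__main__":
    for raw, hits in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        req = parse_request(raw)
        print(req.get("host"), hits, decode_cookie(req.get("cookie", "")))
```

The Host header and the exact User-Agent are weak on their own (both are trivial for the operator to change); the cookie shape is the part worth keeping in a signature, and the decoded MAC is what you would compare against the infected host's adapters to confirm the interpretation.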

........
SHA256:     edcfde456995f0d5804e5842a460c72d8a806d0f1b76cfdbea4cc414823c57e3
SHA1:     91c4147f6b62ef5e08bc08ee6788282cb7745afc
MD5:     ff705b746d30a8ba3cab5837cc58c3f7
File size:     14.0 KB ( 14336 bytes )
File name:     FF705B746D30A8BA3CAB5837CC58C3F7
File type:     Win32 EXE
Tags:     armadillo
Detection ratio:     29 / 40
Analysis date:     2012-04-30 20:20:32 UTC ( 1 month, 1 week ago )
Antivirus     Result     Update
AhnLab-V3     Trojan/Win32.Hupigon     20120430
AntiVir     TR/Dldr.Flexty.A.32     20120430
Antiy-AVL     Trojan/Win32.Coco.gen     20120430
Avast     Win32:Bakcorox [Trj]     20120430
AVG     BackDoor.Generic15.EEP     20120430
BitDefender     Gen:Variant.Zusy.Elzob.1921     20120430
ByteHero     -     20120424
CAT-QuickHeal     TrojanProxy.Coco.r     20120430
ClamAV     -     20120430
Commtouch     -     20120430
Comodo     UnclassifiedMalware     20120430
DrWeb     Trojan.Proxy.23500     20120430
Emsisoft     Trojan-Downloader.Win32.Flexty!IK     20120430
eSafe     Win32.TRDldr.Flexty     20120430
eTrust-Vet     -     20120430
F-Prot     -     20120430
F-Secure     Gen:Variant.Zusy.Elzob.1921     20120430
Fortinet     W32/Coco.E!tr     20120430
GData     Gen:Variant.Zusy.Elzob.1921     20120430
Ikarus     Trojan-Downloader.Win32.Flexty     20120430
Jiangmin     TrojanProxy.Coco.m     20120430
K7AntiVirus     Proxy-Program     20120430
Kaspersky     Trojan-Proxy.Win32.Coco.r     20120430
Microsoft     TrojanDownloader:Win32/Flexty.A     20120430
NOD32     probably a variant of Win32/TrojanProxy.Bakcorox.A     20120430
Norman     W32/Proxy.AA     20120430
nProtect     -     20120430
Panda     Generic Trojan     20120430
PCTools     -     20120430
Symantec     Backdoor.Trojan     20120430
TheHacker     Trojan/Proxy.Coco.r     20120428
TrendMicro     TROJ_GEN.R47CCCJ     20120430
TrendMicro-HouseCall     TROJ_GEN.R47CCCJ     20120429
VBA32     TrojanProxy.Coco.r     20120430
VIPRE     Trojan-Downloader.Win32.Flexty.a (v)     20120430
ViRobot     -     20120430
VirusBuster     Trojan.PR.Coco!FNKo1kplNQ4     20120430


ssdeep
384:6qg+/QsTq1PELRURctEb+hq9LuIYAAMBk1OFs:/3mZELSuA+ILt4OF
TrID
Win32 Dynamic Link Library (generic) (65.4%)
Generic Win/DOS Executable (17.2%)
DOS Executable Generic (17.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEiD packer identifier
Armadillo v1.71 (this PEiD signature also fires on ordinary MSVC-linked binaries; the section entropies of at most 6.21 and the intact, readable import table below are what an unpacked file looks like, so treat the armadillo tag with caution)
ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:03:10 18:22:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 9216
LinkerVersion............: 10.0
EntryPoint...............: 0x3151
InitializedDataSize......: 4096
SubsystemVersion.........: 5.1
ImageVersion.............: 0.0
OSVersion................: 5.1
UninitializedDataSize....: 0

Portable Executable structural information

Compilation timedatestamp.....: 2012-03-10 17:22:38
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00003151

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096          9014      9216     6.21  2012cebb7ee205fd627a5fe9e602516f
.rdata                16384          1510      1536     4.70  fa78d5393417f7bc7f38042f77199c10
.data                 20480          1172      1536     5.20  18d9f243bc24f2f360a24bb5124cc565
.reloc                24576           808      1024     4.72  ca9a78f5f11bcc7c89a0fd94d13a70f3
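
The per-section entropy column above is the quickest check on a packer-identifier hit, so here is an added example (not from the original post and not operating on the sample's bytes) that computes the same Shannon entropy figure, in bits per byte, over three constructed stand-in section bodies: a repeated x86 prologue, a small string table, and deterministic pseudo-random filler standing in for packed or encrypted code. The classification bands are rules of thumb chosen for this example, not a standard.

```python
"""Section entropy as a sanity check on a packer-identifier hit."""
import hashlib
import math
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pseudo_random(n: int, seed: bytes = b"section") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for packed bytes."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed stand-ins for section bodies (not bytes from the sample):
SECTIONS: Dict[str, bytes] = {
    # a 16-byte x86 function prologue repeated: very regular, so low entropy
    ".text_repeated": b"\x55\x8b\xec\x83\xec\x10\x56\x57\x8b\x7d\x08\x33\xf6\x85\xff\x74" * 600,
    # a string table: printable ASCII with NUL separators, moderate entropy
    ".rdata_strings": b"day7read.info\x00bcProxyBot.com\x00favicon.ico\x00" * 40,
    # packed or encrypted code: close to uniform, entropy near 8
    ".text_packed": pseudo_random(9216),
}


def classify(entropy: float) -> str:
    """Rule-of-thumb bands chosen for this example; the thresholds are heuristics."""
    if entropy >= 7.2:
        return "likely packed or encrypted"
    if entropy >= 6.0:
        return "dense code or data"
    return "plain or repetitive"


def section_report(sections: Dict[str, bytes] = SECTIONS) -> Dict[str, Tuple[float, str]]:
    """Entropy (rounded to 2 places, as PE tools print it) and verdict per section."""
    report = {}
    for name, body in sections.items():
        e = shannon_entropy(body)
        report[name] = (round(e, 2), classify(e))
    return report


if __name__ == "__main__":
    for name, (ent, verdict) in section_report().items():
        print(f"{name:16} {ent:5.2f}  {verdict}")
```

Read against the table above: the real .text at 6.21 sits in the middle band, which is what normally compiled code looks like, while a section that Armadillo or any other packer had compressed or encrypted would sit close to 8. Entropy alone does not prove the absence of a packer (a packer can leave the stub section unencrypted), which is why the import table is the second check.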

PE Imports....................:

IPHLPAPI.DLL
    GetIfTable

ADVAPI32.dll
    RegisterServiceCtrlHandlerW, SetServiceStatus, StartServiceCtrlDispatcherW

KERNEL32.dll
    CreateEventW, GetTickCount, GetTempPathA, SetEvent, WaitForSingleObject, CreateThread, CloseHandle, GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA, Sleep

MSVCRT.dll
    fopen, fwrite, fclose, _errno, _exit, strstr, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, memcpy, atoi, isspace, strchr, strncmp, malloc, free, sprintf, _XcptFilter, memset

SHELL32.dll
    ShellExecuteA

WS2_32.dll
    -, -, -, -, -, -, -, -, -, -, - (11 functions imported by ordinal only, so no names are resolved here)


PE Exports....................:

strdup

First seen by VirusTotal
2012-03-18 20:22:11 UTC ( 2 months, 2 weeks ago )
Last seen by VirusTotal
2012-04-30 20:20:32 UTC ( 1 month, 1 week ago )
File names (max. 25)

    ff705b746d30a8ba3cab5837cc58c3f7.exe
    FF705B746D30A8BA3CAB5837CC58C3F7