About contagio exchange

CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just MD5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, August 11, 2013

Alina POS v.5.6 strings - CRIME

File: Alinav5.6-POS_5A22ED78B6454E34217D07C4AF37B23B
MD5:  5a22ed78b6454e34217d07c4af37b23b
Size: 167936






Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
   ASimpson
Passolino
Form1
spiegatbene
schiena
povera
VB5!6&*
Tipo 99
Palco Magia 01
Simpson
Z$31
Passolino
nonva
Nanna
Simpson
Form
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
povera
spiegatbene
schiena
user32.dll
CallWindowProcA
KERNEL32.DLL
VirtualAllocEx
hP;@
kernel32
GetLocalTime
GetSystemTime
VerLanguageNameA
h<<@
advapi32
IsTextUnicode
user32
AppendMenuA
GetMenuItemID
h,=@
GetSystemTimeAdjustment
h|=@
winspool.drv
ClosePrinter
gdi32
TextOutA
h(>@
comdlg32.ocx
GetWindowHandle
Powrprof
GetPwrCapabilities
GetNumberFormatA
h,?@
DrawTextA
hp?@
olepro32.dll
OleTranslateColor
GrayStringA
advapi32.dll
ClearEventLogA
hp@@
LoadKeyboardLayoutA
ShowCursor
TrackPopupMenu
hHA@
LocalFileTimeToFileTime
BackupEventLogA
ExtTextOutA
h$B@
_lclose
hdB@
AddAccessAllowedAce
AddAce
AllocConsole
h8C@
AllowSetForegroundWindow
__vbaFreeObj
AnimateWindow
h D@
VBA6.DLL
__vbaSetSystemError
__vbaErrorOverflow
__vbaAryDestruct
__vbaEnd
__vbaAryUnlock
__vbaAryLock
__vbaGenerateBoundsError
__vbaFreeVar
__vbaFreeStr
__vbaHresultCheckObj
__vbaStrVarVal
__vbaObjSet
__vbaRedim
__vbaAryConstruct2
=C/v
Form1
Nanna
Form1
h`D@
h=N@
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaFreeVar
__vbaEnd
_adj_fdiv_m64
_adj_fprem1
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaAryConstruct2
DllFunctionCall
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
_CIlog
__vbaErrorOverflow
_adj_fdiv_m32i
_adj_fdivr_m32i
_adj_fdivr_m32
_adj_fdiv_r
__vbaAryLock
_CIatan
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeStr
__vbaFreeObj
asma = 175, 175, 888, 627, , 25, 25, 738, 477, C
SergioLeone = 0, 0, 821, 452,
guccienike = 0, 0, 0, 0, C, 154, 121, 867, 573, C
passa = 0, 0, 0, 0, C, 75, 75, 788, 527, C

Unicode Strings:
---------------------------------------------------------------------------
AKKRIKKIO
KIS22
AATTRIKKIA
OLTREMARE
TUTO
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
Comments
Do not use this section to promote
CompanyName
Dropbox, Inc.
LegalTrademarks
An item kept in custody of a third party
ProductName
A specific trade directed towards
FileVersion
2.02.0012
ProductVersion
2.02.0012
InternalName
Tipo 99
OriginalFilename
Tipo 99.exe