About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila is too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Saturday, August 10, 2013

Andromeda Bot strings - CRIME

File: Andromeda_85F908A5BD0ADA2D72D138E038AECC7D_DHL-LABEL-ID-2456-8344-5362-5466.exe_
MD5:  85f908a5bd0ada2d72d138e038aecc7d
Size: 57344

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.rsrc
Dekykol
Apiy
Cisosy
YzonJulud
m;Ycic
CyfT
Q%Ubi
*XqL`ut
Jajide
eqap
fepou
?Aba
SCaly
lanyb
LPUhe
Ymim
.pNyg
Icocu
GlobalAddAtomA
etModuleHand
bExitProcess}>U
W?TlsS
Vdue
Lsa:RemoteUserName+>
B$Cur
ntHw
stActivePopup&DragObje
ilogBoxPa*
`.data
.iP_0G
.rsrc!PNN
XPTPSW
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
xLoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
LsaGetRemoteUserName
EndDialog

Unicode Strings:
---------------------------------------------------------------------------
Asap Pou
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
H%oq#
FileVersion
3, 3, 1
rhx1F1nOQ47l5Kx
e43gcFd7o7YEjkBCQ
NIx28MsDMo
QhRm8njucR
5tsIqwfMunMe4bpderR
JmhLC5nLlU
x8ROYKgFYI823ft
FRtB7iGqmvSoVGKU
qcvUg5tX6W
jp5kvmv56M
N5YwKBAulTJUUnWW8ju7
6JxvwpYeaWGQk
GFaGM1GapC23GeDVl
j3qE4kPbcTGj
fYGRiarf3CrNYwX
7imWFQYD5pY1xUXKJilK
LegalCopyright
Edgy 2002 2007
OriginalFilename
Gang.exe
ProductVersion
3 3 541
VarFileInfo
Translation
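The "Ascii Strings" and "Unicode Strings" sections above are the two halves of a plain strings dump. As an added example (not code from the Contagio Exchange post, and not the tool Mila used), here is a minimal extractor that produces both halves and then keeps only the strings worth searching on: Win32 API names, module names and version-resource keys, which survive packing far better than the short random byte runs that fill most of the listing. The byte buffer, the `NAME_PATTERNS` heuristics and the function names are my own constructions.

```python
import re
from typing import List

# Constructed stand-in for a PE file (not the Andromeda sample from the post):
# a DOS stub message, a little binary noise, an ASCII import-table fragment
# and a UTF-16LE version-resource fragment.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"\x01`[^H5\x00h2%[\x00\x7f"              # short junk like the 4-char runs in the post
    + b"KERNEL32.DLL\x00LoadLibraryA\x00GetProcAddress\x00VirtualProtect\x00"
    + b"\xfe\x10"
    + "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "Gang.exe".encode("utf-16-le") + b"\x00\x00"
)

def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII bytes (the 'Ascii Strings' section)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

def unicode_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len UTF-16LE chars, i.e. printable byte + 0x00 (the 'Unicode Strings' section)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

# Heuristics (my own) for the strings worth googling: API names, module names
# and resource keys. Raising min_len is the other cheap way to drop the noise.
NAME_PATTERNS = [
    re.compile(r"^(?:[A-Z][a-z0-9]+){2,}[A-Z]?$"),       # CamelCase: LoadLibraryA, OriginalFilename
    re.compile(r"^[A-Za-z0-9_]+\.(?:DLL|dll|EXE|exe)$"),  # modules: KERNEL32.DLL, Gang.exe
    re.compile(r"^[A-Z][A-Z_]{5,}$"),                     # constants: VS_VERSION_INFO
]

def identifiers(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII and Unicode strings that look like API, module or resource names."""
    found = ascii_strings(data, min_len) + unicode_strings(data, min_len)
    return [s for s in found if any(p.match(s) for p in NAME_PATTERNS)]

if __name__ == "__main__":
    for s in identifiers(SAMPLE):
        print(s)
```

On a real file, read it with `open(path, "rb").read()` in place of `SAMPLE`; the CamelCase pattern also catches packer-generated pseudo-words such as `YzonJulud`, so treat the list as candidates to search, not as a verdict.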