About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.

Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here. It often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5 hashes. You can find the corresponding samples on Contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, August 12, 2013

COOKIES Cookiebag Dalbot strings - APT (2)

File: COOKIEBAG_sample_543E03CC5872E9ED870B2D64363F518B
MD5:  543e03cc5872e9ed870b2d64363f518b
Size: 126976

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich#
.text
`.rdata
@.data
---------------------------snip
string too long
invalid string position
Unknown exception
 (8PX
700WP
`h````
ppxxxx
(null)
GAIsProcessorFeaturePresent
KERNEL32
e+000
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#INF
1#IND
1#SNAN
Sleep
CreateThread
CloseHandle
GetProcAddress
LoadLibraryA
GetStartupInfoA
CreatePipe
ReadFile
TerminateProcess
WriteFile
GetModuleFileNameA
GetShortPathNameA
MultiByteToWideChar
GetLastError
WideCharToMultiByte
KERNEL32.dll
InternetSetCookieW
InternetOpenW
InternetCloseHandle
InternetSetOptionW
InternetCrackUrlW
InternetConnectW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestExW
InternetWriteFile
HttpEndRequestA
HttpQueryInfoW
InternetQueryDataAvailable
InternetReadFile
WININET.dll
WS2_32.dll
RtlUnwind
ExitProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetCommandLineA
GetVersion
HeapFree
RaiseException
HeapAlloc
SetFilePointer
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
HeapSize
GetModuleHandleA
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
CreateFileA
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CreateFileW
SetEndOfFile
http://66.228.132.53:80/EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
C:\unknow.zip
Content-Length
Content-Type
application/x-www-form-urlencoded
GGGGG
command
qwert
.asp
sleep:
exit
quit
content=
download
reqpath=
savepath=
upfile
command=
 start Cmd Failure!
Q3JlYXRlUHJvY2Vzc0E=
kernel32.dll
CreatePipe(echo) failed!!!
CreatePipe(cmd) failed!!!
no file!
download file failure!
 download over!
&FILECONTENT=
FILENAME=
Reqfile not exist!
 upfile over!
reqfilepath
reqfile
.html
?ID=
postvalue
postdata
postfile
hostname
clientkey
EEEEE
YzpcXHdpbmRvd3NcXHN5c3RlbTMyXFxjbWQuZXhl
word.exe
Y21kLmV4ZQ==
path
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjj
(null)
POST
AMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
</html>
<html>
utf-8
; expires=Thu, 01-Jan-1970 00:00:01 GMT
         (((((                  H