About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here; it often helps in malware identification, and googling is the best way.
With just strings, not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, August 12, 2013

Coswid strings - APT

File: D62CD4AD2A919B6ACFA6D49D446DFFDB_svchost.exe_
MD5:  d62cd4ad2a919b6acfa6d49d446dffdb
Size: 19968

See the other MD5s below.

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
PhT@D
hT@D
Qh$q@
hT@D
hTDD
hXDD
h,q@
Qh8q@
h<q@
t$j/
h@q@
hHq@
hLq@
h\q@
hT@D
hdDD
hhDD
h$p@
hdp@
%``@
%d`@
%p`@
%x`@
hSVW
5lDD
>"u:F
XPVSS
%H`@
%D`@
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.update.sektori.org
/update.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjj
jjjjjjj
jjjj
jjjj

================
File: A4BA6540520C375875BF46CF8E19CB7D
MD5:  a4ba6540520c375875bf46cf8e19cb7d
Size: 19968

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
PhT@D
hT@D
Qh$q@
hT@D
hTDD
hXDD
h,q@
Qh8q@
h<q@
t$j/
h@q@
hHq@
hLq@
h\q@
hT@D
hdDD
hhDD
h$p@
hdp@
%``@
%d`@
%p`@
%x`@
hSVW
5lDD
>"u:F
XPVSS
%H`@
%D`@
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.release.pornandpot.com
/google.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjj
jjjjjjj
jjjj
jjjj

=======================

File: 06CD694D383E4951E274878B975B5785
MD5:  06cd694d383e4951e274878b975b5785
Size: 154624

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
RichP
.text
`.rdata
@.data
.rsrc
5 `@
L$tj
Qhdp@
hXp@
hPp@
T$|h8p@
hPp@
h4p@
h4p@
h0p@
h0p@
D$@D
_^]3
D$<SUVWh
L$Lh
T$PQR
5@`@
=<`@
58`@
-0`@
T$Hj@R
D$Hj
L$Lj
_^]3
hH+@
XSVW
_WPS
HHtpHHtl
^h p@
YYh(p@
h$p@
5Dq@
5Dq@
5Dq@
<"u%
F<"t
t9UW
?=t"U
QQS3
PSSW
8"uD
8"uF@
8"u,
@@f9
@@f9
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
DSUVWh
_^][
8MZu
t>j,P
Yt0@
SVWUj
hh*@
]_^[
hp*@
t.;t$$t(
VC20XC00U
SVWU
tEVU
t3x<
]_^[
hhd@
hdd@
h<d@
VWss
Yu!j
=xt@
Vt6P
Yt4^
Y;5,
90tr
Wj@Y3
t7SW
   
@AA;
u,9E
^_[3
^[_3
uiSj
uY;]
pD#U
j #M
j?^;
SUVWu
_^][
QQSV
sN;E
u%C@
VWuBh
tzVS
GIt%
t/Ku
u?Vj
^95`
F;5`
~&WP
SVW3
F;5`
hH+@
uFWWj
"WWSh
9} u
E WW
tMWWS
t@9}
VSh
hH+@
SUVW
_^][
 (8PX
700WP
`h````
ppxxxx
(null)
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
CreateProcessA
CloseHandle
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceA
CreateFileA
CreateDirectoryA
GetCurrentDirectoryA
GetTempPathA
SetProcessPriorityBoost
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
KERNEL32.dll
ShellExecuteA
SHChangeNotify
ShellExecuteExA
SHELL32.dll
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
GetLastError
SetFilePointer
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
SetStdHandle
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
FlushFileBuffers
ATI Negative News.pdf
%s\%s
spoolsu.exe
open
\ATI Negative News
\~unzip012~
Open
 > nul
/c del
COMSPEC
!This program cannot be run in DOS mode.
cRich
.text
`.rdata
@.data
PhT@D
hT@D
Qh$q@
hT@D
hTDD
hXDD
h,q@
Qh8q@
h<q@
t$j/
h@q@
hHq@
hLq@
h\q@
hT@D
hdDD
hhDD
h$p@
hdp@
%``@
%d`@
%p`@
%x`@
hSVW
5lDD
>"u:F
XPVSS
%H`@
%D`@
Sleep
GetShortPathNameA
GetModuleFileNameA
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
lstrlenA
KERNEL32.dll
WS2_32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
WININET.dll
atoi
strcat
strcpy
fclose
fflush
??3@YAXPAX@Z
fwrite
memset
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
_purecall
strlen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
rijndael
.firstwillnessclub.com
/old/google.png
cXVpdA==
Y21k
c2xlZXA=
dW5zdXBwb3J0
Y29ubmVjdA==
+Mozilla/4.0 (compatible; MSIE 8.0; Win32)
%s %s
HTTP/1.1
.exe
kernel32.dll
CreateProcessA
1234567890123456
HTTP/1.1
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
MS User
MS Us
MS User
Micro
bjbjqPqP
 & 6"

Unicode Strings:
---------------------------------------------------------------------------
jjjjjj
(null)
         (((((                  H
IDI_ICON1
jjjj
jjjj
jjjjjjj
jjjj
jjjj
Root Entry
Root Entry
1Table
CompObj
WordDocument
SummaryInformation
DocumentSummaryInformation
Unknown
Times New Roman
Symbol
Arial
SimSun
!),.:;?]}
MS User
MS User