About contagio exchange

CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and so is Mila, so this has not been a very active site (my fault, probably). I will just be dumping malware strings here - they often help in malware identification, and googling them is the best way.
With just strings this is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5 hashes. You can find the corresponding samples on contagio, or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Friday, August 16, 2013

Torpig miniloader strings - CRIME

File: Torpig miniloader_0F82964CF39056402EE2DE9193635B34
MD5:  0f82964cf39056402ee2de9193635b34
Size: 242688

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richw]
.text
`.data
.rsrc
becH
C:\TEST\bar.txt
RSDS
packaigee.pdb
9Jhu
---------------------snip
<Tv6
UrlIsW
PathGetDriveNumberA
SHRegWriteUSValueW
StrFormatKBSizeW
PathIsDirectoryA
PathIsDirectoryEmptyA
PathRemoveBlanksA
SHLWAPI.dll
EnumResourceLanguagesA
VirtualAlloc
FillConsoleOutputCharacterW
SetEvent
GetDriveTypeA
DosDateTimeToFileTime
HeapAlloc
ClearCommBreak
WriteFileEx
InterlockedIncrement
OpenEventW
OpenThread
CreateTimerQueue
RemoveDirectoryW
GetProcessHeap
GetFileInformationByHandle
WritePrivateProfileStructA
SetVolumeMountPointW
GetVolumeInformationW
RequestDeviceWakeup
MapUserPhysicalPages
GetFullPathNameA
GetFileSize
GetThreadContext
FreeConsole
SizeofResource
GetBinaryTypeA
GetPrivateProfileIntW
FindVolumeClose
SetMailslotInfo
kernel32.dll
fQlk
----------------------------snip
Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
Brau Holding International AG
FileDescription
Paulaner tool
FileVersion
4.0.0012
InternalName
paulaner.exe
LegalCopyright
 Brau Holding International AG. All rights reserved.
OriginalFilename
paulaner.exe
ProductName
Brau Holding International AG
 Paulaner tool
ProductVersion
4.0.0012
VarFileInfo
Translation
====================================
File: Torpig miniloader_83419EEA712182C1054615E4EC7B8CBE
MD5:  83419eea712182c1054615e4ec7b8cbe
Size: 247808

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richw]
.text
`.data
.rsrc
becH
C:\TEST\bar.txt
RSDS</
nantietive.pdb
IM9M
=jsk
-------------------------snip
R64XR
p0Drt
<Tv6
UrlIsW
PathGetDriveNumberA
SHRegWriteUSValueW
StrFormatKBSizeW
PathIsDirectoryA
PathIsDirectoryEmptyA
PathRemoveBlanksA
SHLWAPI.dll
EnumResourceLanguagesA
VirtualAlloc
FillConsoleOutputCharacterW
SetEvent
GetDriveTypeA
DosDateTimeToFileTime
HeapAlloc
ClearCommBreak
WriteFileEx
InterlockedIncrement
OpenEventW
OpenThread
CreateTimerQueue
RemoveDirectoryW
GetProcessHeap
GetFileInformationByHandle
WritePrivateProfileStructA
SetVolumeMountPointW
GetVolumeInformationW
RequestDeviceWakeup
MapUserPhysicalPages
GetFullPathNameA
GetFileSize
GetThreadContext
FreeConsole
SizeofResource
GetBinaryTypeA
GetPrivateProfileIntW
FindVolumeClose
SetMailslotInfo
kernel32.dll
]o=+{
ttH_r
--------------------------snip

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
Brau Holding International AG
FileDescription
Paulaner tool
FileVersion
4.0.0012
InternalName
paulaner.exe
LegalCopyright
 Brau Holding International AG. All rights reserved.
OriginalFilename
paulaner.exe
ProductName
Brau Holding International AG
 Paulaner tool
ProductVersion
4.0.0012
VarFileInfo