About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013: The community is busy, and Mila too, so this was not a very active site (my fault, probably). I will just be dumping malware strings here; they often help in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just the MD5. You can find the corresponding samples on Contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, September 8, 2013

Vidgrab strings - APT


File: Vidgrab_660709324ACB88EF11F71782AF28A1F0_DW20_.exe__
MD5:  660709324acb88ef11f71782af28a1f0
Size: 118784



....3
HTTP/1.1 301 Moved Permanently
Location:http://windowsupdate.microsoft.com/
Content-Type: text/html
Connection: Keep-Alive
<h1>Bad Request (Invalid Verb)</h1>
.....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
@ANu
RZQV
_^[]
0XA;L$
QQSVW
Yj@h
5,0@
Pj(S
QSVW
CBOu
`SVW
RZV3
6f9O
u:hH
SSSS
Qj@j+@P
$VUh
_^][
0fA;M
Vu%h
VPhT
%D0@
%H0@
%L0@
%P0@
%T0@
%X0@
%\0@
%`0@
%d0@
%h0@
%l0@
hSVW
>"u:F
XPVSS
%t0@
%<0@
Sleep
GetTickCount
VirtualFreeEx
CloseHandle
GetModuleFileNameA
CreateFileA
SetSystemTime
GetLocalTime
GetCurrentThreadId
ResumeThread
GetStartupInfoA
GetVersion
ExpandEnvironmentStringsA
KERNEL32.dll
GetMessageA
PostThreadMessageA
GetInputState
USER32.dll
ADVAPI32.dll
SHSetValueA
SHDeleteValueA
SHLWAPI.dll
memset
__CxxFrameHandler
_except_handler3
strcat
??3@YAXPAX@Z
??2@YAPAXI@Z
memcpy
memcmp
fclose
fwrite
fopen
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
X[XXX\Z\
[]W\VH
ZHVG
01+x(*7?*9XX5x;9667,x:=x*-6xXX16x
x57<=vUUR|[\Zd[[
x\@e
1;0[
W\[H
Y\8XX
[H[\
XVySY^XX
PZVRZ\Z[
MZ]HZ\xZ\XXHZZ
XXZMx[JKp[PX[
^UZGZKZmZ[[k\l
]JX8{XX
ZT8yXX<ZPW[PH%
PUWQWHRHZ
RWWSv,= ,ZM
ZO\[Z
8v*<9,9X
{UZI|IT\GP]Z
hgXZC[P\
ZT^[Zp
v*=47;XX@
YZMZIK
XJZTR[ZO
RWWSWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH_\WHWH\H
m@xXH[#d
P-@^y
uZhZu
',HX
+V0X
ZBX[-P
-------------snip
[-~[}
%TX,I_
ZcZTR
[Tb]TPyXH
vZTJ@W[WHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHRH8
Z\[K
ZP&Z\(Z\8Z\
Z\dZ\DZ\rZ\[|b{XX
ZTHZP
UDZ\jZ\
Z\[x
ZD[Px]
ZPZ_P[z
ZQPMZQ[t
VhZCX8
Zx[p
ZP[D_\Z
\C[t[\
Vh[E
[p`ZP[D
_@[t[\
Vh[x+
[T[\
L[P[}Z\
ZT:*X"&
Rp~J8jJZFW[XXG
 XX[
1*,-94
*==X
XX=,
<<*=++XX
1:*9*!
XX/Y
7<-4=
96<4=ZL-_
=*+176XX
4==(XvX
47+^nX
kjv<44XXaZ
=Xx,
=*.1;=
,9,-Z"YZXy
=?1+,=*^A
,*4],*
^#*X
Z/;+,75:Z>
+,*6;(!X
\mXPH
Z>KWXWY
161,Z
PXZ59]
9<2-+,
r1.M
{t_\
KP8XX
ZPXX
.;07+,\5^
[91Ju]
W^WHWHWHWHVHSoftwa
re\rar
WYWHWHWHWHWHWHWHWH
XWHWHWHWHWHWHZH
*=9,=
0Z_<K{
=*6=4
[JW\WHWHWH
SWHWHWHWHWHWHWHWH^H
ZSYhOhXX
heisj
j9j,j#jXX
jZkXXBk~k
kXlXXPlWlNlxl
luljl`lXXel
l8l5l,l
m9mXX?m*m'm
mWnynXD%n
|Z[X8hXX0h
h\iHi
iZzW[WHWHWHWHWHWHWHWH
[WHWHWHWHWHWHWHWHWHWHXXXXX
>=>>>:Z\
ZPEX[[~[]W\WH?>>0!
jVWM
NLQYLXX_S
]_PPQJ
LKPXX
SQZ[
334Z\
HZH!vh
ZPxIz
J~\H
Jp\p
\pu\X]+\@
M9Zh
ZPlW]V[4^'>XHn{>>r?<>
5?8]W
ZP.ZQ[\>>
.ZZ>><M`ZNL
[P>.]M
ZKZiZ[[k\l]JZ^][
?>j?]TW^
?>v)\RW]WHUHZ,&;UKSV
Z_J_ZI&
Z%Zt>
ZP{]ZL_[z\X
L[RQ]>>
#ZNZ
> ZP
ZtZ__[Zp|_TWPWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWH
Z\FZ\TZ\hZ\xZ\
Z\0Z\
Z\nZ\VZ\@Z\
?>(Z\
Z\rZ\2hZZ\FZ\
?>~Z\[T
},DZ4jZ\
Z\TZ\
Z\~[
Z\[t
pZ\VZ\HZ\
Z`Z\
Z\zZ\dZ\VZ\
Z\tZ\ZZ\DZ\
?> Z\
Z|VZPDZ\
[TZ\
?>$Z\
Z\lZd
Z\VZ\DZ\
Z\LZ\ZZ\hZ\
JxZ\
Z\xZ\h
Zt$Z\:Z\
Z\JZ\ZZ\K
rVZ\FZ\
?>2Z\(Z\
Z\~Z\vZ\
nZ\dZ\ZZ\PZ\
Z\FZH[
ZDJZ\[T
Z\[D
ZP&Z\6Z\jZ\
]zZ\
Z@[|
?>lZ\`Z\
Z\NZ\\
=Z\nZ\|Z\
Z\ Z\RZp
ZPDZ\^Z\rZ\
Z\0Z\
Z\BZ\XZ\jZ\xZ\
Z<@Z\
Z\*ZD
Z\*j<
Z\.Z@$Z\
ZH4ZxKX
JT[P
J46JL
ZTtZ\bZ\LZ\
Z@[l:
QZ\MZ\K
ZP4Z\5Z\
7ZP6Z\+Z\
3ZP*
2ZT1Z\,Z\
.Z\>Z\
Z\[L[\
>Z#[RYXQ\
JSN>>x>L>W>[X
>P>Z>R>G>p>_>SZH[r
YyZD_>\ZZ[ZR[J>>
}ZhN>J
M>KZz[>
ZRbZ\
fZ_>*4>kP
[TWPZ[F+
IJBYXZPmQXJI_L[bsW]LQMYXZVbwPJ[LP[J
{FNRQPXL[L\JRRWxQLSMbmJQXXL_Y[
~_\]Z[XYVWXXTURSPQNOLMJKHIFG
XDec`a^WGQGEBC@A>>mX
[z[\KYnLWHWR[Y[Z
mvwxj
r^NZ@iZ
G]rZL}R[_L
Z\cZ\
2CZ\BZ\eZ\EZ\^Z\@Z\
raZP
mXXJ_LJ
NNRW]_JWQP
[([`WDZD
QD[R[]J
s[@^ZW_^M^hs_WR^JZ
nR_G
x[n_KM[WtQNTJ[tL[HWQK
jL_]UQ
p[FJWLhQR
^HzQIP]JZ
PsKJ[PL|LJ
XvQZ
_xx_HQLWJ[
Q@mJ']V[
[iPhz
Qtl[
NXL[M\uTtz
T@|Q
hYVJ
{pk[{>
r[X_W}hzqdXipZ
}lqrr
rq}uy
pks_U
m[N_L
_j8]
hZ\j'>
}QSNJ
>NxczA\LtWCJtv{rl(PPz{r[
wpm{lj[S>
nlXZwpj
m}l{{J
{f{}`Pkj{[E]DZ
m{r{}]h
vqs[u
{pz]l
n[Tm
>Zt{m}\|}P
rZt}H}r{
lZ$j
|\l|L
>3:]34P
X]LG
ZDM[|
]}LGNX
J[Zu[G
t>oo
Zc>]PJ
>{ZWJZg>w{
KJQI
Tmqxji
[dH@h[LM
M9W[:_U_HH\
[F[ZxRQ_Z
J_NJ
X_ZRR
[LLQ<=LS]M>qKJRX
avjjn[<QL
PLYT[D
n_MMIQLZZ}\Hm[LH
klr[
UhkM[[)Q
W<PL[DS<\H]<P8[LZ'>[P
\nqnk
L[}L[_XJJ[wPMJ_P]L
LL_LG
>RN>
^pZFWpUpA
[PChmsjDXn
Nh\D^T
]]QKPJ
{S_WRZ%Z
[tZW>[PO
Z:`:
MM_YWPY
mXxK\MGMJ[SbnLQX*
W`XJb_`pjb}KLL[PJ~
GPBs[W
>>{4,
iPL^
Wt$\h{x^
[h[L[
ZZ*Fz
.s_P_Y
>kln
g8` SL[$KLW,Z,qXXW][bZv[
W&>>
xW[RZM>VJJNM
]Z_>
mJLz
>]_w
mWYPKX
ZDanmjql{Z
FZMZ[@{
ZIR[p[I\Oh
kPWP
fWYWHWHWHWHWHWHWH
(WHWHWHWHWHWHWHZH[M[J
O@MVQ[
UL,\VOPWWxPA^Q{m{jzdRJ:
^BW_WH]HW
]~W^QH'
!JKN
|Oz,{
MbXHE
}XXx
Q}WRWHWHRH
RU\Svu\_W]WHO'WHWHPHhltH
^KW_VH
]?ZL
c;=Z_\T[PIZYmgmZ_
K[KW\WHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
YWHWHWHWHWHWHWHWHWH>mqxji
XXl{bsW]LQMQXJb
]JXXWH[
m[JKNbwPMJ_RXXR[Z
}QSNQP[PJMbEXX
XX}x
-------------------------snip
VwZt
i:&mv]v
mvri=
0>Z
n`YLQ]
]xJVnm[`zrr>X>wZ
Pz]P[J}V[]U}QPPJL*+
Jlwp{j\8
RIL>
QI{F][N
3>0j
JGN[z;XQ~~k
{~fj
>WYWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWH_H
Z.>>2ZT"
>~PX>>
>^>>
>>nXX>>>A
>>b?>>
 XP>>5
)zx!
zdXX
z>XX
>>&j
ZXJj>
JVIj,
$J^M
KN>>
>>:?>>
j0YXk>
CYXj
VJH=
xYYJ^
>[[>
_zFXX
8zFq
hjN`
ZHjJ
 >?kW>EZ
>.?>Jz
zX+>re
Zxm:hO
mzt_
zbXZn
>>xX>
?>rJ,2
?>"J
z0~?
EY\j
n?>Z
'I]*4
4IXZ
\LJLD
jJZR
>^?>yPJ
>N?>2YY
5Y]j
sJb@
@YXj
JT4XH
8xPT
?>^Z<
?>bJ
jPW[WHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWH
WHWHWHWHWHWHWHWHWHWHWHWHWHWHWHWHXX>>>>>>>
I7TS
[ba^
WriteProcessMemory
VirtualAllocEx
kernel32.dll
VirtualAlloc
GetProcAddress
GetModuleHandleA
VirtualProtect
LoadLibraryA
VirtualFree
SOFTWARE\KasperskyLab\AVP6\environment
ProductRoot
SOFTWARE\KasperskyLab\protected\AVP9\settings
Ins_ProductPath
\UIFramework\uiWinMgr.exe
SOFTWARE\TrendMicro\Vizor
ProductPath
Kernel32.dll
\avp.exe
\klwtblfs.exe
SOFTWARE\KasperskyLab\protected\AVP12\environment
\wmifw.exe
ReadProcessMemory
CreateThread
Sleep
GetThreadContext
CreateProcessA
%SystemRoot%\System32\svchost.exe
Shlwapi.dll
SHGetValueA
VirtualProtectEx
%temp%\tmp092.tmp
ExpandEnvironmentStringsA
Software\rar
data
\fxsst.dll
%SystemRoot%
wwwwwx
wwwwx
wwwwwwwx
wwwwww
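The long runs of WHWHWH... in the dump above are what a short repeating XOR key looks like in strings output: wherever the encoded data is zero padding, the key itself shows through. Combined with the VirtualAllocEx/WriteProcessMemory/GetThreadContext imports that follow, that is the usual signature of an embedded second-stage executable. The next step an analyst takes is to recover the key without guessing it, by sliding the DOS stub message ("This program cannot be run in DOS mode.") over the blob as known plaintext: at the true offset ciphertext XOR plaintext is the key stream, which must repeat with a short period. The following is an added example, not code or data from the original post; the two-byte key and the blob it decodes are constructed, and nothing here is Vidgrab's actual key.

```python
"""Recover a short repeating XOR key from a blob suspected of holding an
XOR-encoded PE, using the DOS stub message as known plaintext, then carve
the decoded PE. Added example; the key and sample blob are constructed."""
from itertools import cycle
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode."
MAX_KEY_LEN = 8  # assumption: keys longer than this are not searched


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key[0] applies to data[0])."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def _period(seq: bytes, max_len: int) -> Optional[int]:
    """Smallest p <= max_len with seq[i] == seq[i+p] for every i, else None."""
    for p in range(1, max_len + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None


def recover_key(blob: bytes, known: bytes = DOS_STUB,
                max_key_len: int = MAX_KEY_LEN) -> Optional[Tuple[int, bytes]]:
    """Slide the known plaintext over the blob. At the true offset,
    ciphertext XOR plaintext is the key stream, which repeats with a short
    period; elsewhere it looks random. Returns (offset, key) with the key
    rotated so that key[0] lines up with blob[0], or None."""
    n = len(known)
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], known))
        p = _period(stream, max_key_len)
        if p is None:
            continue
        phase = off % p  # stream[0] is key[phase]
        key = bytes(stream[(m - phase) % p] for m in range(p))
        return off, key
    return None


def carve_pe(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Decode the blob and return (key, bytes from the last 'MZ' before the
    DOS stub), or None when no key is found."""
    hit = recover_key(blob)
    if hit is None:
        return None
    off, key = hit
    decoded = xor(blob, key)
    mz = decoded.rfind(b"MZ", 0, off)
    if mz == -1:
        return None
    return key, decoded[mz:]


def build_sample(key: bytes = b"WH", junk: int = 17) -> bytes:
    """Constructed stand-in: a junk prefix, then an XOR-encoded 'PE' that is
    just a DOS header with the stub text at 0x4E and zero padding. Over the
    padding the key shows through as the repeated pattern (here WHWH...)."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    pe[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return b"\x90" * junk + xor(bytes(pe), key)


if __name__ == "__main__":
    found = carve_pe(build_sample())
    if found:
        key, pe = found
        print("key:", key, "carved", len(pe), "bytes starting", pe[:2])
```

The recovered key comes back rotated to the blob's first byte, so decoding the whole blob with it is correct regardless of where the payload starts. If this finds nothing, the payload is either keyed with something longer than MAX_KEY_LEN, built at runtime, or compressed rather than XORed, and the next stop is the code around VirtualAlloc/WriteProcessMemory under a debugger.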

Unicode Strings:
---------------------------------------------------------------------------
IZQD
3$wG
IDI_ICON5
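The parts of this dump worth keying on are the remote-process memory and thread APIs (VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, VirtualProtectEx, GetThreadContext, ResumeThread, CreateProcessA), the Kaspersky and Trend Micro registry paths read through SHGetValueA, the svchost.exe path, the %temp%\tmp092.tmp and \fxsst.dll file names, and the pipe-delimited check-in string at the top. As an added example, not code from the original post: a minimal strings extractor in the spirit of the Ascii Strings / Unicode Strings sections above, with indicator buckets filled from this post's strings. The blob it runs on is constructed from those strings and is not the Vidgrab sample; the check-in regex is shaped only from the single string seen here.

```python
"""Minimal `strings`-style extractor plus indicator triage. Added example;
the byte blob it runs on is constructed from strings seen in this post and
is not the Vidgrab sample itself."""
import re
from typing import Dict, List

# Indicator buckets, drawn from the import and data strings listed above.
INDICATORS: Dict[str, List[str]] = {
    # allocate/write/protect memory in another process
    "remote_memory_apis": ["VirtualAllocEx", "WriteProcessMemory",
                           "ReadProcessMemory", "VirtualProtectEx"],
    # create or steer a process/thread (the other half of an injection chain)
    "thread_control_apis": ["CreateProcessA", "GetThreadContext",
                            "ResumeThread", "CreateThread"],
    "dynamic_resolution": ["LoadLibraryA", "GetProcAddress"],
    # installed-AV product paths, read via SHGetValueA
    "av_registry_keys": ["SOFTWARE\\KasperskyLab\\", "SOFTWARE\\TrendMicro\\"],
    # drop locations, a DLL name, a registry key and the svchost.exe path
    "host_artifacts": ["%temp%\\tmp092.tmp", "\\fxsst.dll",
                       "%SystemRoot%\\System32\\svchost.exe", "Software\\rar"],
}

# Shape of the pipe-delimited check-in string seen above (assumption drawn
# from one sample): two-letter tag | (dotted IPv4) | number | Win<version>
BEACON = re.compile(r"[A-Z]{2}\|\(\d{1,3}(?:\.\d{1,3}){3}\)\|\d+\|Win")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs and UTF-16LE runs of at least min_len chars,
    which is what the 'Ascii Strings' / 'Unicode Strings' sections hold."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_run.finditer(data)]
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Bucket extracted strings by indicator category (substring match)."""
    found = extract_strings(data)
    report = {
        cat: sorted({s for s in found if any(ind in s for ind in inds)})
        for cat, inds in INDICATORS.items()
    }
    report["beacon_format"] = [s for s in found if BEACON.search(s)]
    return report


def injection_capable(report: Dict[str, List[str]]) -> bool:
    """Heuristic: imports to write another process's memory AND to create or
    steer a thread in it. Suggestive of injection, not proof."""
    return bool(report["remote_memory_apis"]) and bool(report["thread_control_apis"])


def build_sample() -> bytes:
    """Constructed blob: indicator strings separated by non-printable filler,
    plus one UTF-16LE resource name, mimicking a data section."""
    pieces = [
        b"WriteProcessMemory", b"VirtualAllocEx", b"GetThreadContext",
        b"ResumeThread", b"CreateProcessA", b"GetProcAddress",
        b"SOFTWARE\\KasperskyLab\\protected\\AVP9\\settings",
        b"%SystemRoot%\\System32\\svchost.exe", b"\\fxsst.dll",
        b"HK|(172.16.253.130)|1067|WinXP|D|L|No",
        "IDI_ICON5".encode("utf-16le"),
    ]
    return b"\x00\x01\x02".join(pieces) + b"\x00"


if __name__ == "__main__":
    result = triage(build_sample())
    for category, hits in result.items():
        print(f"{category}: {hits}")
    print("injection capable:", injection_capable(result))
```

The injection heuristic is deliberately weak: it only fires when a remote-memory API and a thread/process-control API both appear as plain strings. A sample that resolves them through LoadLibraryA/GetProcAddress (both present in the list above) need not show any of them, which is why the AV registry paths, the drop file name and the check-in format are the more durable things to pivot on.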