About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on contagio or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Saturday, August 10, 2013

Bladabindi strings - CRIME

File: fe3e87a746bbf71268a35dfc43a6396d1ef3a92e33b99e1350317183edb66da6
MD5:  82f0aeb7ce7c448b763055a10726ed7b
Size: 28672

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
+%((
!%((
!%((
!%((
F,KsG
7%((
B%((
3%((
3 r)
B%((
BSJB
v2.0.50727
#Strings
#GUID
#Blob
<Module>
System.Runtime.CompilerServices
RuntimeCompatibilityAttribute
.ctor
CompilationRelaxationsAttribute
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
Microsoft.VisualBasic.Devices
Computer
System.Diagnostics
DebuggerHiddenAttribute
System
Object
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
Microsoft.VisualBasic
HideModuleNameAttribute
MyGroupCollectionAttribute
RuntimeHelpers
GetObjectValue
Equals
GetHashCode
Type
RuntimeTypeHandle
GetTypeFromHandle
ToString
Activator
CreateInstance
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
m_ThreadStaticValue
User
get_GetInstance
System.ComponentModel.Design
HelpKeywordAttribute
System.Threading
Mutex
System.IO
FileInfo
System.Net.Sockets
TcpClient
Conversions
ToBoolean
System.Reflection
Assembly
GetExecutingAssembly
get_Location
Exception
Microsoft.VisualBasic.MyServices
RegistryProxy
ServerComputer
get_Registry
Microsoft.Win32
RegistryKey
get_CurrentUser
String
Concat
CreateSubKey
DeleteValue
ProjectData
SetProjectError
ClearProjectError
GetValue
SetValue
Boolean
Operators
CompareString
Environment
get_MachineName
get_UserName
ComputerInfo
get_Info
get_OSFullName
Replace
GetEnvironmentVariable
ToLower
RegistryKeyPermissionCheck
GetValueNames
get_Length
DateTime
FileSystemInfo
get_LastWriteTime
System.Text
Encoding
get_UTF8
GetBytes
Convert
ToBase64String
FromBase64String
GetString
Random
Next
get_Chars
get_Default
Array
System.Collections.Generic
List`1
MemoryStream
ings
CompareMethod
Split
Write
ToArray
Stream
Dispose
System.IO.Compression
GZipStream
CompressionMode
set_Position
Byte
Read
BitConverter
ToInt32
Space
StringBuilder
get_Capacity
Substring
IntPtr
Zero
op_Equality
op_Explicit
StrDup
Process
GetProcessById
get_MainWindowTitle
Interaction
Environ
Conversion
STAThreadAttribute
SessionEndingEventArgs
Thread
Command
ToInteger
WaitForExit
Component
Sleep
GetProcesses
ProcessModule
get_MainModule
get_FileName
get_Id
GetCurrentProcess
EndApp
OpenExisting
ThreadStart
Start
SessionEndingEventHandler
SystemEvents
add_SessionEnding
OpenSubKey
get_FullName
get_LocalMachine
SpecialFolder
GetFolderPath
File
Copy
Load
System.Net
WebClient
System.Drawing
Graphics
Bitmap
Rectangle
Size
get_ProcessName
StartsWith
Int32
NewLateBinding
LateIndexGet
DownloadData
WriteAllBytes
LateSet
LateCall
LateGet
CompareObjectEqual
OrObject
System.Windows.Forms
Screen
get_PrimaryScreen
get_Bounds
get_Width
get_Height
Image
FromImage
CopyPixelOperation
CopyFromScreen
Cursor
Cursors
Point
get_Position
Draw
GetThumbnailImageAbort
GetThumbnailImage
System.Drawing.Imaging
ImageFormat
get_Jpeg
Save
Clone
ConditionalCompareObjectEqual
get_Message
get_Handle
Socket
get_Client
SocketFlags
Send
get_Connected
Monitor
Enter
SelectMode
Poll
get_Available
Exit
Receive
Contains
ParameterizedThreadStart
Disconnect
set_ReceiveTimeout
set_SendTimeout
set_SendBufferSize
set_ReceiveBufferSize
Connect
AppWinStyle
Shell
Delete
DeleteSubKey
DirectoryInfo
get_Name
get_Directory
get_Parent
Exists
DebuggerStepThroughAttribute
Keys
Clock
Keyboard
StreamWriter
get_LocalTime
Enum
get_ShiftKeyDown
get_CapsLock
ToUpper
ChrW
Char
ReadAllText
AppendText
set_AutoFlush
Remove
Close
TextWriter
WriteAllText
xryeywjzze.exe
avicap32.dll
user32.dll
kernel32
user32
ntdll
kernel32.dll
mscorlib
MyApplication
xryeywjzze.My
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
xryeywjzze
m_ComputerObjectProvider
m_AppObjectProvider
m_UserObjectProvider
m_MyWebServicesObjectProvider
.cctor
get_Computer
get_Application
get_User
get_WebServices
GetType
Create__Instance__
instance
Dispose__Instance__
NtSetInformationProcess
hProcess
processInformationClass
processInformation
processInformationLength
capGetDriverDescriptionA
wDriver
lpszName
cbName
lpszVer
cbVer
GetLocaleInfo
Locale
LCType
lpLCData
cchData
GetForegroundWindow
GetWindowThreadProcessId
hwnd
lpdwProcessID
GetWindowText
GetWindowTextA
hWnd
WinTitle
MaxLength
GetWindowTextLength
GetWindowTextLengthA
GetVolumeInformation
GetVolumeInformationA
lpRootPathName
lpVolumeNameBuffer
nVolumeNameSize
lpVolumeSerialNumber
lpMaximumComponentLength
lpFileSystemFlags
lpFileSystemNameBuffer
nFileSystemNameSize
main
sender
Plugin
ByteOfPlugin
ClassName
CompDir
_Lambda$__1
LastAV
LastAS
lastKey
keyboard
Logs
LogsPath
ToUnicodeEx
wVirtKey
wScanCode
lpKeyState
pwszBuff
cchBuff
wFlags
dwhkl
GetKeyboardState
MapVirtualKey
uCode
uMapType
GetKeyboardLayout
dwLayout
GetAsyncKeyState
vKey
VKCodeToUnicode
VKCode
Application
WebServices
GetInstance
MyTemplate
8.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
My.Computer
My.Application
My.User
My.WebServices
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

Unicode Strings:
---------------------------------------------------------------------------
7JU]dkr
!@!X
THPY
[endof]
smsn.exe
AppData
83860fea0c990f39d5ea171ba042db9f
2KrZhNi62YrZhSDYs9mK2LHZgdixINiz2LnZiNiv2Yo=
0.3.6
awrasx10.no-ip.biz
1177
|'|'|
True
Software\Microsoft\Windows\CurrentVersion\Run
Software\
Microsoft
Windows
 Win
PROCESSOR_ARCHITECTURE
yyyy-MM-dd
unknown
abcdefghijklmnopqrstuvwxyz
SystemDrive
" ..
.exe
prof
getvalue
temp
False
start
Send
length
netsh firewall delete allowedprogram "
Software
cmd.exe /k ping 0 & del "
" & exit
netsh firewall add allowedprogram "
" ENABLE
.tmp
yy/MM/dd
??/??/??
[ENTER]
[TAP]
Js2P
ssPP
bsJP2
1s%P
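The dump above is the output of a two-pass string extraction (7-bit ASCII runs, then UTF-16LE runs, which is where .NET user strings such as the C2 host, port, Run key and netsh commands live). The following is an added example, not the author's tooling and not code from the sample: it re-creates that two-pass extraction in Python and adds a small triage pass that groups the extracted strings by the indicator class they suggest (persistence key, firewall tampering, self-delete command, dynamic-DNS host, keylog markers, the family's `|'|'|` field delimiter, and base64 blobs that decode to text). The `SAMPLE` bytes are constructed here from strings quoted on the page and are not the binary; the `API_HINTS` table, the triage labels and the minimum run length are my assumptions. The page's base64 string decodes to a short Arabic phrase rather than binary, so the triage pass reports it decoded.

```python
"""Added example for this post (not the author's tooling): a minimal
re-implementation of the two-pass dump shown above, ASCII strings and then
UTF-16LE "Unicode" strings, plus a triage pass that labels the indicator
classes this sample exposes.  SAMPLE is CONSTRUCTED from strings quoted on
the page; it is not the Bladabindi binary."""
import base64
import re
from typing import Dict, List

MIN_LEN = 4  # GNU strings' default minimum run length (assumption)


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable 7-bit bytes (what `strings -a` reports)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def unicode_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable UTF-16LE code units (what `strings -el` reports)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


# Capability hints keyed on API names that appear in the ASCII section
# (P/Invoke targets show up as plain names in .NET metadata).  Hypothetical table.
API_HINTS = {
    "GetAsyncKeyState": "keystroke capture",
    "ToUnicodeEx": "keystroke capture",
    "capGetDriverDescriptionA": "webcam enumeration (avicap32.dll)",
    "CopyFromScreen": "screen capture",
    "NtSetInformationProcess": "native process-attribute change",
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_text(s: str):
    """Decoded UTF-8 text if `s` is a well-formed base64 blob, else None."""
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(ascii_list: List[str], unicode_list: List[str]) -> Dict[str, List[str]]:
    """Group strings under the indicator class they suggest (labels are mine)."""
    hits: Dict[str, List[str]] = {}

    def add(tag: str, value: str) -> None:
        hits.setdefault(tag, []).append(value)

    for s in ascii_list:
        if s in API_HINTS:
            add(API_HINTS[s], s)
    for s in unicode_list:
        low = s.lower()
        if "\\currentversion\\run" in low:
            add("persistence: Run key", s)
        if low.startswith("netsh firewall"):
            add("firewall rule tampering", s)
        if "ping 0 & del" in low:
            add("self-delete via cmd.exe", s)
        if ".no-ip." in low:
            add("dynamic-DNS host", s)
        if s.isdigit() and 1024 <= int(s) <= 65535:
            add("possible port", s)
        if s == "|'|'|":
            add("field delimiter used by this family", s)
        if s in ("[ENTER]", "[TAP]"):
            add("keylog markers", s)
        if re.fullmatch(r"[0-9a-f]{32}", s):
            add("32-hex identifier", s)
        text = decode_base64_text(s)
        if text is not None:
            add("base64 text", f"{s} -> {text}")
    return hits


def render(data: bytes) -> str:
    """Lay the result out in the two-section format used in the post."""
    out = ["Ascii Strings:", "-" * 75, *ascii_strings(data), "",
           "Unicode Strings:", "-" * 75, *unicode_strings(data)]
    return "\n".join(out)


# CONSTRUCTED sample: the page's strings laid out the way a .NET PE carries
# them (ASCII metadata names, then UTF-16LE user strings), with non-printable
# filler in between.
ASCII_SRC = [b"!This program cannot be run in DOS mode.", b"GetAsyncKeyState",
             b"capGetDriverDescriptionA", b"CopyFromScreen",
             b"NtSetInformationProcess", b"avicap32.dll", b"xryeywjzze.exe"]
UNICODE_SRC = ["smsn.exe", "83860fea0c990f39d5ea171ba042db9f",
               "2KrZhNi62YrZhSDYs9mK2LHZgdixINiz2LnZiNiv2Yo=", "0.3.6",
               "awrasx10.no-ip.biz", "1177", "|'|'|",
               "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
               'netsh firewall delete allowedprogram "',
               'cmd.exe /k ping 0 & del "',
               'netsh firewall add allowedprogram "', "[ENTER]", "[TAP]"]
SAMPLE = (b"MZ\x90\x00\x03" + b"\x00\x01".join(ASCII_SRC) + b"\xff\xfe"
          + b"\x00\x00\x01\x00".join(u.encode("utf-16-le") for u in UNICODE_SRC)
          + b"\x00\x00")

if __name__ == "__main__":
    print(render(SAMPLE))
    for tag, values in triage(ascii_strings(SAMPLE), unicode_strings(SAMPLE)).items():
        print(f"{tag}: {values}")
```

Run it against a real file by replacing `SAMPLE` with the file's bytes; the UTF-16LE pass is the one that matters for .NET samples like this one, since the ASCII pass only yields metadata names and import stubs. The triage labels are starting points for a report, not verdicts: a dynamic-DNS host or a `netsh firewall` string is strong context next to the Run key and keylog markers, but each should still be confirmed by looking at the code that uses it.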