About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Friday, August 16, 2013

Chebri.C strings - CRIME

File: Chebri_B605C8E99315C330A015F36DE2A870EE
MD5:  b605c8e99315c330a015f36de2a870ee
Size: 8704






Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
.rdata
@.data
.reloc
iqsoyyo
czgorvv
dzzrsap
acndvrb
hkppjev
nbdcisi
Rh~f
Rh~f
h4A@
%|0@
%t0@
%p0@
%l0@
%x0@
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
AANCHODAACHEV_AND_BRIANKREBS_GOT_MARRIED
24131194125.com
>3>8>>>D>O>U>a>s>
F0S0`0t0
0:1F1R1]1j1w1
2%2.272?2H2T2_2l2
3$303I3k3p3
4$4*40464<4B4H4N4T4Z4`4

Unicode Strings:
---------------------------------------------------------------------------
\regsrv33.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registaation
regsrv33.exe


=======================
File: Chebri_B1960078B67184BFBE3A1B351DC38471
MD5:  b1960078b67184bfbe3a1b351dc38471
Size: 8704

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
.rdata
.data
.reloc
Rh~f
Rh~f
h4A@
%|0@
%t0@
%p0@
%l0@
%x0@
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
DANCHODANCHEV_END_BRIANKREBS_GOT_FARRIED
aquartmale.org
>3>8>>>D>O>U>a>s>
F0S0`0t0
0:1F1R1]1j1w1
2%2.272?2H2T2_2l2
3$303I3k3p3
4$4*40464<4B4H4N4T4Z4`4

Unicode Strings:
---------------------------------------------------------------------------
\regsrv34.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registrations
regsrv34.exe

=================================
File: Chebri_AF93638AC05F9636550C1959127D1471
MD5:  af93638ac05f9636550c1959127d1471
Size: 7964

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
jRich
.text
`.rdata
@.data
.reloc
Rh~f
Rh~f
h4A@
%|0@
%t0@
%p0@
%l0@
%x0@
WS2_32.dll
SHSetValueW
SHLWAPI.dll
ExitProcess
lstrlenA
CreateProcessW
WaitForSingleObject
GetModuleHandleW
GetTickCount
Sleep
CopyFileW
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetLastError
LocalAlloc
lstrcatW
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
ShellExecuteW
SHGetSpecialFolderPathW
SHELL32.dll
AANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED

Unicode Strings:
---------------------------------------------------------------------------
\regsrv32.exe
dows\Cur
Soft
ware\
on\R
Microso
rentVersi
ft\Win
%s%s%s%s%s%s%s%s
Microsoft DLL Registaation