About contagio exchange

CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably), so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, August 19, 2013

Nitedrem strings - CRIME

MD5:  508af8c499102ad2ebc1a83fdbcefecb
Size: 147456

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
Qs1hRsf
Qs*aQs\
Qs$FPs
uRs-
5Bs%
QstjPsh
Os0jPs
Project1
Project1
user32
VB5!
Project1
Project1
Project1
Module1
Project1
user32
CallWindowProcA
kernel32
FindResourceA
LoadResource
LockResource
SizeofResource
FreeResource
GetModuleFileNameA
RtlMoveMemory
VBA6.DLL
__vbaAryCopy
__vbaUI1I2
__vbaUbound
__vbaErrorOverflow
__vbaRedimPreserve
__vbaAryUnlock
__vbaAryLock
__vbaStrCopy
__vbaFreeStr
__vbaAryDestruct
__vbaFreeVar
__vbaStrVarMove
__vbaStrMove
__vbaSetSystemError
__vbaGenerateBoundsError
__vbaAryConstruct2
__vbaExitProc
__vbaCyI2
__vbaCyAdd
__vbaOnError
__vbaCyStr
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
h,3@
5,3@
(SVW
PSVW
,SVW
0SVW
h\!@
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaFreeVar
__vbaStrVarMove
_adj_fdiv_m64
_adj_fprem1
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaExitProc
__vbaOnError
__vbaCyAdd
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaCyStr
_CIsin
__vbaChkstk
__vbaGenerateBoundsError
__vbaCyI2
__vbaAryConstruct2
DllFunctionCall
__vbaRedimPreserve
_adj_fpatan
__vbaUI1I2
_CIsqrt
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaUbound
_CIlog
__vbaErrorOverflow
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
_adj_fdivr_m32
_adj_fdiv_r
__vbaAryLock
_CIatan
__vbaStrMove
__vbaAryCopy
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr
0---------------------------------------snip
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

Unicode Strings:
---------------------------------------------------------------------------
@*\Ac:\Project1.vbp
1000000
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName
Project1
FileVersion
1.00
ProductVersion
1.00
InternalName
Project1
OriginalFilename
Project1.exe