About contagio exchange

CONTAGIO EXCHANGE
Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Thursday, August 22, 2013

njRat / Backdoor.LV strings - APT



C2 checkin
lv|'|'|TndfQzQyNjRFQkI=|'|'|VICTIM|'|'|Examiner|'|'|2013-06-21|'|'|USA|'|'|Win XP ProfessionalSP2 x86|'|'|No|'|'|0.5.0E|'|'|..|'|'|Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXBhZA==|'|'|[endof]act|'|'| Y3B0YnRfUHJvY2Vzc19SZWdpc3RyeV9GaWxlX0luZm8ubG9nIC0gTm90ZXBhZA==

File: njRAt_1D3BAEDD747F6F9BF92C81EB9F63B34B
MD5:  1d3baedd747f6f9bf92c81eb9f63b34b
Size: 110080







Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
.text
`.sdata
.rsrc
@.reloc
BSJB
v2.0.50727
#Strings
#GUID
#Blob
wLoader
<Module>
aMFlARt1Q2Bj1GVfZb
TD4myOW8ixbVmc0wCF
Object
System
mscorlib
fQYL7B84mmJRdrU3KK
GfSviSAGX5kNVrRoZY
aFguFaGnjXmFgmttaZ
ValueType
RUej1ecCdtNqx4qyoM
guN1kS1eOL6oGKDdfE
qTLWMJmEALehonqjh3
WRCy8fERBet5ywu0Kk
sdZpRUVSS7koDSkkEh
f66BTcSdkEN4CEx3t9
EdNNrCxD0HPEKJXTqU
cPPppT6E99CCcPIf6S
xhBRQknOm7ZDQSrnwO
MNIggEySGpHlVvbxVb
a7kQPSIYJdDIMumlgB
qpZ9r73GjGh2QOug7o
dxM2gVhfcEpIBZpCwk
DYcOPVvOJfyvEp1xkV
sbY9iqoWovmWWJ0nUM
RuDD0QLOk5emcZN8wg
DObaIugU0tWLbjpFmw
GaUC5HQsYK5prBvdTs
.cctor
Void
Int32
JFaSnjXmF
Char
tmtxtaZPU
yj16eCdtN
String
Sx4nqyoM1
JN1ykSeOL
moGIKDdfE
qTL3WMJEA
sehhonqjh
ITfjAvlKX
ResolveEventHandler
.ctor
IntPtr
AssemblyName
System.Reflection
CKxtUKuut
Assembly
ResolveEventArgs
GjMWFlAR1
Stream
System.IO
DeflateStream
System.IO.Compression
BinaryReader
CompressionMode
IDisposable
Dispose
u2B8j1GVf
NblAD4myO
Byte
dixGbVmc0
ACFccQYL7
AppDomain
S4m1mJRdr
H3KmKbfSv
MemoryStream
DSGEX5kNV
Evidence
System.Security.Policy
wRoVZYdFg
paRvCy8fR
Seto5ywu0
l3tX9kdNN
Boolean
zkoLdZpRU
kS7gkoDSk
Type
EEhQG66BT
gdk4EN4CE
OIgCgESGp
wCDr0HPEK
UXTeqUWPP
RuntimeFieldHandle
Dictionary`2
System.Collections.Generic
set_Item
ContainsKey
FpTFE99CC
gPIKf6Srh
SRQwkOm7Z
AQSDrnwOZ
Array
XlVfvbxVb
a7kiQPSYJ
Encoding
System.Text
aDIkMumlg
ShppZ9r7G
aGhb2QOug
Vo85xM2gV
U0nTUMquD
A0QZOk5em
fZNY8wgfO
GaINuU0tW
CcEUpIBZp
CwkMiYcOP
jOJufyvEp
gxk0VLbY9
DqWRovmWW
Monitor
System.Threading
Exit
tbj2pFmwb
WUCO5HsYK
HprPBvdTs
kYaq7siC4
o6lBweZhC
RuntimeTypeHandle
ocwltVChh
EKjJySowb
uCS761TpG
nrqaYDHku
AxbsJWV5c
wu3H1bo1v
X0H9Jljie
dnazyPxpw
R3wjdfxfni
aT4jj0s3ah
add_ResourceResolve
jtIjt1KKdl
Convert
ToBase64String
a0kjWSQ0uD
get_Default
g2Hj8OOgZD
get_Evidence
ayLjAIClxx
get_Name
px5jGJrLDg
get_CurrentDomain
goxjcb5MhH
add_AssemblyResolve
TX5j1lm2m1
Load
u43jm9xksu
GetExecutingAssembly
agnjE8tCcs
MOQjVy6O5F
SQHjSsn9Ta
VkqjxNRl1s
BgVj6XlEda
v4sjnqjyHh
Write
qmGjy1grJG
ReadInt32
BO7jIyv5sV
ExecuteAssemblyByName
F35j3joZVJ
wLTjhXpY8U
SetData
Uyfjvx24AE
ToArray
vofjoVxSNa
Concat
RoTjLBF0qa
GetBytes
fdajgqJRhS
GetData
HCJjQEJ15S
Read
dwOj4beDhk
Enter
YVojXRKUic
GetTypeFromHandle
uIejrjpqIe
ReadBytes
MyMjeCViWv
ToLowerInvariant
ifsjFCCE4D
GetManifestResourceNames
RVsjKwdaRU
RuntimeHelpers
System.Runtime.CompilerServices
InitializeArray
BBSjw85Zv7
GetManifestResourceStream
wLoader.g.resources
STAThreadAttribute
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
_CorExeMain
mscoree.dll

Unicode Strings:
---------------------------------------------------------------------------