About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. It is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Monday, August 12, 2013

Taleret strings - APT (2)

File: Taleret_5328CFCB46EF18ECF7BA0D21A7ADC02C
MD5:  5328cfcb46ef18ecf7ba0d21a7adc02c
Size: 126976
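The listing below is plain strings-tool output. As an added example (not part of the Contagio post or the sample), the Python below pulls the same two kinds of strings, printable ASCII runs and UTF-16LE runs, out of a byte blob and flags the ones that usually make the best identification pivots: registry paths, URLs, user-agent strings, format strings and API-looking names. The sample bytes and the indicator classes are constructed for the example; the "winapi" class is only a name-shape heuristic.

```python
import re
from typing import List, Tuple

# Constructed sample bytes (not the Taleret file): printable runs separated by
# non-printable bytes, a too-short run, and one UTF-16LE string.
SAMPLE = (
    b"\x00\x00MZ\x90\x00This program cannot be run in DOS mode.\x00\x00"
    b"\x01\x02InternetOpenUrlA\x00Software\\Microsoft\\SysInternal\x00"
    b"\xff\xfehttp://%s:%d\x00"
    b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\x00"
    b"j@j<\x00\x00" + "(null)".encode("utf-16-le") + b"\x00\x00"
)

# Heuristic classes for strings worth pivoting on; "winapi" matches the
# CamelCase-ending-in-A/W shape of Win32 names, it is not an import lookup.
INDICATORS = [
    ("registry", re.compile(r"^(?:HK[A-Z]{2}\\|Software\\|SYSTEM\\)", re.I)),
    ("url", re.compile(r"^https?:", re.I)),
    ("user-agent", re.compile(r"^Mozilla/")),
    ("format-string", re.compile(r"%[sdux0-9]")),
    ("winapi", re.compile(r"^[A-Z][A-Za-z0-9]+[AW]$")),
]


def ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of min_len or more printable ASCII bytes (like `strings -a`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def unicode_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Runs of min_len or more printable chars in UTF-16LE (like `strings -el`)."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def classify(s: str) -> List[str]:
    """Names of every indicator class the string matches, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(s)]


def notable_strings(data: bytes, min_len: int = 5) -> List[Tuple[str, List[str]]]:
    """ASCII and UTF-16LE strings that hit at least one indicator class."""
    found = ascii_strings(data, min_len) + unicode_strings(data, min_len)
    return [(s, classify(s)) for s in found if classify(s)]


if __name__ == "__main__":
    for s, tags in notable_strings(SAMPLE):
        print(f"{', '.join(tags):24} {s}")
```

Replace SAMPLE with the bytes of a file on disk to get the same dump shape as the listing below, with the noise (MFC class names, CRT error text) left unflagged.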
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich\n
.text
`.rdata
@.data
.reloc--------------------------snip
j@j<
CFile
CNotSupportedException
CMemoryException
CException
CObject
CFileException
CMapPtrToPtr
CCmdTarget
CTempWnd
CWnd
AfxOldWndProc423
AfxWnd42s
AfxControlBar42s
AfxMDIFrame42s
AfxFrameOrView42s
AfxOleControl42s
GetMonitorInfoA
EnumDisplayMonitors
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
GetSystemMetrics
USER32
DISPLAY
commctrl_DragListMsg
InitCommonControlsEx
COMCTL32.DLL
combobox
CTempMenu
CMenu
CTempGdiObject
CTempDC
CGdiObject
CUserException
CResourceException
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
(null)
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
GetProcAddress
LoadLibraryA
lstrcatA
GetSystemDirectoryA
ExpandEnvironmentStringsA
FreeLibrary
ExitProcess
DisableThreadLibraryCalls
Sleep
WaitForSingleObject
FreeConsole
GetLocalTime
GetLastError
CloseHandle
GetCurrentProcess
LocalFree
HeapFree
HeapAlloc
GetProcessHeap
Process32Next
OpenProcess
Process32First
CreateToolhelp32Snapshot
DeleteFileA
ReadFile
SetFilePointer
GetFileSize
GetTickCount
OutputDebugStringA
InterlockedIncrement
InterlockedDecrement
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
DuplicateHandle
CreateFileA
WriteFile
FlushFileBuffers
LockF
UnlockFile
SetEndOfFile
lstrcpyA
FindClose
FindFirstFileA
GetVolumeInformationA
lstrcpynA
GetFullPathNameA
lstrcmpiA
GetModuleFileNameA
SetLastError
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetFileAttributesA
GetFileTime
LocalAlloc
TlsAlloc
GlobalFree
GlobalUnlock
GlobalHandle
TlsFree
GlobalLock
GlobalReAlloc
GlobalAlloc
TlsSetValue
LocalReAlloc
TlsGetValue
GetVersion
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCurrentThreadId
lstrcmpA
GetModuleHandleA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetProcessVersion
GlobalFlags
GetCPInfo
GetOEMCP
CreateThread
ExitThread
GetTimeZoneInformation
GetSystemTime
RtlUnwind
GetCommandLineA
RaiseException
GetACP
HeapSize
HeapReAlloc
TerminateProcess
UnhandledExceptionFilter
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetUnhandledExceptionFilter
SetStdHandle
IsBadReadPtr
IsBadCodePtr
CompareStringA
CompareStringW
SetEnvironmentVariableA
KERNEL32.dll
wsprintfA
PostQuitMessage
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
UpdateWindow
ShowWindow
CreateWindowExA
RegisterClassA
LoadCursorA
LoadIconA
SendMessageTimeoutA
CharUpperA
GetSystemMetrics
LoadStringA
EnableWindow
MessageBoxA
SendMessageA
GetWindowLongA
IsWindowEnabled
GetLastActivePopup
GetParent
UnhookWindowsHookEx
SetWindowsHookExA
PeekMessageA
CallNextHookEx
GetKeyState
GetNextDlgTabItem
GetFocus
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
LoadBitmapA
GetMenuCheckMarkDimensions
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
RegisterWindowMessageA
SetWindowPos
SetWindowLongA
GetWindow
SetForegroundWindow
GetForegroundWindow
GetMessagePos
GetMessageTime
RemovePropA
CallWindowProcA
GetPropA
SetPropA
GetClassLongA
DestroyWindow
GetDlgCtrlID
GetWindowTextA
GetDlgItem
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
GetClassInfoA
WinHelpA
GetCapture
GetTopWindow
CopyRect
GetClientRect
AdjustWindowRectEx
SetFocus
GetSysColor
MapWindowPoints
PostMessageA
SetWindowTextA
GetSysColorBrush
ReleaseDC
GetDC
GetClassNameA
PtInRect
ClientToScreen
DestroyMenu
TabbedTextOutA
DrawTextA
GrayStringA
USER32.dll
GetStockObject
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
GetObjectA
GetDeviceCaps
DeleteObject
DeleteDC
SaveDC
RestoreDC
SelectObject
SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GDI32.dll
GetFileTitleA
comdlg32.dll
ClosePrinter
DocumentPropertiesA
OpenPrinterA
WINSPOOL.DRV
RegisterServiceCtrlHandlerW
SetServiceStatus
RegQueryValueExA
RegCloseKey
AdjustTokenPrivileges
LookupPrivilegeValueA
ConvertSidToStringSidA
EqualSid
GetTokenInformation
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
InternetCloseHandle
InternetSetOptionA
InternetSetCookieA
HttpQueryInfoA
InternetConnectA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
GetAdaptersInfo
iphlpapi.dll
SHRegGetValueA
SHLWAPI.dll
CoCreateGuid
ole32.dll
MsgHandlerDll.dll
CDBuildIntegrityVect
CDBuildVect
CDFindCommonCSystem
CDFindCommonCSystemWithKey
CDGenerateRandomBits
CDLocateCSystem
CDLocateCheckSum
CDLocateRng
CDRegisterCSystem
CDRegisterCheckSum
CDRegisterRng
MD5Final
MD5Init
MD5Update
ServiceMain
Start
kernel32.dll
CreateDirectoryA
GetWindowsDirectoryA
WinExec
GetDriveTypeA
GetFileAttributesA
GetLogicalDriveStringsA
DeleteFileA
MoveFileA
FindNextFileA
FindFirstFileA
FindResourceA
CreateFileA
GetVolumeInformationA
CopyFileA
CreateMutexA
GetTempPathA
lstrcatA
lstrcpyA
lstrcmpA
user32.dll
GetWindowTextA
GetForegroundWindow
FindWindowExA
PostMessageA
GetCursorPos
WindowFromPoint
wsprintfA
keybd_event
GetParent
ADVAPI32.dll
RegSetValueExA
RegCreateKeyA
RegEnumKeyA
RegDeleteKeyA
RegSetValueA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegDeleteValueA
CreatePipe
GetSystemDirectoryA
CreateProcessA
User32.dll
SetWindowsHookExA
CallNextHookEx
CreateFileMappingA
GetModuleFileNameA
Wininet.dll
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetReadFile
Advapi32.dll
RegCreateKeyExA
OpenProcessToken
%s %s - %s
can not load %s, run failed
\cryptdll.dll
%tmp%\~alot.dat
can not find function %s, run failed
rundll32.exe
CDBuildIntegrityVect
CDBuildVect
CDFindCommonCSystem
CDFindCommonCSystemWithKey
CDGenerateRandomBits
CDLocateCSystem
CDLocateCheckSum
CDLocateRng
CDRegisterCSystem
CDRegisterCheckSum
CDRegisterRng
MD5Final
MD5Init
MD5Update
The Window
sdfjx
https:
MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible;
Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent
XXXXX
Funny day
ail: %s:%d
conn f
%s --> read from registry
Software\Microsoft\SysInternal
%s --> furl: %s
%s --> gsetting: %s
%s --> auto proxy
%s model
services
rundll32
1A10
{AEBA21FA-782A-4A90-978D-B72164C80120}
{A8A88C49-5EB2-4990-A1A2-0876022C854F}
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
DefaultConnectionSettings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
explorer.exe
SeDebugPrivilege
MUID
http://%s:%d
http://%s
NOT Certified
AFTER: Disconnect
AFTER: %d s
SetTime: %d OK
SendFile: %d OK
%temp%\
WRONG PASSWORD
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
 error:
 Run
 Run error
 Run OK
ShellExecuteA
shell32.dll
%%temp%%\%u
/webhp?source=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
POST
HTTP/1.1
%02X-%02X-%02X-%02X-%02X-%02X
0.0.0.0
01-01-01-01-01-01
%04x
%04x%04x%04x%04x
.?AVCObject@@
.?AVCFile@@
.?AVCException@@
.?AVCFileException@@
.PAX
.PAVCObject@@
.PAVCException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCSimpleException@@
.?AVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCFileException@@
.?AVCNoTrackObject@@
.?AUCThreadData@@
.?AV_AFX_THREAD_STATE@@
.?AVAFX_MODULE_STATE@@
.?AVAFX_MODULE_THREAD_STATE@@
.?AV_AFX_BASE_MODULE_STATE@@
.?AVCCmdTarget@@
.?AV_AFX_CTL3D_STATE@@
.?AVCMapPtrToPtr@@
.?AVCCmdUI@@
.?AVCWnd@@
.?AVCTestCmdUI@@
.?AVCTempWnd@@
.?AVCHandleMap@@
.?AV_AFX_WIN_STATE@@
.?AVCMenu@@
.?AVCTempMenu@@
.?AVCDC@@
.?AVCGdiObject@@
.?AVCTempDC@@
.?AVCTempGdiObject@@
.?AVCResourceException@@
.?AVCUserException@@
.?AVtype_info@@

Unicode Strings:
---------------------------------------------------------------------------
(null)