About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here; it often helps in malware identification, and googling is the best way.
With just strings, it's not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Tuesday, September 3, 2013

Gh0st hgif strings - APT

File: DW20.exe
MD5: 5d2a996e66369c93f9e0bdade6ac5299
Size: 102400

GET /h.gif?pid =113&v=130586214568 HTTP/1.1
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Richi}
.text
`.rdata
@.data
h@A@
Rh P@
hPA@
h,P@
tUhT
h9P@
Ph\A@
hlA@
PPhR
h9P@
%(@@
%,@@
%0@@
% A@
hSVW
>"u:F
XPVSS
;x4u
ole32.dll
CoUninitialize
CoCreateInstance
CoInitialize
CloseHandle
VirtualFreeEx
WaitForSingleObject
LoadLibraryA
GetProcAddress
GetModuleHandleA
WriteProcessMemory
VirtualAllocEx
OpenProcess
CreateRemoteThread
Module32Next
Module32First
CreateToolhelp32Snapshot
GetLastError
WriteFile
SetFilePointer
GetFileSize
CreateFileA
GetModuleFileNameA
GetLongPathNameA
GetTempPathA
Sleep
FreeLibrary
lstrcatA
FindClose
FindNextFileA
FindFirstFileA
GetWindowsDirectoryA
GetShortPathNameA
MultiByteToWideChar
GetSystemInfo
KERNEL32.dll
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
strlen
xcept_handler3
strcmp
sprintf
memset
strncpy
_stricmp
MSVCRT.dll
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??0Init@ios_base@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
MSVCP60.dll
GetStartupInfoA
LocalAlloc
InterlockedExchange
RaiseException
Kernel32
FreeLibrary
!This program cannot be run in DOS mode.
Rich
.text
-----------------snip
_^[]
;x4u
QRhp=
QRhl=
@HTTP/1.0 200 OK
Content-type:text/html
Content-length:0
USER32.dll
ADVAPI32.dll
SHELL32.dll
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
 inflate 1.1.4 Copyright 1995-2002 Mark Adler
WS2_32.dll
WININET.dll
PSAPI.DLL
WTSAPI32.dll
wsprintfA
CharNextA
ExitWindowsEx
GetWindowThreadProcessId
IsWindowVisible
GetWindowTextA
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
IsValidSid
LookupAccountNameA
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
LookupAccountSidA
GetTokenInformation
SHGetSpecialFolderPathA
SHGetFileInfoA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
ShellExecuteA
WSAIoctl
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
GetModuleFileNameExA
EnumProcessModules
WTSFreeMemory
WTSQuerySessionInformationA
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
Sleep
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
SetEvent
InterlockedExchange
CancelIo
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
GetTickCount
WriteFile
SetFilePointer
GetLastError
CreateProcessA
FindClose
LocalFree
LocalReAlloc
LocalAlloc
RemoveDirectoryA
OpenProcess
GetShortPathNameA
DeleteFileA
GetTempPathA
GetCurrentProcess
OutputDebugStringA
GetSystemDirectoryA
DisconnectNamedPipe
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetSystemDefaultUILanguage
ReleaseMutex
SetErrorMode
CreateThread
GetLocalTime
GetCurrentThreadId
KERNEL32.dll
??3@YAXPAX@Z
memmove
ceil
_ftol
__CxxFrameHandler
??2@YAPAXI@Z
_CxxThrowException
sprintf
free
_except_handler3
strtok
_beginthreadex
calloc
MSVCRT.dll
??1type_info@@UAE@XZ
_initterm
malloc
_adjust_fdiv
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
MSVCP60.dll
RaiseException
Serverz.dll
Connection: Keep-Alive
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
Pragma: no-cache
Accept-Language: en-us
Accept: */*
GET /h.gif?pid =113&v=130586214568 HTTP/1.1
.PAX
.PAD
bad Allocate
bad buffer
%s\*.*
%s\%s
%s%s%s
%s%s*.*
KBDMGR.EXE
%skbdmgr.lnk
%skbdmgr.exe
C_RUN_PLUG_COMMAND_FILELIST_DRIVE
C_RUN_PLUG_COMMAND_SCREEN_SPY
C_RUN_PLUG_COMMAND_SHELL
C_ONLINE_ACTIVE
LCommend::RemoveServer
LCommend::Messgae
LCommend::LogoOff
LCommend::PowerReset
LCommend::PowerOff()
LCommend::Update
LCommend::OpenIE
SeShutdownPrivilege
open
iexplore.exe
 Update
wininet.dll
urlmon.dll
\cmd.exe
7.25 host
godson355.vicp.cc
%s:%d|%s %s|%s|%s|%s
%ug %um
%u GB
%u MB
GlobalMemoryStatusEx
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%s SP%d
2008
Vista
2003
2000
memcpy
malloc
strchr
msvcrt.dll
SetUnhandledExceptionFilter
GetLocalTime
LeaveCriticalSection
lstrcmpiA
lstrlenA
lstrcmpA
lstrcpyA
lstrcatA
GetTempPathA
CreateFileA
FindFirstFileA
FindNextFileA
MoveFileA
DeleteFileA
GetLogicalDriveStringsA
GetFileAttributesA
GetDriveTypeA
GetWindowsDirectoryA
CreateDirectoryA
GetModuleFileNameA
GetVolumeInformationA
OpenEventA
CreatePipe
GetFileSize
GetDiskFreeSpaceExA
GetPrivateProfileSectionNamesA
LocalFree
ReadFile
OpenProcess
Process32Next
Process32First
GetStartupInfoA
run error
My WorkSpace %d
m4qtrsz5bfn3o1g
1.1.4
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
041b1|1
5J5{5
5c6u6
6F7a7
7;8N8W8`8v8
9H9Z9
9(:b:x:
=,=E=\=
>#?R?c?
516A6S6c6s6}6
6"7(7D9{9
:f;.<
1M2b2l2}2
4"4`4
575D5Z5
586l7x7
:.:;:d:q:
;#;5;?;
<K<`<
< =F=p=
>6?U?
40e1
2%2<2
3:6L6
:T;k;
;5<M<V=#>F>w>
?/?M?V?
0S0b0
2F3q3w3&4T4e4t4z4
5#5`5t5@6^6}6
6Z7o7
858<8I8W8^8
:;:d:
#0*0/0`0
1W1v1
2\2`2d2h2l2p2t2x2|2
3(3>3E3R3Z3~3
4-4\4a4i4
5.5K5
5;6]6
7,7R7
728r8}8
:2:N:}:
:0;D;T;d;t;
=.=;=H=U=b=o=|=
=>>j>
>:?I?X?
0'0C0_0{0
1<1I1V1
2"3/3R3_3
4B4O4r4
525?5b5o5
6,6L6Y6q6~6
9%9*9/999>9C9M9R9`9e9j9t9y9~9
:(:-:2:<:A:F:P:U:Z:d:i:n:x:}:
;#;(;-;7;<;A;K;P;U;_;d;i;s;x;
<#<-<F<m<s<y<
=">Q>
?@?m?z?
0N0u0
14191C1K1R1v1
192M2[2m2w2
3-3T3h3r3
4#4*454<4G4N4Y4`4k4r4|4
5"5-545?5F5Q5X5c5j5u5|5
8H8W8
<(=,=0=4=8=<=@=D=H=L=P=T=X=\=
v0I1m1
2e4q4
3u5z5f<%?
7]8l8
:#:l:
;!;3;9;
<<=q=
R0b0h0
0R1Z1`1k1x1
3&3-383?3J3Q3\3c3n3u3
5(5-5
6&656<6G6N6X6g6n6y6
7&7L7e7k7
8*8J8h8u8{8
1P2\2h2t2
2T?X?
0(0D0L0T0\0d0
1 1<1D1P1l1t1
2(2D2L2X2t2
3$303L3X3t3
4$4(4,40444D4H4L4P4T4d4h4l4p4t4
5 5$5(5,50545<5@5H5L5P5T5X5`5d5h5l5p5t5x5|5
9X:\:p:t:
=0=4=8=<=@=D=H=L=P=T=X=\=`=d=l=p=x=|=
Storm ddos Server
Welcome to use storm ddos
Thank you
asdfgh
CreateMutexA
SetFileAttributesA
Process32First
Process32Next
CreateProcessA
WuSh B- Is Running!
CreateThread
GetEnvironmentVariableA
 /c
del "

Unicode Strings:
---------------------------------------------------------------------------
jjjjjjj
jjjjjj
jjjjj
jjjjjj
jjjj
jjjj
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
CompanyName
FileDescription
Device Protect Application
FileVersion
3, 9, 0, 0
InternalName
Microsoft(R) Windows(R) Operating System
LegalCopyright
Copyright © 2013
LegalTrademarks
OriginalFilename
OriginalFileqqqq
csdf.dll
PrivateBuild
ProductName
ProductVersion
3, 9, 0, 0
SpecialBuild
VarFileInfo
Translation
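The point of dumping strings, as the About text says, is identification: a handful of the strings above (the h.gif beacon, the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread import cluster, the kbdmgr.exe/kbdmgr.lnk persistence names, the godson355.vicp.cc host, the C_RUN_PLUG_COMMAND_* / LCommend:: handler names, the "Storm ddos" banner, the statically linked zlib 1.1.4 and the "Device Protect Application" version-info description) are enough to recognise the family again in another binary. The Python below is an added example, not part of the original post or of any Gh0st tooling: a minimal `strings`-style extractor for ASCII and UTF-16LE runs, plus a matcher built only from the strings quoted on this page. SAMPLE_BLOB is a constructed stand-in assembled from those strings, not the real DW20.exe (which is not included), and the group names (`http_beacon`, `c2_host`, ...) are my own labels.

```python
"""Minimal strings extractor + indicator matcher for the Gh0st string set above.

Added example, not code from the post. Indicator values are the strings quoted
in the post; SAMPLE_BLOB is a constructed stand-in, not the real DW20.exe.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the post's indicator strings separated by double NULs
# (so ASCII and UTF-16 runs never bleed into each other), framed by an MZ stub
# and some non-printable bytes. Not the real sample.
SAMPLE_BLOB = b"MZ\x90\x00\x03\x00" + b"\x00\x00".join([
    b"GET /h.gif?pid =113&v=130586214568 HTTP/1.1",
    b"User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)",
    b"OpenProcess", b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
    b"CreateToolhelp32Snapshot",
    b"godson355.vicp.cc",
    b"KBDMGR.EXE", b"%skbdmgr.lnk", b"%skbdmgr.exe",
    b"C_RUN_PLUG_COMMAND_SCREEN_SPY", b"LCommend::RemoveServer",
    b"Storm ddos Server", b"WuSh B- Is Running!",
    b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly",
    "Device Protect Application".encode("utf-16-le"),   # version info is UTF-16
]) + b"\xff\xfe"

# Constructed negative control: uses OpenProcess but lacks the rest of the
# injection cluster, as plenty of benign software does.
BENIGN_BLOB = b"\x00\x00".join([b"OpenProcess", b"CreateProcessA", b"GetProcAddress"])


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Return (kind, text) pairs like strings(1): printable ASCII runs and
    UTF-16LE runs of at least min_len characters. UTF-16 runs at odd offsets
    relative to the ASCII scan are still found because the regex is byte-based."""
    out: List[Tuple[str, str]] = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        out.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        out.append(("utf16", m.group().decode("utf-16-le")))
    return out


# Indicator groups derived from the strings in the post.
#   "any": report every extracted string matching the regex
#   "all": report only when every listed import is present; any one of these
#          APIs alone is common in benign code, the four together are the classic
#          OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
#          remote-thread injection pattern.
INDICATORS: Dict[str, Tuple[str, object]] = {
    "http_beacon": ("any", re.compile(r"^GET /h\.gif\?pid ?=\d+&v=\d+ HTTP/1\.[01]$")),
    "c2_host": ("any", re.compile(r"^[A-Za-z0-9-]+\.vicp\.cc$")),   # host seen in the post
    "persistence_names": ("any", re.compile(r"kbdmgr\.(exe|lnk)$", re.I)),
    "gh0st_command_handlers": ("any", re.compile(r"^(C_RUN_PLUG_COMMAND_|LCommend::)")),
    "ddos_module": ("any", re.compile(r"storm ddos", re.I)),
    "zlib_1_1_4": ("any", re.compile(r"^ ?(de|in)flate 1\.1\.4 Copyright")),
    "version_info": ("any", re.compile(r"^Device Protect Application$")),
    "remote_thread_injection": ("all", ["OpenProcess", "VirtualAllocEx",
                                        "WriteProcessMemory", "CreateRemoteThread"]),
}


def match_indicators(strings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map indicator group name -> sorted list of matching strings (only groups that hit)."""
    texts = [t for _, t in strings]
    present = set(texts)
    hits: Dict[str, List[str]] = {}
    for name, (mode, pat) in INDICATORS.items():
        if mode == "any":
            found = sorted({t for t in texts if pat.search(t)})
            if found:
                hits[name] = found
        elif all(api in present for api in pat):
            hits[name] = sorted(pat)
    return hits


def scan(data: bytes) -> Dict[str, List[str]]:
    """Extract strings from a binary blob and return the indicator groups it hits."""
    return match_indicators(extract_strings(data))


if __name__ == "__main__":
    for group, matched in scan(SAMPLE_BLOB).items():
        print(f"{group:24s} {matched}")
```

Run it against a real file with `scan(open(path, "rb").read())`; a binary that hits `http_beacon` or `gh0st_command_handlers` plus the full injection cluster is worth googling the MD5 of, which is exactly the workflow the post recommends. The `all` mode is the caveat worth keeping: the individual imports in the list above appear in debuggers, AV engines and installers, so only the complete cluster is treated as an indicator.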