About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy and so is Mila, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Tuesday, September 3, 2013

PlugX dropper strings - APT

File: DW20.exe
MD5:  2ff2d518313475a612f095dd863c8aea
Size: 305709

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.CRT
@.rsrc
WVS3
WVU3
N+D$
9Ru1
8RuS
t!j|
zuWh
u--------------snip
FAA;t$
FAA;u
tUVW
H_H^
QQSVWh
_^[]
_^][
_^[]
Wj@3
f98t
D>*;
_^[]
 SVW
uCVj
t<9E
_^[]
QSVW
@v*9G
@v*9G
 SVW
FTt=
~,@s
Rh`LA
Qh@LA
Rh`LA
Rh`LA
WVWj
WVWj
WVWj
Rh`LA
w5WWWW
Rh@LA
<H>t
Sh(JA
_CFFf
t<SSSS
hPLA
8hpLA
t-PP
 tSj X
&u#3
GGFF
htKA
u-f9
h`KA
^ S;
SVWj
u<9}
tZ9~
Ph0LA
QP9]
h|CA
QD9] t
Q,9]
QQVW
- ???
%.*s(%d)%s
YNANRC
bad allocation
__rar_
.rar
?*<>|"
*messages***
CryptUnprotectMemory
CryptProtectMemory
CryptUnprotectMemory failed
CryptProtectMemory failed
SetDllDirectoryW
Z2fQ`^-A
InitCommonControlsEx
COMCTL32.dll
SHAutoComplete
SHLWAPI.dll
GetCurrentDirectoryW
GetLastError
SetLastError
CloseHandle
GetCurrentProcess
SetFileTime
MoveFileW
FlushFileBuffers
SetFilePointer
SetEndOfFile
GetFileType
CreateFileA
CreateFileW
ReadFile
GetStdHandle
WriteFile
GetFileAttributesA
GetFileAttributesW
SetFileAttributesA
SetFileAttributesW
DeleteFileW
DeleteFileA
CreateDirectoryA
CreateDirectoryW
FindClose
FindNextFileA
FindFirstFileA
FindNextFileW
FindFirstFileW
GetVersionExW
GetFullPathNameA
GetFullPathNameW
MultiByteToWideChar
GetModuleFileNameW
FindResourceW
GetModuleHandleW
HeapAlloc
GetProcessHeap
HeapFree
HeapReAlloc
CompareStringA
ExitProcess
GetTickCount
FreeLibrary
GetProcAddress
LoadLibraryW
GetCurrentProcessId
GetLocaleInfoW
GetNumberFormatW
DosDateTimeToFileTime
GetDateFormatW
GetTimeFormatW
FileTimeToSystemTime
FileTimeToLocalFileTime
ExpandEnvironmentStringsW
WaitForSingleObject
Sleep
GetExitCodeProcess
GetTempPathW
MoveFileExW
UnmapViewOfFile
MapViewOfFile
GetCommandLineW
CreateFileMappingW
SetEnvironmentVariableW
OpenFileMappingW
LocalFileTimeToFileTime
SystemTimeToFileTime
GetSystemTime
WideCharToMultiByte
CompareStringW
IsDBCSLeadByte
GetCPInfo
GlobalAlloc
SetCurrentDirectoryW
KERNEL32.dll
OemToCharBuffA
EnableWindow
GetDlgItem
ShowWindow
MessageBoxW
CharToOemBuffW
CharUpperW
SetWindowLongW
GetWindowLongW
GetWindow
GetSystemMetrics
SetWindowTextW
GetWindowTextW
SetWindowPos
GetClientRect
GetWindowRect
LoadStringW
CharToOemBuffA
CharUpperA
wvsprintfA
wvsprintfW
DispatchMessageW
TranslateMessage
GetMessageW
PeekMessageW
ReleaseDC
GetDC
SendMessageW
SetDlgItemTextW
SetFocus
EndDialog
DestroyIcon
SendDlgItemMessageW
GetDlgItemTextW
GetClassNameW
DialogBoxParamW
IsWindowVisible
WaitForInputIdle
SetForegroundWindow
GetSysColor
PostMessageW
LoadBitmapW
LoadIconW
CharToOemA
OemToCharA
IsWindow
CopyRect
DestroyWindow
DefWindowProcW
RegisterClassExW
LoadCursorW
UpdateWindow
CreateWindowExW
MapWindowPoints
GetParent
FindWindowExW
USER32.dll
DeleteDC
StretchBlt
SelectObject
CreateCompatibleBitmap
GetObjectW
CreateCompatibleDC
GetDeviceCaps
DeleteObject
GDI32.dll
CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW
COMDLG32.dll
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityA
SetFileSecurityW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegQueryValueExW
RegOpenKeyExW
ADVAPI32.dll
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetMalloc
SHGetSpecialFolderLocation
SHGetFileInfoW
SHFileOperationW
ShellExecuteExW
SHChangeNotify
SHELL32.dll
OleUninitialize
OleInitialize
CoCreateInstance
CLSIDFromString
CreateStreamOnHGlobal
ole32.dll
OLEAUT32.dll
WINRAR.SFX
RSDS
xJv&
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
FFF))EE
FFFF))))))
FFFE
 (08@P`p
33!D
03%D
/3'D
,3+D
+3-D
(31D
gwgw`
WwS7'u
gwS37%w`
WwS3
r%wP
gwS3
r"Wv
WwS3
r"%wP
gwS3
WwS3
gwS3
WwS3
gwS3
WwS3
gwS3
WwR"'P
Wwgu"'P
wR'P
Wu'P
g33WwQ
g3WwQ
gWwQ
abcd
/'[,\\0]^_\\\Q
RSTU0VWXYZH
IJKL=MNOPQ
'A,4;BC
>>DE9
:(,4;<=>;?@
3,45657879
,++-.
.-+++
()))*
*))*+
 !"#$%&
{{{p
{{{{0
{{{p
{{{{
{{wp
w{{{
{{{p
{{{{
{{{{{{{{{
wwwwwwww
8888888888{x7
8888888888887
"g$D
8880
"j$LL
8"j$D
8880
"j$L
"btD
USq88
UU888
ddddddd
dddddddd
rrrrrrr
rrrrrrr
rrrrrrr
~vrrrrr
rrrrrrr
~vrrrrs
rrrrrrr
~vrrrrs
rrrrrmm
mmrrrrs
~~vd
rrrr
~yrs
~~~vd
rrrrr
yrrs
~~~|v
rrrrrr
yrrrs
~~~{z
rrrrrrr
yrrrps
~~{zz
rrrrrrrr
yrrrpps
~{zzz
rrrrrrrrrrrrrppps
tzzzz
kkkkkkkkkkkjhjjjo
tqmxzz
aaaaaaaaaaaaaaaaaaaaf~leQmux
JJJJJJJJJJJJJJJJJJJaieQRamu
''''''''''''''''''DaJKHPam
"(GLOa
*-/0
)LUa
+.2=
$CFNa
+.2>
V\^V
----------------------snip
penc-N
NX[(W
~_cOW
ck(W
N4Y_cOW
gck(W
4xOW
eHr,g
[SO"
O(u
NX[(W
N_cOW
N0R
N0R4N
*NW[&{
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
  version="1.0.0.0"
  processorArchitecture="*"
  name="WinRAR SFX"
  type="win32"/>
<description>WinRAR SFX module</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <requestedPrivileges>
      <requestedExecutionLevel level="asInvoker"          
      uiAccess="false"/>
    </requestedPrivileges>
  </security>
</trustInfo>
<dependency>
  <dependentAssembly>
    <assemblyIdentity
      type="win32"
      name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0"
      processorArchitecture="*"
      publicKeyToken="6595b64144ccf1df"
      language="*"/>
  </dependentAssembly>
</dependency>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
  <application>
    <!--The ID below indicates application support for Windows Vista -->
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    <!--The ID below indicates application support for Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
  </application>
</compatibility>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
    <dpiAware>true</dpiAware>
  </asmv3:windowsSettings>
</asmv3:application>
</assembly>
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGRar!
54zF
559;
eHt@
hkcmd.exe
rW$,
/:[KhH
u9k F2G------------------------snip

Unicode Strings:
---------------------------------------------------------------------------
SeRestorePrivilege
SeSecurityPrivilege
r%.*s(%d)%s
rtmp%d
?*<>|"
%c:\
.rar
*messages***
%08x
Crypt32.dll
RarSFX
%s %s
%s %s %s
REPLACEFILEDLG
RENAMEDLG
GETPASSWORD1
ASKNEXTVOL
Software\WinRAR SFX
STATIC
.exe
Install
.inf
.lnk
%s%s%d
ProgramFilesDir
Software\Microsoft\Windows\CurrentVersion
<br>
%s.%d.tmp
Delete
Text
Title
Path
Silent
Overwrite
Setup
TempMode
License
Presetup
Shortcut
SavePath
Update
SetupCode
LICENSEDLG
"%s"
runas
winrarsfxmappingfile.tmp
-el -s2 "-d%s" "-p%s" "-sp%s"
__tmp_rar_sfx_access_check_%u
STARTDLG
sfxname
sfxcmd
kernel32
A&nbsp;
<style>body{font-family:"Arial";font-size:12;}</style>
</html>
utf-8"></head>
<head><meta http-equiv="content-type" content="text/html; charset=
<html>
</style>
<style>
</p>
about:blank
Shell.Explorer
RarHtmlClassName
EDIT
riched20.dll
riched32.dll
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
ccpp
(&B)...
(&E):
(&Y)
(&A)
(&R)
(&N)
(&L)
(&C)
WinRAR
(&D)
(&W)...
hRichEdit20W
jmsctls_progress32
"%s"
 %s CRC
%s CRC
 %s CRC
 %s
 %s
 %s
 Windows
b<style>body{font-family:"Arial,
";font-size:12;}</style><ul><li>
 <b>
</b>
</li><br><br>)<ul><li>
 <b>
</b>
</li><br><br>)<li>
 <b>
</b>
</li>
<br><br> <li>
</li></ul>
 %s
 %d
 %s
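The strings above say what this dropper's outer layer is: the PDB path sfxrar.pdb, the WINRAR.SFX resource, the "WinRAR SFX" manifest and the Software\WinRAR SFX registry key all belong to WinRAR's self-extracting stub; the "Rar!" signature at the end of the PADDINGXX run marks where the embedded archive starts, and hkcmd.exe shows up right after it, where the archive's file headers sit. The Setup / Silent / Overwrite / TempMode / Path keywords in the Unicode section are the SFX script commands the stub reads from the archive comment. The script below is an added example, not code from the post or from WinRAR: it carves the RAR 4.x archive out of an SFX executable, checks each block header's CRC, lists the file headers, and pulls the SFX script out of a stored CMT subblock. The bytes it runs on are constructed here (a fake stub plus a tiny archive), not DW20.exe, and the "Setup=hkcmd.exe" line in that sample is an assumption for illustration only.

```python
"""Carve the RAR archive out of a WinRAR SFX executable and list its file headers and SFX script.
Added example (not from the contagio post): handles the RAR 4.x block format only; all sample
bytes below are constructed, not taken from DW20.exe."""
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_NEWSUB, HEAD_END = 0x73, 0x74, 0x7A, 0x7B
LHD_UNICODE = 0x0200    # file name field holds "oem name\0<encoded unicode>"
LHD_LARGE = 0x0100      # 64-bit HIGH_PACK_SIZE / HIGH_UNP_SIZE present
LONG_BLOCK = 0x8000     # ADD_SIZE (or PACK_SIZE) follows HEAD_SIZE
METHOD_STORE = 0x30


def walk_rar4(blob, start):
    """Yield (type, flags, crc_ok, header, data) for each block after the RAR 4.x marker."""
    pos = start + len(RAR4_MARKER)
    while pos + 7 <= len(blob):
        head_crc, htype, flags, head_size = struct.unpack_from("<HBHH", blob, pos)
        if head_size < 7:
            raise ValueError("bad HEAD_SIZE at offset 0x%x" % pos)
        header = blob[pos:pos + head_size]
        # HEAD_CRC is the low 16 bits of CRC32 over the header from HEAD_TYPE onward
        crc_ok = (zlib.crc32(header[2:]) & 0xFFFF) == head_crc
        data_size = 0
        if htype in (HEAD_FILE, HEAD_NEWSUB):
            data_size = struct.unpack_from("<I", header, 7)[0]          # PACK_SIZE
            if flags & LHD_LARGE:
                data_size |= struct.unpack_from("<I", header, 32)[0] << 32
        elif flags & LONG_BLOCK:
            data_size = struct.unpack_from("<I", header, 7)[0]          # ADD_SIZE
        data = blob[pos + head_size:pos + head_size + data_size]
        yield htype, flags, crc_ok, header, data
        if htype == HEAD_END:
            break
        pos += head_size + data_size


def file_entry(header, flags):
    """Parse a FILE_HEAD or NEWSUB header into (name, unpacked_size, method)."""
    (_pack, unp_size, _os, _crc, _time, _ver, method,
     name_size, _attr) = struct.unpack_from("<IIBIIBBHI", header, 7)
    name_off = 32 + (8 if flags & LHD_LARGE else 0)
    name = header[name_off:name_off + name_size]
    if flags & LHD_UNICODE:
        name = name.split(b"\x00", 1)[0]   # keep the OEM part only (assumption: enough for triage)
    return name.decode("latin-1"), unp_size, method


def inspect_sfx(blob):
    """Locate the embedded archive and report its entries, SFX comment and header CRC errors."""
    info = {"archive_offset": blob.find(b"Rar!\x1a\x07"), "version": 0,
            "entries": [], "comment": None, "crc_errors": 0}
    off = info["archive_offset"]
    if off == -1 or len(blob) < off + 7:
        return info
    if blob[off + 6] != 0x00:
        info["version"] = 5          # RAR5 headers use variable-length ints; not handled here
        return info
    info["version"] = 4
    for htype, flags, crc_ok, header, data in walk_rar4(blob, off):
        info["crc_errors"] += 0 if crc_ok else 1
        if htype == HEAD_FILE:
            info["entries"].append(file_entry(header, flags))
        elif htype == HEAD_NEWSUB:
            name, _size, method = file_entry(header, flags)
            # WinRAR keeps the archive comment, i.e. the SFX script, in a "CMT" subblock;
            # only an uncompressed (stored) comment is decoded here
            if name == "CMT" and method == METHOD_STORE:
                info["comment"] = data.decode("utf-8", "replace")
    return info


def sfx_script(comment):
    """Turn the 'Key=value' lines of an SFX comment into {key: [values]} (bare keys like TempMode get '')."""
    script = {}
    for line in comment.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _sep, value = line.partition("=")
        script.setdefault(key.strip(), []).append(value.strip())
    return script


# --- constructed sample: a stand-in PE stub followed by a tiny RAR 4.x archive ---
def _block(htype, flags, body):
    """Build one block header with a correct HEAD_CRC (sample construction only)."""
    tail = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail


def _file_block(htype, name, payload):
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, zlib.crc32(payload),
                       0, 29, METHOD_STORE, len(name), 0x20) + name
    return _block(htype, LONG_BLOCK, body) + payload


SAMPLE_COMMENT = b"Setup=hkcmd.exe\r\nSilent=1\r\nOverwrite=1\r\nTempMode\r\n"   # assumed script
SAMPLE_SFX = (b"MZ" + b"\x00" * 62 + b"PADDINGXXPADDING" * 4      # fake SFX stub, not a real PE
              + RAR4_MARKER
              + _block(HEAD_MAIN, 0, b"\x00" * 6)                   # HighPosAV + PosAV
              + _file_block(HEAD_NEWSUB, b"CMT", SAMPLE_COMMENT)
              + _file_block(HEAD_FILE, b"hkcmd.exe", b"MZ" + b"\x90" * 30)
              + _file_block(HEAD_FILE, b"sample.dat", b"\xcc" * 16)
              + _block(HEAD_END, 0, b""))

if __name__ == "__main__":
    report = inspect_sfx(SAMPLE_SFX)
    print("archive at 0x%x, RAR%d, CRC errors: %d"
          % (report["archive_offset"], report["version"], report["crc_errors"]))
    for name, size, method in report["entries"]:
        print("  %-20s %6d bytes  method 0x%02x" % (name, size, method))
    print("SFX script:", sfx_script(report["comment"] or ""))
```

To run it on a real dropper, read the file into a bytes object and pass it to inspect_sfx. A comment compressed with anything other than the store method needs a real unrar to decode, and a RAR5 archive is reported as version 5 but not walked; a non-zero CRC error count usually means the carve landed on a stray "Rar!" string rather than the real archive.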