About contagio exchange

Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5s. You can find the corresponding samples on Contagio, or ping me if you can't find them.
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes).

Tuesday, September 3, 2013

Surtr (Smoaler) strings - APT

File: DW20.dll
MD5:  8e187ae152c48099f715af442339c340
Size: 44032

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.reloc
;ORD.
MessageBoxA
user32.dll
CloseHandle
CreateFileA
GetFileSize
GetModuleFileNameA
GetTempFileNameA
GetTempPathA
ReadFile
SetFilePointer
VirtualAlloc
WinExec
WriteFile
lstrlenA
kernel32.dll
mydll.dll
DoWork
0#010I0j0y0
1%1+171=1C1I1T1_1k1
!This program cannot be run in DOS mode.
Richw
.text
`.rdata
@.data
.rsrc
SVW3
)MYi62
HX-1
-'pY
l|A@
8HTd
&5I8
d)9&
Od-@q
Soft
ware
\Mic
roso
ft\W
indo
ws M
edia
t$ ;4
_^]3
Pj@h
h40@
h$0@
Dah$0@
h$0@
h$0@
h$0@
h$0@
Oh$0@
7tah@0@
hD0@
Pj@QV
5L1@
t"It
Iu'j
hh @
hSVW
>"u:F
XPVSS
%( @
%8 @
%P @
%T @
VirtualProtect
KERNEL32.dll
strncpy
fclose
fread
ftell
fseek
fopen
fwrite
MSVCRT.dll
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetStartupInfoA
advapi32.dll
kernel32.dll
ntdll.dll
h6WW
>t:$
ut@$p(
(uPV
D1$c
U?(p
hvg
^w$L
UO$EdP
u7$d
Q]y(
YQA+;h
zu+$
stf(W
wwwwwwwwwwwwww
wwwwwwwwwwwwww
DDDDDDDDD@
DDDDDDDDDGpw
DDDDDDDDDGpw
DDDDDDDDDDDDDD
wwwwwwwwwwwwww
This
proggam
DO~S
mode.
iS0R
chDH(
P@EL8
rdatP
.'(Le)
P`relo
5lp(L
t9"I
\$l;
Q8RP
()jT@+h
FV2PSR
VUoW%
`!3\
C@go6;
QVhU<
AsAnG#
-140p
F<iECE
QQ1P5^
xtcR
B8*Xs,
9MZu}:
vd'Q
v=bO
PL&CT$
QHxp
 {I;P
+Q$@
$tF#
 FYE
H.Pt
JPXQU
65h!
ZSWV
yUq3
K/2g
"j@A
15*W Q
EPS4
r4U @x
|diLT
Q},\&
bB0d#
s)j!P
E <B)L_
&dS
e2h^
PKzt
kJd\
mWB&
T$_7
VZ2|
`JB.mX%
*9WE
T^^h
zB!d
fEqK,
16OPT"!<%
>a9H
PVQR
/2qVj(
@Q|&
tNv^
8,Du
QSeW
&6Ad
v*:(A
j(@!
fqhx
t!hy
Au)I
Z_L[
'*jU
'Lw!
h8B#|
"GDt
)TSh
fp!8=
tU8<A
TpT!
'2x%P
WuST
K:jrg
jd,H
$Whq
UNH e %
szJlJ E
?uI3$
JR"[!jc
"-$j
LJO_"
qCZ@
C! y
(=KP
/Wfx
D?0h
fgXD1`X
-@b$
B,"~
B4#O
z{2%18
<"#0
dDAb
LG@X
bx10X
?B!|
B0!$
o{)-o<Q
Fxw@
["_,eRVUe
tB*d
n6.O
_[mz
cDPp
U~PN
4WP}
$h)g?
 &E4+
{-Yo
zb8H
!8!X
ASk)
Xo!m
J"8M
FI!HF!
VL{ RBlf
Xkm@
Y2N^
eQg\
(OU
 ;JD
F&m,
SK<Kck
(/dU2<
W~%dNS
VQ$S9b
%+GJ(
!]_K
%#,4
*pX
q5*#
s$bP->
$+bt|
+3!8
SRR>h
WJ- -
U>Bq'
nC7@
[+VU
Y9M]
.R?[
kLvN^H
QqSkR
u.Wh
ko-A (
47tF
eCQT
(fWU(
&Rh!
A-,0
C'/4*!"
x_tT
SWQ8F!
PywN
tK9a
=JR@
EVW/
<X(F
1XRP
t/WS+
jEL#
G0#(
-_tf
tM%VP
-b'Q^
1YK.
Df!gI
(ch-
l<#uZ?$U
0V8Y
17WP(
<DL)
"):DBJ
xP?1
X (
6(8Cr
ginthr
}3v*
2@Y9AP
FraDH
ndvl
SVCRT.d
USER3R2^8
a5ACP
r(tu
vPgo
bNjL4
icm>
Q(&QI
8ed8
u`@$p(_
U?(p
hvg
UO$EdP
a<ppA
u7$vd
Q]y(
<JQL
8^8X8?Q
u+;$
(m3C
stf(W
Y3p8
Ke9rn
Aibr
%s #
SoftwZ
e\Mico
Cur0
0E=xp|
X),U
9cS=C{<vd
CxrPR
 aCvVp
rqwf
n:(z
TA~~i
4 HdCvxt
/v-Y
_CUR
U7\(
=sSA
H5S"
tg$m
Zb)D
3Lkn~)
Q:|(yV
4h&d@
/=B&cS
orTB44i
ToM$ul
!3tPkc
FHilXUu
(x86)\I
SysWO
s0thm
\1Li
2$BaxnD
1232.
VP|N]LMyc0
$XC.+
PADCINGX
&3r-tEvLx
 ;r&tGvdx
=1'BGQg`
{95o:v
75NB
:r,tSv
v!x1zH|N~Y~e~u~
71f'{G
3rJtyv
6r7tVv
v"x3
L+OxzA|F~W~\~m~r~
=#>0?7?<?H?M?R?^?c?h?t?y?~?
,O8>
"910:9}
92E:
3BNR
#5r*t9vXxzz
tBvLxfzx|
Pt\v
4P B
> ?$*(
~0~4~8~<~@~DX
t)v6xOz_|
T1mN
L7VN
9i9;
T=zN
4!5T
)%:1
qv4,
x0|'
,4!<=D*L
~t~|M
freL19
jkub
!Wv8
lu~(
wwwwwwwwwwwwww
wwwwwwwwwwwwww
DDDDDDDDD@
DDDDDDDDDGpw
DDDDDDDDDGpw
DDDDDDDDDDDDDD
wwwwwwwwwwwwww

Unicode Strings:
---------------------------------------------------------------------------
Ef77