A forum for reverse engineering, OS internals and malware analysis
C:\Program Files\Internet Explorer\iexplore.exe

If you did and this is the case with it, then injecting directly into "C:\Program Files\Internet Explorer\iexplore.exe" is the dumbest thing I ever saw in malware in my life! Seems he never heard about Windows APIs for getting such paths as generically as he could :)
C:\Users\admin.unknown\Downloads\Infostealer.Dexter\3.exe
Xylitol wrote:
Hello, POSCardStealer.E, in attach.
in the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/

How does this malware search for credit card information?
Buster_BSA wrote:
I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E
Xylitol wrote:
Hello, POSCardStealer.E, in attach.
How does this malware search for credit card information?
Other POS malware I have reviewed contained regexes like:
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}
[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}
I do not see something like that in this one.
Xylitol wrote:
I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E
Maybe it has its own search engine. But I guess there is another pattern to detect track2, or it's a false positive from ESET?

Buster_BSA wrote:
The same:
Xylitol wrote:
I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E
Maybe it has its own search engine. But I guess there is another pattern to detect track2, or it's a false positive from ESET?
I see it has the typical behavior of a POS: it enumerates all running processes and opens them.
((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)
([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)
(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))
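Added example, not from the thread or from the sample under discussion: it runs the Track 1 / Track 2 regexes quoted in this thread (the older family posted earlier and the three in the post just above) over a constructed buffer standing in for a process memory dump, the way a forensic scanner or DLP check would, and adds a Luhn mod-10 check on the PAN, because a digit run that satisfies these patterns is not necessarily a card number. The patterns are copied verbatim; the dictionary labels, the sample buffer, and the helper names (`scan`, `likely_pans`, `suspect_pans`) are assumptions of this example.

```python
from __future__ import annotations
import re

# Patterns copied verbatim from the thread (older family first, then the later post).
# The dictionary keys are labels chosen for this example, not names used in the thread.
TRACK_PATTERNS = {
    "t1_old_yy07_15": r"((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})",
    "t1_old_yy11_19": r"((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})",
    "t2_old_loose":   r"[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}",
    "t2_old_strict":  r"[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}",
    "t1_new":         r"((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)",
    "t2_new":         r"([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)",
    "t1_t2_new":      r"(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))",
}
COMPILED = {name: re.compile(pat) for name, pat in TRACK_PATTERNS.items()}

# The first 13-19 digit run inside a hit is the PAN (both track formats start with it).
PAN_RE = re.compile(r"[0-9]{13,19}")

# Constructed buffer standing in for a process memory dump. 4111111111111111 is the
# well-known Visa test number (passes Luhn); 5555555555555555 has the right shape
# for track 2 but fails Luhn, so it is a regex hit that should not be escalated.
SAMPLE_MEMORY = (
    "GET /index.html HTTP/1.1\r\n"
    "%B4111111111111111^DOE/JOHN^15121011234567890?"
    ";4111111111111111=15121011234567890?\r\n"
    ";5555555555555555=15121011234567890?\r\n"
    "order id 1234567890123 total 19.99\r\n"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(buf: str) -> list[dict]:
    """Run every pattern over buf and tag each hit with its PAN and Luhn result."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            pan_m = PAN_RE.search(m.group(0))
            pan = pan_m.group(0) if pan_m else ""
            hits.append({"pattern": name, "match": m.group(0),
                         "pan": pan, "luhn_ok": luhn_ok(pan)})
    return hits


def likely_pans(buf: str) -> set[str]:
    """PANs that matched at least one pattern and pass Luhn: worth escalating."""
    return {h["pan"] for h in scan(buf) if h["luhn_ok"]}


def suspect_pans(buf: str) -> set[str]:
    """Pattern hits whose PAN fails Luhn: probable false positives of the regex alone."""
    return {h["pan"] for h in scan(buf) if not h["luhn_ok"]}


if __name__ == "__main__":
    for h in scan(SAMPLE_MEMORY):
        print(f"{h['pattern']:15} luhn={h['luhn_ok']!s:5} {h['match']}")
    print("escalate:", likely_pans(SAMPLE_MEMORY))
    print("suspect: ", suspect_pans(SAMPLE_MEMORY))
```

On the sample buffer every pattern fires at least once, the combined track1+track2 pattern from the post above matches the back-to-back pair, and the Luhn filter separates the one real-looking PAN from the 5555... run that the regexes alone would also report. The older `[3-9]{1}[0-9]{12,19}[D=\u0061]...` pattern is the loosest of the set (it can start mid-number), which is why a scanner built on these should key its findings on the Luhn-validated PAN rather than on the raw match text.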
gritland wrote:
unpacked version of Dexter
unpacked and fixed import table, easy to analyze
bpx VirtualAlloc :mrgreen:

gritland wrote:
unpacked version of Dexter
Very good job, testing/analysing.