A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18065  by bsteo
 Wed Feb 06, 2013 5:39 pm
Oh, thanks! Good report.
Anyway, are you sure you unpacked it properly, or did you just dump the Iexplore.exe memory where Dexter was infected?
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\admin.unknown\Downloads\Infostealer.Dexter\3.exe
C:\Users\admin.unknown\Downloads\Infostealer.Dexter\3.exe
If you did and this is the case with it, then injecting directly into "C:\Program Files\Internet Explorer\iexplore.exe" is the dumbest thing I ever saw in a malware in my life! Seems he never heard about the Windows APIs for getting such paths as generically as he could :)
 #18066  by Xylitol
 Wed Feb 06, 2013 6:09 pm
Hello, POSCardStealer.E in attachment
in the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/
Attachment: infected (37.61 KiB), downloaded 127 times
 #18068  by Buster_BSA
 Wed Feb 06, 2013 6:36 pm
Xylitol wrote:Hello, POSCardStealer.E in attachment
in the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/
How does this malware search for credit card information?

Other POS malware I have reviewed contained regexes like:

((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}
[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}

I do not see something like that in this one.
 #18069  by Xylitol
 Wed Feb 06, 2013 6:47 pm
Buster_BSA wrote:
Xylitol wrote:Hello, POSCardStealer.E in attachment
in the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/
How does this malware search for credit card information?

Other POS malware I have reviewed contained regexes like:

((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}
[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}

I do not see something like that in this one.
I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track2, or is it a false positive from ESET?
 #18070  by Buster_BSA
 Wed Feb 06, 2013 6:57 pm
Xylitol wrote:I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track2, or is it a false positive from ESET?
Maybe it has its own search engine.

I see it has the typical behavior of a POS stealer: it enumerates all running processes and opens them.
 #18071  by bsteo
 Wed Feb 06, 2013 7:28 pm
Buster_BSA wrote:
Xylitol wrote:I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track2, or is it a false positive from ESET?
Maybe it has its own search engine.

I see it has the typical behavior of a POS stealer: it enumerates all running processes and opens them.
The same:
((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)
([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)
(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))
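As an added example (not code from the thread or from the malware), the following Python script runs bsteo's three patterns from the post above, plus one of Buster_BSA's older track 2 patterns from earlier in the thread for comparison, over a constructed buffer standing in for scraped POS process memory. It then pulls the PAN out of each hit and applies a Luhn check, which none of the posted patterns do, to drop hits that cannot be valid card numbers. The sample buffer, the 4111 1111 1111 1111 test PAN and the Luhn filter are my additions; the regexes are copied verbatim from the posts.

```python
import re

# bsteo's three patterns from the post above: track 1, track 2, and a track 1 + track 2 pair.
TRACK1 = re.compile(
    r"((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)"
)
TRACK2 = re.compile(r"([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)")
PAIR = re.compile(
    r"(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)"
    r"[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))"
)
# Buster_BSA's track 2 pattern from earlier in the thread; note it accepts expiry years 07-15,
# while bsteo's patterns accept 12-19. Hard-coded year windows age out of a sample.
OLD_TRACK2 = re.compile(r"[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}")

PATTERNS = {"track1": TRACK1, "track2": TRACK2, "pair": PAIR, "old_track2": OLD_TRACK2}

# Constructed sample of what a scraped POS process buffer might hold (not real memory).
# 4111 1111 1111 1111 is the well-known Visa test number, not a real card.
SAMPLE = (
    b"\x00\x00MZ\x90\x00filler bytes before the swipe buffer\x00"
    # track 1 and track 2 of one swipe, as a POS application holds them after reading a card
    b"%B4111111111111111^DOE/JOHN^1512101000000000?;4111111111111111=15121010000000000000?"
    b"\x00\x00"
    # same layout, but the PAN fails the Luhn check: a regex hit that cannot be a real card
    b";4111111111111112=15121010000000000000?"
    b"\x00"
    # expiry year 11 is outside the 12-19 window bsteo's patterns accept
    b";4111111111111111=11121010000000000000?"
    b"\x00done"
)


def scan_buffer(buf: bytes) -> dict:
    """Run every pattern over the buffer. latin-1 maps each byte to exactly one character,
    so binary filler around the track data cannot break the decode."""
    text = buf.decode("latin-1")
    return {name: [m.group(0) for m in rx.finditer(text)] for name, rx in PATTERNS.items()}


def pan_from_hit(hit: str) -> str:
    """Both track formats start with an optional %B sentinel followed by the PAN digits."""
    return re.match(r"%?[Bb]?([0-9]{13,19})", hit).group(1)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right, fold digits over 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filter_luhn(hits: list) -> list:
    """Keep only hits whose PAN passes Luhn; cheap way to drop junk the regex alone lets through."""
    return [h for h in hits if luhn_ok(pan_from_hit(h))]


if __name__ == "__main__":
    results = scan_buffer(SAMPLE)
    for name, hits in results.items():
        print(f"{name}: {len(hits)} hit(s), {len(filter_luhn(hits))} pass Luhn")
        for h in hits:
            print(f"  {h!r} luhn={luhn_ok(pan_from_hit(h))}")
```

Run against the constructed buffer, bsteo's track 2 pattern fires twice (once on the Luhn-failing decoy) and misses the year-11 record, while the older pattern fires on all three; the Luhn filter removes the decoy in both cases. When checking a sample's own scraper, swap SAMPLE for a dump of the target process and compare which records each pattern family recovers.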
 #18078  by bsteo
 Thu Feb 07, 2013 10:24 am
gritland wrote:unpacked version of Dexter
bpx VirtualAlloc :mrgreen:
unpacked and fixed import table, easy to analyze
Very good job, testing/analysing.