Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1659
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Mon Sep 23, 2013 7:05 am

morgan wrote:I will be really happy if I can play with Dexter v2 or Alina and analyse it in full :) Whoever has it can contact me in PM, thanks.
Search the web, a lot of people have already written about how those malwares work.
Attached, more Dexter:
https://www.virustotal.com/en/file/5ffd ... 379926774/
https://www.virustotal.com/en/file/4eab ... 379927702/
https://www.virustotal.com/en/file/621d ... 379928437/
Sample in the wild:

hxxp://216.17.21.221/win33.exe
hxxp://216.17.21.221/win32.exe

jgrunz
Posts: 4
Joined: Tue May 29, 2012 9:28 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by jgrunz » Wed Sep 25, 2013 2:14 pm

Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Fri Sep 27, 2013 5:53 am

jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/
Sample?

Horgh
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France

Re: Point-of-Sale malwares / RAM scrapers

Post by Horgh » Fri Sep 27, 2013 7:16 am

exitthematrix wrote:
jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/
Sample?

Xylitol
Global Moderator
Posts: 1659
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Fri Sep 27, 2013 10:58 am

Yeah, 6.x isn't really new, but samples are still calling (like the previous samples of Dexter):
108.18.167.108 "Alina v6.0"
108.18.57.208 "Alina v6.0"
108.232.70.135 "Alina v6.0"
108.232.72.200 "Alina v6.0"
108.232.72.66 "Alina v6.0"
108.232.76.111 "Alina v6.0"
108.232.77.162 "Alina v6.0"
108.232.77.226 "Alina v6.0"
108.232.78.14 "Alina v6.0"
108.234.80.248 "Alina v5.4"
120.151.182.3 "Alina v5.4"
130.207.203.2 "Alina v6.0"
142.165.103.129 "Alina v6.1"
149.169.172.69 "Alina v5.4"
172.6.54.202 "Alina v6.0"
172.6.55.244 "Alina v6.0"
172.6.61.11 "Alina v6.0"
172.6.61.22 "Alina v6.0"
172.6.61.231 "Alina v6.0"
172.6.61.251 "Alina v6.0"
172.6.62.254 "Alina v6.0"
172.6.63.120 "Alina v6.0"
172.6.63.227 "Alina v6.0"
173.73.2.179 "Alina v6.0"
178.33.169.46 "Alina v6.1"
184.151.61.120 "Alina v6.0"
184.78.108.217 "Alina v6.0"
204.181.64.8 "Alina v6.1"
210.23.128.48 "Alina v5.4"
216.45.179.175 "Alina v6.0"
23.31.103.157 "Alina v6.0"
50.240.91.34 "Alina v6.0"
63.228.188.62 "Alina v5.4"
63.228.188.62 "Alina v6.0"
63.239.219.130 "Alina v5.4"
68.15.59.251 "Alina v5.4"
68.250.186.137 "Alina v6.0"
69.26.109.90 "Alina v5.4"
70.62.182.6 "Alina v5.4"
71.191.232.37 "Alina v6.0"
71.36.26.225 "Alina v5.4"
71.97.114.169 "Alina v5.4"
72.55.114.227 "Alina v5.4"
72.55.114.227 "Alina v6.1"
72.66.82.59 "Alina v5.4"
76.111.10.168 "Alina v6.0"
76.123.41.82 "Alina v5.4"
77.43.56.48 "Alina v5.4"
81.191.184.136 "Alina v6.0"
83.79.166.222 "Alina v6.0"
87.119.221.45 "Alina v6.0"
90.155.82.141 "Alina v5.4"
98.175.26.111 "Alina v6.0"
99.140.138.42 "Alina v5.4"
99.225.23.89 "Alina v6.0"
More recent referers; there are even IPs that call with no referer, but the requests are constructed like Alina's.
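
The list above is what you get by pulling the "Alina vX.Y" string the bot sends with each request out of a gate's access log. As an added example (not code from the thread or from any Alina analysis), the Python below does that over constructed combined-format log lines: it collects (IP, version) pairs from requests whose User-Agent is exactly "Alina vX.Y", sorts them the way the list above is sorted, and separately flags hosts that send no User-Agent but hit the same method and path as a confirmed Alina client, which is the "no referer, but the request is built like Alina" case. The sample lines, the gate path /alina/gate.php and the 10.0.0.5 / 192.0.2.77 hosts are constructed; the other three IPs are copied from the list.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format; they are NOT
# taken from the post. The gate path /alina/gate.php is a placeholder.
SAMPLE_LOG = """\
108.18.167.108 - - [27/Sep/2013:10:12:01 +0000] "POST /alina/gate.php HTTP/1.1" 200 12 "-" "Alina v6.0"
108.234.80.248 - - [27/Sep/2013:10:12:05 +0000] "POST /alina/gate.php HTTP/1.1" 200 12 "-" "Alina v5.4"
63.228.188.62 - - [27/Sep/2013:10:13:09 +0000] "POST /alina/gate.php HTTP/1.1" 200 12 "-" "Alina v5.4"
63.228.188.62 - - [27/Sep/2013:10:14:10 +0000] "POST /alina/gate.php HTTP/1.1" 200 12 "-" "Alina v6.0"
10.0.0.5 - - [27/Sep/2013:10:15:00 +0000] "POST /alina/gate.php HTTP/1.1" 200 12 "-" "-"
192.0.2.77 - - [27/Sep/2013:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Exact match on purpose: a browser UA that merely contains "Alina" is not a bot.
ALINA_UA_RE = re.compile(r"^Alina v(\d+\.\d+)$")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_alina(log_text):
    """Return (confirmed, suspect).

    confirmed: sorted list of (ip, version) pairs taken from "Alina vX.Y" User-Agents.
    suspect:   sorted IPs that sent no User-Agent but hit a method+path that a
               confirmed Alina client also used (the "built like Alina" requests).
    """
    confirmed = set()
    alina_endpoints = set()   # (method, path) pairs seen from confirmed clients
    no_ua = []                # held back until all endpoints are known
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = ALINA_UA_RE.match(rec["ua"])
        if m:
            confirmed.add((rec["ip"], m.group(1)))
            alina_endpoints.add((rec["method"], rec["path"]))
        elif rec["ua"] in ("", "-"):
            no_ua.append(rec)
    suspect = sorted({r["ip"] for r in no_ua
                      if (r["method"], r["path"]) in alina_endpoints})
    return sorted(confirmed), suspect


def version_counts(confirmed):
    """How many distinct hosts run each Alina version."""
    return Counter(version for _ip, version in confirmed)


def report(log_text):
    """Render the result in the same 'ip "Alina vX.Y"' shape as the list in the post."""
    confirmed, suspect = find_alina(log_text)
    lines = [f'{ip} "Alina v{ver}"' for ip, ver in confirmed]
    lines += [f"{ip} (no User-Agent, Alina-style request)" for ip in suspect]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

String sorting is used deliberately so the output orders "23.x" after "216.x", matching the list above; switch to ipaddress.ip_address as the sort key if you want numeric order.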

btclord
Posts: 4
Joined: Sun Sep 22, 2013 12:45 am

Re: Point-of-Sale malwares / RAM scrapers

Post by btclord » Fri Oct 04, 2013 1:13 am

Horgh wrote:
exitthematrix wrote:
jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/
Sample?

Can anyone unpack this? I am not able to unpack it.

EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Point-of-Sale malwares / RAM scrapers

Post by EP_X0FF » Fri Oct 04, 2013 2:36 am

btclord wrote:can anyone unpack this? i am not able to unpack it.
bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb
https://www.virustotal.com/en/file/1a26 ... 386173829/
Ring0 - the source of inspiration

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Fri Oct 04, 2013 7:47 am

EP_X0FF wrote:
btclord wrote:can anyone unpack this? i am not able to unpack it.
bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb
Thanks for the unpacked binary. Seems they compiled it in debug mode, so much info in the PE file :)
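
The PDB path EP_X0FF pasted lives in the CodeView "RSDS" record that a debug build of MSVC writes into the binary: the "RSDS" tag, a 16-byte GUID (stored little-endian), a 32-bit age and the NUL-terminated path to the .pdb. The Python below is an added example (not code from the thread) that carves such records straight out of a raw byte image, so it works on the memory dump from the "bp CreateProcessW, dump memory, upx -d" step as well as on the file on disk, and derives the GUID+age key and build directory that are the usual pivots. Only the PDB path is taken from the post; the GUID, the age and the bytes around the record are constructed.

```python
import struct
import uuid
from typing import List, NamedTuple

RSDS_SIG = b"RSDS"
MAX_PATH_BYTES = 512   # sanity bound on the NUL-terminated path


class RsdsInfo(NamedTuple):
    offset: int       # byte offset of the "RSDS" signature in the image
    guid: uuid.UUID   # PDB GUID (record stores it little-endian)
    age: int          # PDB age
    pdb_path: str     # path to the .pdb on the build machine


def carve_rsds(data: bytes) -> List[RsdsInfo]:
    """Scan a raw image (PE on disk or a memory dump) for CodeView RSDS records:
    b"RSDS" | GUID (16 bytes, LE) | age (u32 LE) | NUL-terminated path.
    No PE header parsing, so it still works on partial or damaged dumps."""
    found = []
    pos = data.find(RSDS_SIG)
    while pos >= 0:
        body = pos + 4
        if body + 20 <= len(data):
            guid = uuid.UUID(bytes_le=bytes(data[body:body + 16]))
            (age,) = struct.unpack_from("<I", data, body + 16)
            end = data.find(b"\x00", body + 20, body + 20 + MAX_PATH_BYTES)
            if end > body + 20:
                try:
                    path = data[body + 20:end].decode("ascii")
                except UnicodeDecodeError:
                    path = ""
                # Reject chance "RSDS" byte matches: a real record names a .pdb.
                if path.isprintable() and path.lower().endswith(".pdb"):
                    found.append(RsdsInfo(pos, guid, age, path))
        pos = data.find(RSDS_SIG, pos + 1)
    return found


def symbol_server_key(info: RsdsInfo) -> str:
    """GUID+age string (uppercase hex, no dashes) under which a symbol server files this PDB."""
    return f"{info.guid.hex.upper()}{info.age:X}"


def pdb_project_dir(pdb_path: str) -> str:
    """Directory part of a Windows PDB path, e.g. to pivot on the user name and project layout."""
    return pdb_path.rsplit("\\", 1)[0]


# Constructed sample image. The PDB path is the one quoted in the thread; the GUID,
# the age and the bytes around the record are made up. The first "RSDS" is a decoy
# inside a plain string and must not be reported.
SAMPLE_GUID = uuid.UUID("a1b2c3d4-e5f6-0718-293a-4b5c6d7e8f90")
SAMPLE_AGE = 3
SAMPLE_PATH = r"C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb"
SAMPLE_PREFIX = b"MZ\x90\x00" + b"\x00" * 16 + b"RSDS is just a string here\x00" + b"\x00" * 8
SAMPLE_BLOB = (
    SAMPLE_PREFIX
    + RSDS_SIG + SAMPLE_GUID.bytes_le + struct.pack("<I", SAMPLE_AGE)
    + SAMPLE_PATH.encode("ascii") + b"\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for rec in carve_rsds(SAMPLE_BLOB):
        print(f"{rec.offset:#x} {symbol_server_key(rec)} {rec.pdb_path}  (dir: {pdb_project_dir(rec.pdb_path)})")
```

Run it over a dump with `carve_rsds(open(path, "rb").read())`; the path string is also what you search for on VirusTotal or a corpus to find other builds from the same operator, and the GUID+age key ties different packed layers of one build together.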

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Mon Oct 07, 2013 3:50 pm

Interesting sh*t, KINS and Alina POS malware sources are selling on some forums for $2000 (TF).

grum
Posts: 38
Joined: Tue Nov 06, 2012 12:16 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by grum » Mon Oct 07, 2013 6:47 pm

:D on hand with me, KINS ~$300 full src :lol:
