Point-of-Sale malwares / RAM scrapers


Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Mon Sep 23, 2013 7:05 am

morgan wrote:I will be really happy if I can play with Dexter v2 or Alina and analyse it in full :) Whoever has it can contact me in PM, thanks

Search the web, a lot of people have already written about how those malware work.
Attached: more Dexter
https://www.virustotal.com/en/file/5ffd ... 379926774/
https://www.virustotal.com/en/file/4eab ... 379927702/
https://www.virustotal.com/en/file/621d ... 379928437/
Sample in the wild:
Code:
hxxp://216.17.21.221/win33.exe
hxxp://216.17.21.221/win32.exe

Re: Point-of-Sale malwares / RAM scrapers

Postby jgrunz » Wed Sep 25, 2013 2:14 pm

Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/

Re: Point-of-Sale malwares / RAM scrapers

Postby bsteo » Fri Sep 27, 2013 5:53 am

jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/


Sample?

Re: Point-of-Sale malwares / RAM scrapers

Postby Horgh » Fri Sep 27, 2013 7:16 am

exitthematrix wrote:
jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/


Sample?

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Fri Sep 27, 2013 10:58 am

Yeah, 6.x isn't really new, but samples are still calling (like the previous Dexter samples)
108.18.167.108 "Alina v6.0"
108.18.57.208 "Alina v6.0"
108.232.70.135 "Alina v6.0"
108.232.72.200 "Alina v6.0"
108.232.72.66 "Alina v6.0"
108.232.76.111 "Alina v6.0"
108.232.77.162 "Alina v6.0"
108.232.77.226 "Alina v6.0"
108.232.78.14 "Alina v6.0"
108.234.80.248 "Alina v5.4"
120.151.182.3 "Alina v5.4"
130.207.203.2 "Alina v6.0"
142.165.103.129 "Alina v6.1"
149.169.172.69 "Alina v5.4"
172.6.54.202 "Alina v6.0"
172.6.55.244 "Alina v6.0"
172.6.61.11 "Alina v6.0"
172.6.61.22 "Alina v6.0"
172.6.61.231 "Alina v6.0"
172.6.61.251 "Alina v6.0"
172.6.62.254 "Alina v6.0"
172.6.63.120 "Alina v6.0"
172.6.63.227 "Alina v6.0"
173.73.2.179 "Alina v6.0"
178.33.169.46 "Alina v6.1"
184.151.61.120 "Alina v6.0"
184.78.108.217 "Alina v6.0"
204.181.64.8 "Alina v6.1"
210.23.128.48 "Alina v5.4"
216.45.179.175 "Alina v6.0"
23.31.103.157 "Alina v6.0"
50.240.91.34 "Alina v6.0"
63.228.188.62 "Alina v5.4"
63.228.188.62 "Alina v6.0"
63.239.219.130 "Alina v5.4"
68.15.59.251 "Alina v5.4"
68.250.186.137 "Alina v6.0"
69.26.109.90 "Alina v5.4"
70.62.182.6 "Alina v5.4"
71.191.232.37 "Alina v6.0"
71.36.26.225 "Alina v5.4"
71.97.114.169 "Alina v5.4"
72.55.114.227 "Alina v5.4"
72.55.114.227 "Alina v6.1"
72.66.82.59 "Alina v5.4"
76.111.10.168 "Alina v6.0"
76.123.41.82 "Alina v5.4"
77.43.56.48 "Alina v5.4"
81.191.184.136 "Alina v6.0"
83.79.166.222 "Alina v6.0"
87.119.221.45 "Alina v6.0"
90.155.82.141 "Alina v5.4"
98.175.26.111 "Alina v6.0"
99.140.138.42 "Alina v5.4"
99.225.23.89 "Alina v6.0"

More recent referers; there are even IPs that call with no referer, but the requests are constructed like Alina's.
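
The list above is the kind of thing that falls out of a web server log once you know the beacon puts its family name and version in the Referer header. As an added example (not code from the post or from any Alina analysis), the script below parses Apache "combined" log lines, aggregates confirmed Alina referers per source IP and version, and then applies Xylitol's second observation: requests with no referer at all that hit the same method and path as a confirmed Alina beacon are reported as suspects. The log lines are constructed; a few IPs are reused from the list above, while the request path /gateway.php, the User-Agent values and the "same path, no referer" heuristic are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (sample input, not from the original post).
# IPs reused from the thread; path, status and User-Agent values are made up.
SAMPLE_LOG = """\
108.232.72.66 - - [27/Sep/2013:10:41:02 +0000] "POST /gateway.php HTTP/1.1" 200 12 "Alina v6.0" "Mozilla/4.0"
63.228.188.62 - - [27/Sep/2013:10:41:09 +0000] "POST /gateway.php HTTP/1.1" 200 12 "Alina v5.4" "Mozilla/4.0"
63.228.188.62 - - [27/Sep/2013:10:52:31 +0000] "POST /gateway.php HTTP/1.1" 200 12 "Alina v6.0" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2013:10:53:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
72.55.114.227 - - [27/Sep/2013:10:55:12 +0000] "POST /gateway.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Sep/2013:10:56:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referer exactly as reported in the thread: family name plus major.minor version.
ALINA_REFERER_RE = re.compile(r'^Alina v(\d+\.\d+)$')


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_alina_beacons(log_text):
    """Return (confirmed, suspect).

    confirmed: {ip: sorted list of Alina versions seen in its Referer}
    suspect:   sorted list of (ip, path) for requests with no Referer that hit
               the same method+path as a confirmed Alina beacon (heuristic).
    """
    confirmed = defaultdict(set)
    beacon_endpoints = set()      # (method, path) pairs hit with an Alina referer
    no_referer = []               # (ip, method, path) for "-" / empty referers

    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        m = ALINA_REFERER_RE.match(rec["referer"])
        if m:
            confirmed[rec["ip"]].add(m.group(1))
            beacon_endpoints.add((rec["method"], rec["path"]))
        elif rec["referer"] in ("", "-"):
            no_referer.append((rec["ip"], rec["method"], rec["path"]))

    suspect = sorted({(ip, path) for ip, method, path in no_referer
                      if (method, path) in beacon_endpoints})
    return {ip: sorted(v) for ip, v in confirmed.items()}, suspect


if __name__ == "__main__":
    confirmed, suspect = find_alina_beacons(SAMPLE_LOG)
    for ip, versions in sorted(confirmed.items()):
        print(ip, " ".join('"Alina v%s"' % v for v in versions))
    for ip, path in suspect:
        print(ip, "no referer, same endpoint as Alina:", path)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; an IP that shows up with two versions (as 63.228.188.62 and 72.55.114.227 do in the list above) is aggregated into one entry, and the no-referer heuristic deliberately fires only on endpoints that a confirmed beacon has already touched, so ordinary browsers without a Referer are not flagged.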

Re: Point-of-Sale malwares / RAM scrapers

Postby btclord » Fri Oct 04, 2013 1:13 am

Horgh wrote:
exitthematrix wrote:
jgrunz wrote:Not terribly new, but Alina 6.0--

https://www.virustotal.com/en/file/e241 ... /analysis/


Sample?



can anyone unpack this? i am not able to unpack it.

Re: Point-of-Sale malwares / RAM scrapers

Postby EP_X0FF » Fri Oct 04, 2013 2:36 am

btclord wrote:can anyone unpack this? i am not able to unpack it.


bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb
https://www.virustotal.com/en/file/1a26 ... 386173829/

Re: Point-of-Sale malwares / RAM scrapers

Postby bsteo » Fri Oct 04, 2013 7:47 am

EP_X0FF wrote:
btclord wrote:can anyone unpack this? i am not able to unpack it.


bp CreateProcessW, dump memory, upx -d.

C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb


Thanks for the unpacked binary. Seems they compiled it in debug mode, so much info in the PE file :)
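
Once the UPX layer is off, the debug build gives itself away: the CodeView record in the PE carries the full path to the developer's .pdb, as EP_X0FF's C:\Users\dice\...\Debug\alina_dex.pdb shows. As an added example (not code from the post), the triage helper below scans a dumped binary for two things a practitioner checks at this step: UPX section/trailer markers that say "run upx -d first", and RSDS records (the 'RSDS' signature followed by a 16-byte GUID, a 4-byte age and a NUL-terminated PDB path) from which the path is recovered. It works on raw bytes rather than a PE parser so it also runs over partial memory dumps. The two sample blobs are constructed (the GUID is made up; the PDB path reuses the one quoted in the thread), and the "\Debug\" directory test as a debug-build indicator is an assumption.

```python
import struct
import uuid

# Markers UPX leaves behind: default section names and the "UPX!" trailer.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
MAX_PDB_PATH = 260  # Windows MAX_PATH, used as a sanity bound on the path length


def upx_markers(data):
    """Return which UPX markers occur anywhere in the buffer."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def extract_rsds_pdb_paths(data):
    """Find CodeView RSDS records and return [{guid, age, pdb}] for each one.

    Layout: 'RSDS' | GUID (16 bytes, little-endian mixed) | age (uint32) | path\\0
    """
    results = []
    pos = data.find(b"RSDS")
    while pos != -1:
        path_start = pos + 24
        end = data.find(b"\x00", path_start)
        if end != -1 and 0 < end - path_start <= MAX_PDB_PATH:
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            try:
                path = data[path_start:end].decode("ascii")
            except UnicodeDecodeError:
                path = None
            # Only accept records whose path actually names a .pdb; 'RSDS' can
            # occur by chance in other data.
            if path and path.lower().endswith(".pdb"):
                results.append({"guid": str(guid), "age": age, "pdb": path})
        pos = data.find(b"RSDS", pos + 4)
    return results


def triage(data):
    """Summarise packer markers and debug leakage for one binary or dump."""
    pdbs = extract_rsds_pdb_paths(data)
    return {
        "upx": upx_markers(data),
        "pdb": pdbs,
        # Assumption for the example: a "\Debug\" component in the PDB path
        # indicates a Debug (not Release) build configuration.
        "debug_build": any("\\Debug\\" in r["pdb"] for r in pdbs),
    }


# Constructed sample inputs (not real samples).
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
DEBUG_SAMPLE = (b"MZ" + b"\x00" * 62
                + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1)
                + b"C:\\Users\\dice\\Desktop\\src\\grab\\Debug\\alina_dex.pdb\x00"
                + b"\x00" * 16)
PACKED_SAMPLE = (b"MZ" + b"\x00" * 62
                 + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36
                 + b"UPX!" + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("debug_sample", DEBUG_SAMPLE), ("packed_sample", PACKED_SAMPLE)):
        print(name, triage(blob))
```

On a real file: `triage(open(path, "rb").read())`. A non-empty "upx" list on a sample with no RSDS record is the hint that you are still looking at the packer stub and need the dump-and-`upx -d` step first; the RSDS GUID and age are also what a symbol server is keyed on, so they are worth recording alongside the path.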

Re: Point-of-Sale malwares / RAM scrapers

Postby bsteo » Mon Oct 07, 2013 3:50 pm

Interesting sh*t, KINS and Alina POS malware sources are selling on some forums for $2000 (TF)

Re: Point-of-Sale malwares / RAM scrapers

Postby grum » Mon Oct 07, 2013 6:47 pm

:D on hand with me, KINS ~ $300 full src :lol:
