Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Fri Apr 19, 2013 12:24 pm

Nothing new in the VISA report, we already know all these files.
Infostealer.Somabix attached; I've sent the sample to ESET for detection. I've read the Symantec review and it seems to be another already-seen thing targeting Retalix POS software.
https://www.virustotal.com/fr/file/320a ... 366373692/
edit: Now known by Microsoft as TrojanSpy:Win32/PointOfSale.A


bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Fri May 10, 2013 11:57 am

Good read. Anyway, does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8

Alina's panel is at: hxtp://208.98.63.228/wordpress/sam.php

208.98.63.228 ssh 22/tcp Secure Shell - RSA encrypted rsh
208.98.63.228 http 80/tcp www www-http World Wide Web HTTP
#208.98.63.228 www 80/tcp World Wide Web HTTP [TXL]
208.98.63.228 sunrpc 111/tcp rpcbind SUN Remote Procedure Call
208.98.63.228 unknown 3306/tcp unassigned
208.98.63.228 unknown 46228/tcp unassigned

SSH and MySQL open, time for a little brute? :)
Last edited by Xylitol on Fri May 10, 2013 1:46 pm, edited 1 time in total.
Reason: http obfuscation

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Fri May 10, 2013 1:04 pm

exitthematrix wrote: Anyway does somebody have the sample from this read? MD5 is c9e5752eea81f7d3521b1d2232afd3b8
Alina 3.5. Maybe I will do a small response post for SpiderLabs about the C&C, but not today, I've already posted something.
Also about the panel of this one: wordpress/admin.php


Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Fri May 24, 2013 4:28 pm

Wow, Josh Grunzweig has really done heavy work.

List of hashes and the associated Alina version:

Attached:
https://www.virustotal.com/en/file/195d ... 369412682/
https://www.virustotal.com/en/file/442d ... 369412684/
https://www.virustotal.com/en/file/8782 ... 369412688/
https://www.virustotal.com/en/file/e4a4 ... 369412690/

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Mon May 27, 2013 1:09 am

Alina 5.6 attached
https://www.virustotal.com/en/file/2cb5 ... 369616232/
Josh Grunzweig will be interested ;)
unpacked: https://www.virustotal.com/en/file/334c ... 369689145/
Compilation timestamp: 2013-05-16 23:58:26