A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20892  by Xylitol
 Sat Sep 21, 2013 8:35 am
Unknown PoS malware, similar to ProjectHook.
found on a previously infected machine as replacement for Dexter
https://www.virustotal.com/en/file/1c6e ... 379752374/

It call
Code: Select all
htxp://193.109.68.10:80/3VEjLtintFETnAenGM3h5yg4pHnREw/index.php
You do not have the required permissions to view the files attached to this post.
 #20895  by Xylitol
 Sat Sep 21, 2013 2:32 pm
Have you even looked the content of this thread ? there is Alina samples in almost every page.
Dexter v2: http://www.kernelmode.info/forum/viewto ... 110#p20877
Alina 5.6: http://www.kernelmode.info/forum/viewto ... 100#p19430
 #20899  by Xylitol
 Sat Sep 21, 2013 3:36 pm
i doubt someone will post the source :|
In attach another Dexter i've extracted from infected PoS system
https://www.virustotal.com/en/file/b592 ... 379779988/
You do not have the required permissions to view the files attached to this post.
 #20901  by btclord
 Sun Sep 22, 2013 12:59 am
i tried to play with dexter and what i am getting is encrypted text to my website.
how to get these strings decrrypted to know what is really uploading? is there php files or panel source?
 #20905  by Xylitol
 Sun Sep 22, 2013 7:47 am
btclord wrote:i tried to play with dexter and what i am getting is encrypted text to my website.
how to get these strings decrrypted to know what is really uploading? is there php files or panel source?
xor/base64
http://cybercrime-tracker.net/dexter.php
In attach another Dexter sample, and same, extracted from infected PoS.
https://www.virustotal.com/en/file/db5c ... 379848040/
You do not have the required permissions to view the files attached to this post.
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 25