[Xylitol]

Hi Guys ,

I have been looking for samples PWS:Win32/Dexter.B . the samples which we have in forum are of PWS:Win32/Dexter.A , may be new variation has been noticed by the Microsoft team ,
http://www.microsoft.com/security/porta ... er.B#tab=2

Any one with PWS:Win32/Dexter.B samples !

Warm Regards

Leeno

http://www.kernelmode.info/forum/viewto ... 756#p17147
70feec581cd97454a74a0d7c1d3183d1 please search before asking

[Xylitol]

https://www.virustotal.com/en/file/819a ... 385911488/

[bsteo]

https://www.virustotal.com/en/file/819a ... 385911488/

Thanks dude! Is some new version?

[Xylitol]

latest, there is no build version in this one, the source was probably sold to someone

[bsteo]

latest, there is no build version in this one, the source was probably sold to someone

So it should be 7.* Just found out from the bad guys that the latest Alina version is v7

[bsteo]

Some new POS malware I found on a compromised Backoffice server.

MD5 hash: a5a89dc69c4d3fa47a88b379179626c7
SHA1 hash: d2b1dccbb3a3a6e0ed5d55a89b4c04af192b414a

- crypted/packed with a VB crypter
- drops itself to %APPDATA\NET Framework\msdll32.exe, creates also two files in the same location: nt01.dat, nthome.dat
- tries to communicate with two HTTP panels, at least to fetch some configs:

Code: Select all

www.localhost0x2.net/config/config_01.bin
lucky-dumps.biz/config/config_01.bin

from the first one gets the file with the following encrypted and base64 encoded data:

Code: Select all

gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

- creates a MUTEX "_NEW_HOOK10"
- adds itself to autorun

http://camas.comodo.com/cgi-bin/submit? ... ec498571a6

I didn't try to decrypt/unpack it because I'm not home and no tools here.
https://www.virustotal.com/en/file/639a ... 386174185/

[bsteo]

Two new malware files from the same Backoffice as above, didn't have the chance to check them.
https://www.virustotal.com/en/file/c1ce ... 386174129/
https://www.virustotal.com/en/file/bdce ... 386174130/

[Xylitol]

http://www.kernelmode.info/forum/viewto ... 140#p21549
This is projecthook (or the mod), haven't looked the rest.
Also in attachement a pos malware that i received in august from an infected retailer, no idea if i should do a post about this.
https://www.virustotal.com/en/file/746c ... 376958328/
decebal: https://www.virustotal.com/en/file/af72 ... 386206269/ doen't look a pos malware too me another pe embedded in ressource, again vb6

[Xylitol]

checked your second file and this is darkomet not a pos malware

Code: Select all

#BEGIN DARKCOMET DATA --
PWD={xaxa23}
MUTEX={xaxa23}
SID={Jiji}
FWB={0}
NETDATA={davincii.no-ip.biz:1604}
GENCODE={VinoFfiKathi}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC32\msdcsc32.exe}
KEYNAME={MicroUpdate32}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={1}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
OFFLINEK={1}
#EOF DARKCOMET DATA --

[EP_X0FF]

IntelCrawler: "17-years-old teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon"

http://intelcrawler.com/about/press08
http://www.kernelmode.info/forum/search ... s=BlackPOS