# Dec 2012 Dexter - POS Infostealer samples and information

**[contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html](http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html)**

End of the year presents: a Point of Sale (POS) infostealer, aka Dexter. I got 3 more "tester-type" samples and added them below, in addition to the well known 4 samples mentioned by Seculert. You can read more about it here:

- [Seculert: Dexter - Draining blood out of Point of Sales](http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html)
- [TrendMicro: Infostealer Dexter Targets Checkout Systems](http://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/)
- Verizon: [Dexter: More of the same, or hidden links?](http://securityblog.verizonbusiness.com/2012/12/14/dexter-more-of-the-same-or-hidden-links/)
- [Volatility Labs: Unpacking Dexter POS "Memory Dump Parsing" Malware](http://volatility-labs.blogspot.ca/2012/12/unpacking-dexter-pos-memory-dump.html)
- [Trustwave SpiderLabs: The Dexter Malware: Getting Your Hands Dirty](http://blog.spiderlabs.com/2012/12/the-dexter-malware-getting-your-hands-dirty.html)
- Symantec: [Infostealer.Dexter](http://www.symantec.com/security_response/writeup.jsp?docid=2012-121219-2643-99&tabid=2)

**Files**

The following are MD5 and SHA256 hashes of Dexter related malware samples (the MD5s are those listed in Seculert: Dexter - Draining blood out of Point of Sales):

| # | MD5 | SHA256 |
|---|-----|--------|
| 1 | 70feec581cd97454a74a0d7c1d3183d1 | cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785 |
| 2 | 2d48e927cdf97413523e315ed00c90ab | 94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc |
| 3 | ed783ccea631bde958ac64185ca6e6b6 | fb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241 |
| 4 | f84599376e35dbe1b33945b64e1ec6ab | b27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e |

**Additional Files**

| # | MD5 | SHA256 |
|---|-----|--------|
| 5 | 1f03568616524188425f92afbea3c242 | bdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4 |
| 6 | 65f5b1d0fcdaff431eec304a18fb1bd6 | 7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674 |
| 7 | 560566573de9df114677881cf4090e79 | 28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438 |

**Download**

Download 7 samples listed above (email me if you need the password)

**General information**

Samples 2d48e927cdf97413523e315ed00c90ab, f84599376e35dbe1b33945b64e1ec6ab and ed783ccea631bde958ac64185ca6e6b6 (Seculert MD5s) all contain `http://193.107.17.126/test/gateway.php` for C2 communications (Verizon: [Dexter: More of the same, or hidden links?](http://securityblog.verizonbusiness.com/2012/12/14/dexter-more-of-the-same-or-hidden-links/)).

The string `U:\FirmWork\Studio\Common\Bin.exe` is found in:

- **ed783ccea631bde958ac64185ca6e6b6 (Seculert MD5)**
- **2d48e927cdf97413523e315ed00c90ab (Seculert MD5)**
- **f84599376e35dbe1b33945b64e1ec6ab (Seculert MD5)**
- 560566573de9df114677881cf4090e79
- 1f03568616524188425f92afbea3c242
- 65f5b1d0fcdaff431eec304a18fb1bd6

The string `@@PAUH` is found in all 9 files.

**Individual file information**

**1. 70feec581cd97454a74a0d7c1d3183d1 (Seculert MD5)**

SHA256: cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785

- Dropped as `%userprofile%\Application Data\fubqq\fubqq.exe`, injected in iexplore.exe
- C2: e.g. `POST http://fabcaa97871555b68aa095335975e613.com:80/portal1/gateway.php`, or any of the domains below (Verizon: [Dexter: More of the same, or hidden links?](http://securityblog.verizonbusiness.com/2012/12/14/dexter-more-of-the-same-or-hidden-links/)):

_11e2540739d7fbea1ab8f9aa7a107648.com_
_7186343a80c6fa32811804d23765cda4.com_
_e7dce8e4671f8f03a040d08bb08ec07a.com_
_e7bc2d0fceee1bdfd691a80c783173b4.com_
_815ad1c058df1b7ba9c0998e2aa8a7b4.com_
_67b3dba8bc6778101892eb77249db32e.com_
_fabcaa97871555b68aa095335975e613.com_

Conversations:

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes |
|---|---|---|---|---|---|---|
| 173.255.196.136 <-> 172.16.253.130 | 150 | 37230 | 120 | 7200 | 270 | 44430 |
| 172.16.253.255 <-> 172.16.253.1 | 107 | 35324 | 0 | 0 | 107 | 35324 |

ASCII strings:

```
GetSystemWindowsDirectoryW
KERNEL32.dll
C:\Debugger.fgh
,vr1
---snip---
ModuleReplace.exe
LoadMemberData
?RenameCommand@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
?RenameFortation@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
?RenameHerbal@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
?RenameLoadMac@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
?RenameOptimize@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
?RenameTest@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName      Microsoft Corporation
FileDescription  Microsoft Help and Support
FileVersion      6.1.7600.16385 (win7_rtm.090713-1255)
InternalName     HelpPane.exe
LegalCopyright   Microsoft Corporation. All rights reserved.
OriginalFilename HelpPane.exe
ProductName      Microsoft Windows Operating System
ProductVersion   6.1.7600.16385
```

**2. 2D48E927CDF97413523E315ED00C90AB (Seculert MD5)**

SHA256: 94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc

- Dropped as `%userprofile%\Application Data\pmnnw\pmnnw.exe`
- C2: `http://193.107.17.126:80/test/gateway.php`

Conversations:

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes |
|---|---|---|---|---|---|---|
| 172.16.253.255 <-> 172.16.253.1 | 1003 | 335116 | 0 | 0 | 1003 | 335116 |
| 193.107.17.126 <-> 172.16.253.130 | 264 | 16368 | 88 | 5280 | 352 | 21648 |

ASCII strings:

```
T7M
#nR
U:\FirmWork\Studio\Common\Bin.exe
AssistCoop.exe
?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
```

pcap and traffic same as above.

**3. ED783CCEA631BDE958AC64185CA6E6B6 (Seculert MD5)**

SHA256: fb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241

- Dropped as `%userprofile%\Application Data\jikmr\jikmr.exe`
- C2: `http://193.107.17.126:80/test/gateway.php`

Conversations:

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes |
|---|---|---|---|---|---|---|
| 172.16.253.255 <-> 172.16.253.1 | 108 | 35676 | 0 | 0 | 108 | 35676 |
| 193.107.17.126 <-> 172.16.253.129 | 30 | 1860 | 9 | 540 | 39 | 2400 |

ASCII strings:

```
pbk
}64
U:\FirmWork\Studio\Common\Bin.exe
Vljdsevr
----snip----
SHLWAPI.dll
TeamReg.exe
?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z
?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
```

**4. F84599376E35DBE1B33945B64E1EC6AB (Seculert MD5)**

SHA256: b27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e

- Dropped as `%userprofile%\Application Data\yebcs\yebcs.exe`
- C2: `http://193.107.17.126:80/test/gateway.php`

ASCII strings:

```
TkJ
U:\FirmWork\Studio\Common\Bin.exe
Kagtklnuhjchep
Trebuchet MS
------snip-----------
GetQueueStatus
USER32.dll
TeamReg.exe
?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z
?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
```

**Additional samples**

**5. 1F03568616524188425F92AFBEA3C242**

SHA256: bdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4

- Dropped as `%userprofile%\Application Data\pstwx\pstwx.exe`
- Persistence: `\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` -> `%userprofile%\Application Data\pstwx\pstwx.exe`
- **Injected in iexplore.exe**
- C2: `http://193.107.17.126:80/test/gateway.php`

```
Process ID: 2756 (iexplore.exe)
Process doesn't appear to be a service

PID   Proto  Port  Local IP        State     Remote IP:Port
2756  TCP    1130  172.16.253.129  SYN SENT  193.107.17.126:80
```

Conversations:

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes |
|---|---|---|---|---|---|---|
| 172.16.253.255 <-> 172.16.253.1 | 13 | 3016 | 0 | 0 | 13 | 3016 |
| 193.107.17.126 <-> 172.16.253.129 | 3 | 186 | 1 | 60 | 4 | 246 |

WHOIS:

```
Source:        RIPE NCC
IP Address:    193.107.17.126
Country:       Seychelles
Network Name:  IDEALSOLUTION
Owner Name:    Ideal Solution Ltd
From IP:       193.107.16.0
To IP:         193.107.19.255
Allocated:     Yes
Contact Name:  Ideal Solution NOC
Address:       Sound & Vision House, Francis Rachel Str., Victoria, Mahe, Seychelles
Email:         ideal.solutions.org@gmail.com
```

However, the real location is in Russia:

- [http://bgp.he.net/AS58001#_whois](http://bgp.he.net/AS58001#_whois)
- [http://bgp.he.net/AS58001#_peers](http://bgp.he.net/AS58001#_peers)

```
role:     Ideal Solution NOC
address:  Sound & Vision House, Francis Rachel Str.
address:  Victoria, Mahe, Seychelles
remarks:  ***************************************
remarks:  This is Ideal-Solution and 2x4.ru IP network
remarks:
```

**6. 65F5B1D0FCDAFF431EEC304A18FB1BD6**

SHA256: 7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674

- Dropped as `%userprofile%\Application Data\kwqpn\kwqpn.exe`
- C2: `http://193.107.17.126:80/test/gateway.php`

Conversations:

| Conversation | <- Frames | <- Bytes | -> Frames | -> Bytes | Total Frames | Total Bytes |
|---|---|---|---|---|---|---|
| 172.16.253.255 <-> 172.16.253.1 | 30 | 9000 | 0 | 0 | 30 | 9000 |
| 193.107.17.126 <-> 172.16.253.131 | 9 | 558 | 2 | 120 | 11 | 678 |

pcap and traffic same as above.

ASCII strings:

```
RSDSB
U:\FirmWork\Studio\Common\Bin.exe
AssistCoop.exe
?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?RightApocoloptus@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
```

**7. 560566573de9df114677881cf4090e79**

SHA256: 28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438

- Dropped as `Application Data\aewtm\aewtm.exe`
- C2 URL: `http://193.107.17.126:80/test/gateway.php`

ASCII strings:

```
RSDS
U:\FirmWork\Studio\Common\Bin.exe
AssistCoop.exe
?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
```