{
	"id": "01765dba-57d4-42b1-b7ac-eba33e389e15",
	"created_at": "2026-04-06T00:08:54.833884Z",
	"updated_at": "2026-04-10T03:21:06.084162Z",
	"deleted_at": null,
	"sha1_hash": "4832b722a70d53bedc78a1205a129eb32210ec6a",
	"title": "Dec 2012 Dexter - POS Infostealer samples and information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377515,
	"plain_text": "Dec 2012 Dexter - POS Infostealer samples and information\r\nArchived: 2026-04-05 18:37:56 UTC\r\nEnd of the year presents. Point of Sale (POS) infostealer, aka Dexter.\r\nI got 3 more \"tester-type\" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.\r\nYou can read more about it here:\r\nSeculert: Dexter - Draining blood out of Point of Sales\r\nTrendMicro: Infostealer Dexter Targets Checkout Systems\r\nVerizon: Dexter: More of the same, or hidden links?\r\nVolatility Labs: Unpacking Dexter POS \"Memory Dump Parsing\" Malware\r\nTrustwave Labs: The Dexter Malware: Getting Your Hands Dirty\r\nSymantec: Infostealer.Dexter\r\nFiles\r\nThe following are MD5s of Dexter related malware samples (Seculert: Dexter - Draining blood out of Point of Sales):\r\n2d48e927cdf97413523e315ed00c90ab\r\n94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc\r\n70feec581cd97454a74a0d7c1d3183d1\r\ncae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785\r\nf84599376e35dbe1b33945b64e1ec6ab\r\nb27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e\r\ned783ccea631bde958ac64185ca6e6b6\r\nfb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241\r\nAdditional Files\r\nhttp://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html\r\nPage 1 of 8\r\n65f5b1d0fcdaff431eec304a18fb1bd6\r\n7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674\r\n560566573de9df114677881cf4090e79\r\n28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438\r\n1f03568616524188425f92afbea3c242\r\nbdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4\r\nDownload\r\nDownload 7 samples listed above (email me if you need the password)\r\nGeneral information\r\nSamples\r\n2d48e927cdf97413523e315ed00c90ab (Seculert MD5)\r\nf84599376e35dbe1b33945b64e1ec6ab (Seculert MD5)\r\ned783ccea631bde958ac64185ca6e6b6 (Seculert MD5)\r\nall contain http://193.107.17.126/test/gateway.php for C2 communications (Verizon: Dexter: More of the same, or hidden links?):\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe in strings is found in\r\ned783ccea631bde958ac64185ca6e6b6 (Seculert MD5)\r\n2d48e927cdf97413523e315ed00c90ab (Seculert MD5)\r\nf84599376e35dbe1b33945b64e1ec6ab (Seculert MD5)\r\n560566573de9df114677881cf4090e79\r\n1f03568616524188425f92afbea3c242\r\n65f5b1d0fcdaff431eec304a18fb1bd6\r\n@@PAUH in strings found in all 9 files\r\nIndividual file information\r\n1\r\n70feec581cd97454a74a0d7c1d3183d1 (Seculert MD5)\r\n=====================================================================\r\ncae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785\r\n70feec581cd97454a74a0d7c1d3183d1 (Seculert MD5)\r\n%userprofile%\\Application Data\\fubqq\\fubqq.exe\r\ninjected in iexplore.exe\r\ne.g. POST http://fabcaa97871555b68aa095335975e613.com:80/portal1/gateway.php\r\nor any of the domains below (Verizon: Dexter: More of the same, or hidden links?):\r\n11e2540739d7fbea1ab8f9aa7a107648.com\r\n7186343a80c6fa32811804d23765cda4.com\r\ne7dce8e4671f8f03a040d08bb08ec07a.com\r\ne7bc2d0fceee1bdfd691a80c783173b4.com\r\n815ad1c058df1b7ba9c0998e2aa8a7b4.com\r\n67b3dba8bc6778101892eb77249db32e.com\r\nfabcaa97871555b68aa095335975e613.com\r\n                                              |       \u003c-      | |       -\u003e      | |     Total     |\r\n                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |\r\n173.255.196.136      \u003c-\u003e 172.16.253.130           150     37230     120      7200     270     44430\r\n172.16.253.255       \u003c-\u003e 172.16.253.1             107     35324       0         0     107     35324\r\nASCII strings\r\nGetSystemWindowsDirectoryW\r\nKERNEL32.dll\r\nC:\\Debugger.fgh\r\n,vr1\r\n---snip----\r\nModuleReplace.exe\r\nLoadMemberData\r\n?RenameCommand@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\n?RenameFortation@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\n?RenameHerbal@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\n?RenameLoadMac@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\n?RenameOptimize@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\n?RenameTest@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z\r\nVS_VERSION_INFO\r\nStringFileInfo\r\n040904B0\r\nCompanyName\r\nMicrosoft Corporation\r\nFileDescription\r\nMicrosoft Help and Support\r\nFileVersion\r\n6.1.7600.16385 (win7_rtm.090713-1255)\r\nInternalName\r\nHelpPane.exe\r\nLegalCopyright\r\nMicrosoft Corporation. All rights reserved.\r\nOriginalFilename\r\nHelpPane.exe\r\nProductName\r\nMicrosoft Windows Operating System\r\nProductVersion\r\n6.1.7600.16385\r\n2\r\n2D48E927CDF97413523E315ED00C90AB (Seculert MD5)\r\n=====================================================================\r\n94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc\r\n%userprofile%\\Application Data\\pmnnw\\pmnnw.exe\r\nhttp://193.107.17.126:80/test/gateway.php\r\n                                 | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |\r\n172.16.253.255       \u003c-\u003e 172.16.253.1            1003    335116       0         0    1003    335116\r\n193.107.17.126       \u003c-\u003e 172.16.253.130           264     16368      88      5280     352     21648\r\nASCII Strings\r\nT7M\r\n#nR\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe\r\nAssistCoop.exe\r\n?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\npcap and traffic same as above.\r\n3\r\nED783CCEA631BDE958AC64185CA6E6B6 (Seculert MD5)\r\n========================================================================\r\nfb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241\r\n%userprofile%\\Application Data\\jikmr\\jikmr.exe\r\nhttp://193.107.17.126:80/test/gateway.php\r\n172.16.253.255       \u003c-\u003e 172.16.253.1             108     35676       0         0     108     35676\r\n193.107.17.126       \u003c-\u003e 172.16.253.129            30      1860       9       540      39      2400\r\npbk\r\n}64\r\nASCII Strings\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe\r\nVljdsevr\r\n----snip-----\r\nSHLWAPI.dll\r\nTeamReg.exe\r\n?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n4\r\nF84599376E35DBE1B33945B64E1EC6AB (Seculert MD5)\r\n========================================================================\r\nb27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e\r\n%userprofile%\\Application Data\\yebcs\\yebcs.exe\r\nhttp://193.107.17.126:80/test/gateway.php\r\nASCII strings\r\nTkJ\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe\r\nKagtklnuhjchep\r\nTrebuchet MS\r\n------snip------------\r\nGetQueueStatus\r\nUSER32.dll\r\nTeamReg.exe\r\n?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\nAdditional samples\r\n5\r\n1F03568616524188425F92AFBEA3C242\r\n========================================================================\r\nbdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4\r\n1F03568616524188425F92AFBEA3C242\r\n%userprofile%\\Application Data\\pstwx\\pstwx.exe\r\n\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN %userprofile%\\Application Data\\pstwx\\pstwx.exe\r\nInjected in iexplore.exe\r\nProcess ID: 2756 (iexplore.exe)\r\nProcess doesn't appear to be a service\r\nPID Port Local IP State Remote IP:Port\r\n2756 TCP 1130   172.16.253.129 SYN SENT 193.107.17.126:80\r\nhttp://193.107.17.126:80/test/gateway.php\r\nConversations                                              | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |\r\n172.16.253.255       \u003c-\u003e 172.16.253.1              13      3016       0         0      13      3016\r\n193.107.17.126       \u003c-\u003e 172.16.253.129             3       186       1        60       4       246\r\nWHOIS Source: RIPE NCC\r\nIP Address:   193.107.17.126\r\nCountry:      Seychelles\r\nNetwork Name: IDEALSOLUTION\r\nOwner Name:   Ideal Solution Ltd\r\nFrom IP:      193.107.16.0\r\nTo IP:        193.107.19.255\r\nAllocated:    Yes\r\nContact Name: Ideal Solution NOC\r\nAddress:      Sound \u0026 Vision House, Francis Rachel Str., Victoria, Mahe, Seychelles\r\nEmail:        ideal.solutions.org@gmail.com\r\nHowever, the real location is in Russia:\r\nhttp://bgp.he.net/AS58001#_whois\r\nhttp://bgp.he.net/AS58001#_peers\r\nrole: Ideal Solution NOC\r\naddress: Sound \u0026 Vision House, Francis Rachel Str.\r\naddress: Victoria, Mahe, Seychelles\r\nremarks: ***************************************\r\nremarks: This is Ideal-Solution and 2x4.ru IP network remarks\r\n6\r\n65F5B1D0FCDAFF431EEC304A18FB1BD6\r\n======================================================================\r\n7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674\r\n65F5B1D0FCDAFF431EEC304A18FB1BD6\r\n%userprofile%\\Application Data\\kwqpn\\kwqpn.exe\r\nhttp://193.107.17.126:80/test/gateway.php\r\n                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |\r\n172.16.253.255       \u003c-\u003e 172.16.253.1              30      9000       0         0      30      9000\r\n193.107.17.126       \u003c-\u003e 172.16.253.131             9       558       2       120      11       678\r\npcap and traffic same as above.\r\nASCII Strings\r\nRSDSB\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe\r\nAssistCoop.exe\r\n?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?RightApocoloptus@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n7\r\n560566573de9df114677881cf4090e79\r\n======================================================================\r\n28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438\r\nApplication Data\\aewtm\\aewtm.exe\r\nURL\r\nhttp://193.107.17.126:80/test/gateway.php\r\nASCII Strings\r\nRSDS\r\nU:\\FirmWork\\Studio\\Common\\Bin.exe\r\nAssistCoop.exe\r\n?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\n?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z\r\nSource: http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html"
	],
	"report_names": [
		"dexter-pos-infostealer-samples-and.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4832b722a70d53bedc78a1205a129eb32210ec6a.pdf",
		"text": "https://archive.orkl.eu/4832b722a70d53bedc78a1205a129eb32210ec6a.txt",
		"img": "https://archive.orkl.eu/4832b722a70d53bedc78a1205a129eb32210ec6a.jpg"
	}
}