{
	"id": "0b7731a4-577b-4b42-9e8d-9e556c39a334",
	"created_at": "2026-04-06T00:09:30.513225Z",
	"updated_at": "2026-04-10T13:11:24.526216Z",
	"deleted_at": null,
	"sha1_hash": "4a3e567c21704b18efa60471f4297564a5993dec",
	"title": "Alina 3.4 (POS Malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 660078,
	"plain_text": "Alina 3.4 (POS Malware)\r\nArchived: 2026-04-05 18:39:36 UTC\r\nThe malware comes from: http://vxvault.siri-urz.net/ViriFiche.php?ID=23179\r\nHosted on the site of a deputy.\r\nGetPCname:\r\nCreate a mutex:\r\nhttp://www.xylibox.com/2013/02/alina-34-pos-malware.html\r\nPage 1 of 4\r\nCreate /%appdata%/java.exe\r\nIf the malware can't, it will try a different name (jusched.exe, jucheck.exe, desktop.exe, dwm.exe, win-firewall.exe, adobeflash.exe).\r\nIf all names are taken and in read-only mode, the malware is trapped in an infinite loop :)))\r\nWrite the file:\r\nand if it fails to write, it will copy it:\r\nAdd a registry persistence:\r\nLaunch the process:\r\nEncode something (I've not checked what).\r\nCall the C\u0026C.\r\nIt fails because the first one is dead, so it retries with 208.98.63.228.\r\nBackend info:\r\n208.98.63.228:\r\nOrgName: Sharktech\r\nOrgId: SHARK-7\r\nAddress: 100 Pinehurst Ct.\r\nCity: Missoula\r\nStateProv: MT\r\nPostalCode: 59803\r\nCountry: US\r\nThis one is cool because the coder left comments for each action...\r\nI tried to trigger it to send data but I've not succeeded yet.\r\nI will see the rest later.\r\nAlina is interesting; I've found many versions: http://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=1756\u0026start=40#p18008\r\nStill, I've not checked these files for the moment; I don't know the differences.\r\nSource: http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.xylibox.com/2013/02/alina-34-pos-malware.html"
	],
	"report_names": [
		"alina-34-pos-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a3e567c21704b18efa60471f4297564a5993dec.pdf",
		"text": "https://archive.orkl.eu/4a3e567c21704b18efa60471f4297564a5993dec.txt",
		"img": "https://archive.orkl.eu/4a3e567c21704b18efa60471f4297564a5993dec.jpg"
	}
}