{
	"id": "e9099813-9359-416a-901f-ecfd8d7e7550",
	"created_at": "2026-04-06T00:11:23.93543Z",
	"updated_at": "2026-04-10T03:20:39.750843Z",
	"deleted_at": null,
	"sha1_hash": "5ce1ccf58750278f5bcf1242a7422b8eb6656e04",
	"title": "Backdoor: Win32/Hesetox.A: vSkimmer POS Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507456,
	"plain_text": "Backdoor: Win32/Hesetox.A: vSkimmer POS Malware Analysis\r\nBy Author\r\nArchived: 2026-04-05 13:20:30 UTC\r\nSource: VirusShare\r\nMalware Family: RAM Scraper\r\nStatic Analysis Tools: pestudio, CFF Explorer, PEID, BinText, IDA Pro\r\nDynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, Comodo\r\nReports:\r\n(1) Comodo:\r\nhttp://camas.comodo.com/cgi-bin/submit?file=e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a\r\n(2) VirusTotal:\r\nhttps://www.virustotal.com/en/file/e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a/analysis/1451089742\r\n\r\nI. Static Analysis:\r\nTarget machine: Intel 386 or later processors and compatible processors\r\nCompilation Timestamp: 2012-12-21 23:30:50\r\nEntry Point: 0x00009D12\r\nFile type: Win32 EXE\r\nNumber of Sections: 5\r\nMD5: 53950faf49ccb19b83b786eadedfe591\r\nSHA256: e8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a\r\nFile size: 224.5 KB (229888 bytes)\r\nDetection ratio: 47 / 54\r\nPE imports:\r\n[+] ADVAPI32.dll\r\n[+] KERNEL32.DLL\r\n[+] SHELL32.dll\r\n[+] USER32.dll\r\n[+] WS2_32.dll\r\n[+] Urlmon.dll\r\nRed Flags:\r\nThe file transfers control to a Debugger.\r\nThe count (13) of Authorization functions reached the maximum (1) threshold.\r\nThe count (9) of Registry functions reached the maximum (1) threshold.\r\nThe count (15) of Memory Management functions reached the maximum (1) threshold.\r\nThe count (5) of Tool Help functions reached the maximum (1) threshold.\r\nThe count (3) of Error Handling functions reached the maximum (1) threshold.\r\nThe count (7) of Debugging functions reached the maximum (1) threshold.\r\nThe count (9) of Console functions reached the maximum (1) threshold.\r\nThe count (11) of Dynamic-Link Library functions reached the maximum (1) threshold.\r\nThe count (35) of Process and Thread functions reached the maximum (1) threshold.\r\nThe count (5) of SEH functions reached the maximum (1) threshold.\r\nThe count (19) of File Management functions reached the maximum (1) threshold.\r\nThe count (134) of blacklisted strings reached the maximum (30) threshold.\r\nThe count (8) of deprecated imported functions reached the maximum (5) threshold.\r\nThe count (78) of imported blacklisted functions reached the maximum (1) threshold.\r\nThe first section (name:.text) is writable.\r\nThe last section (name:.reloc) is executable.\r\nThe count (2) of Writable and Executable sections reached the maximum (0) threshold.\r\nThe file contains self-modifying code.\r\nThe count (2) of executable sections reached the maximum (1) threshold.\r\nThe file references a URL (www.wrotjywvpzpwectb.in) unknown by virustotal.\r\nThe count (7) of antidebug imported functions reached the maximum (1) threshold.\r\nThe file modifies the registry.\r\nThe file references child Processes.\r\nThe file opts for Address Space Layout Randomization (ASLR) as mitigation technique.\r\nThe file checksum (0x00000000) is invalid.\r\nThe file has no Version.\r\nThe file is not signed with a Digital Certificate.\r\n*The file references 1 MIME64 encoding string(s).\r\n\r\nHere are some interesting strings:\r\n\r\nHere is the Regular Expression that extracts credit card data from memory (a 13- to 20-digit PAN beginning with 3-9, a Track 2 field separator, then 6 to 20 digits of expiry, service-code and discretionary data):\r\n;?[3-9]{1}[0-9]{12,19}[D=\\\\u0061][0-9]{6,20}\r\n\r\nII. Dynamic Analysis:\r\nWhitelisted the following processes during the RAM scraping function:\r\nCreated mutex \"Heistenberg2337\"\r\nLaunched the following processes:\r\ne8bd8aba01ebbe2b9afa5b8c3d56a27363687b5b6963ce593b94a6fd2d831e2a.exe 1332\r\nsvchost.exe 1912\r\nExplorer.EXE 1420\r\nGrooveMonitor.exe 1640\r\nctfmon.exe 1652\r\nEstablished the drive name \"KARTOXA007\" and the filename for the dumped data as \"dmpz.log\":\r\nEstablished persistence in the following Run key as \"PCICompliant SCard\":\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\r\nAnti-Reverse Engineering: section .reloc has an unusual entropy of 7.57915704423 (source: Static Parser)\r\nDropped files: \"system.ini\" has type \"ASCII text, with CRLF line terminators\" (source: Dropped File)\r\n\r\nNetwork Related\r\nFound potential URLs in binary/memory (source: String):\r\nPattern match: \"www.wrotjywvpzpwectb.in\"\r\nPattern match: \"http://mumbaibuildersforum.com/images/logo.gif\"\r\nPattern match: \"http://ucakambulans-tr.com/logo.gif\"\r\nPattern match: \"http://gadahospital.com/images/button.gif\"\r\nPattern match: \"http://www.revaengg.com/images/logo.gif\"\r\nPattern match: \"http://ambulansfabrikasi.com/images/button.gif\"\r\nPattern match: \"http://sizinajansiniz.com/logo.gif\"\r\nPattern match: \"http://arslanzeminmakina.com/images/button.gif\"\r\nPattern match: \"http://theadhyayana.in/image/logo.gif\"\r\nPattern match: \"http://www.sanalpetrol.com/logo.gif\"\r\nPattern match: \"http://aircharge.in/images/logo.gif\"\r\nContacts domains (source: Network Traffic): \"mumbaibuildersforum.com\", \"ucakambulans-tr.com\", \"gadahospital.com\", \"www.revaengg.com\", \"sizinajansiniz.com\", \"arslanzeminmakina.com\", \"theadhyayana.in\", \"www.sanalpetrol.com\", \"www.turkteknoloji.net\", \"aircharge.in\", \"ambulansfabrikasi.com\"\r\nUses a User Agent typical for browsers, although no browser was ever launched (source: Network Traffic). Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728) and \"PCICompliant/3.33nt\"\r\nSends UDP traffic\r\nDNS query:\r\n64.4.10.33:123\r\nwww.wrotjywvpzpwectb.in IN A +\r\nHTTP query:\r\nwww.wrotjywvpzpwectb.in GET /api/process.php?xy=ZmRlOWE4NTctNjhkNS00Y2Q5LWI1YWUtNmFlMmE0OGY1MTFifGF6fDIuMS4xMnw1LjEuMnxTQU5EQk9YQXxVc2Vy HTTP/1.1\r\nThe xy parameter base64-decodes to \"fde9a857-68d5-4cd9-b5ae-6ae2a48f511b|az|2.1.12|5.1.2|SANDBOXA|User\": a pipe-delimited check-in carrying a bot identifier, version fields, and the computer and user names collected through GetComputerNameA and GetUserNameA.\r\n\r\nSuspicious and POS scraping APIs:\r\nCopyFileA\r\nGetModuleFileNameA\r\nGetModuleHandleA\r\nSleep\r\nCheckRemoteDebuggerPresent\r\nIsDebuggerPresent\r\nReadProcessMemory\r\nProcess32Next\r\nOpenProcess\r\nProcess32First\r\nCreateToolhelp32Snapshot\r\nGetDriveTypeA\r\nCreateFileA\r\nGetVersionExA\r\nGetComputerNameA\r\nCreateFileW\r\nGetCommandLineA\r\nExitThread\r\nCreateThread\r\nGetProcAddress\r\nGetModuleHandleW\r\nWriteFile\r\nGetModuleFileNameW\r\nGetStartupInfoW\r\nGetTickCount\r\nTerminateProcess\r\nUnhandledExceptionFilter\r\nLoadLibraryW\r\nRegCreateKeyExA\r\nOpenProcessToken\r\nGetUserNameA\r\nRegOpenKeyA\r\nRegCloseKey\r\nShellExecuteA\r\nURLDownloadToFileA\r\nWSAStartup (Ordinal #115)\r\nsocket (Ordinal #23)\r\nconnect (Ordinal #4)\r\nsend (Ordinal #19)\r\nrecv (Ordinal #16)\r\nclosesocket (Ordinal #3)\r\n\r\nIII. Yara Signature:\r\nrule Backdoor_Win32_vSkimmer_POS : POS_BDR\r\n{\r\n    meta:\r\n        author = \"Vitali Kremez\"\r\n        date = \"2015-12-26\"\r\n        description = \"Detected vSkimmer POS\"\r\n        hash0 = \"53950faf49ccb19b83b786eadedfe591\"\r\n        sample_filetype = \"exe\"\r\n    strings:\r\n        $mutex = \"Heistenberg2337\"\r\n        $string0 = \"KARTOXA007\"\r\n        $string1 = \"dmpz.log\"\r\n        $string2 = \"August\"\r\n        $string3 = \"www.wrotjywvpzpwectb.in\"\r\n        $string4 = \"$basic_ofstream@DU\"\r\n        $string5 = \"alg.exe\"\r\n        $string6 = \"FDPjGS\"\r\n        $string7 = \"gjP$k-\"\r\n        $string8 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\r\n        $string9 = \"User-Agent: PCICompliant/3.33\"\r\n        $string10 = \"F\\\\PjMS\"\r\n        $string11 = \"Ezeb]z\"\r\n        $string12 = \"j h (B\"\r\n        $string13 = \"spanish-peru\"\r\n        $string14 = \"UTF-16LE\"\r\n        $string15 = \"$basic_streambuf@DU\"\r\n        $string16 = \"pL $T,\"\r\n        $string17 = \"This indicates a bug in your application.\" wide\r\n    condition:\r\n        6 of them and all of ($mutex*) and filesize < 225KB\r\n}\r\n\r\nSourcefire (Snort) Rules:\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"vSkimmer POS Backdoor Alert - gate check-in\"; flow:to_server,established; content:\".php\"; http_uri; nocase; pcre:\"/\\\\/(api\\\\/process\\\\.php\\\\?xy=|portal1\\\\/gateway\\\\.php)/Ui\"; classtype:trojan-activity; sid:1000001; rev:1;)\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"vSkimmer POS Backdoor Alert - PCICompliant user agent\"; flow:to_server,established; content:\"User-Agent|3a| PCICompliant/3.33\"; http_header; nocase; classtype:trojan-activity; sid:1000002; rev:1;)\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"vSkimmer POS Backdoor Alert - known payload host\"; flow:to_server,established; content:\"Host|3a|\"; http_header; nocase; pcre:\"/^Host\\\\x3a\\\\s*(www\\\\.wrotjywvpzpwectb\\\\.in|mumbaibuildersforum\\\\.com|ucakambulans-tr\\\\.com|gadahospital\\\\.com|www\\\\.revaengg\\\\.com|sizinajansiniz\\\\.com|arslanzeminmakina\\\\.com|theadhyayana\\\\.in|www\\\\.sanalpetrol\\\\.com|www\\\\.turkteknoloji\\\\.net|aircharge\\\\.in|ambulansfabrikasi\\\\.com)/Hmi\"; classtype:trojan-activity; sid:1000003; rev:1;)\r\n(The gate path, the user agent and the payload hosts are split into separate rules because a single HTTP request never carries all of them; SIDs 1000001-1000003 are local-range placeholders.)\r\n\r\nIV. vSkimmer Profile:\r\nRegistry Persistence: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nMutex: Heistenberg2337\r\nGate Path: www.wrotjywvpzpwectb.in via /api/process.php?xy=\r\nFlashdrive: KARTOXA007\r\nLogs File: dmpz.log\r\nProcessName: svchost\r\nSource: http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis"
	],
	"report_names": [
		"-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434283,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ce1ccf58750278f5bcf1242a7422b8eb6656e04.pdf",
		"text": "https://archive.orkl.eu/5ce1ccf58750278f5bcf1242a7422b8eb6656e04.txt",
		"img": "https://archive.orkl.eu/5ce1ccf58750278f5bcf1242a7422b8eb6656e04.jpg"
	}
}