{
	"id": "15f44fdc-0250-430a-b984-6abc98d21f01",
	"created_at": "2026-04-06T00:13:44.555791Z",
	"updated_at": "2026-04-10T03:22:11.882767Z",
	"deleted_at": null,
	"sha1_hash": "738078bb4811e35942316e1e3aa33d9947a34a3b",
	"title": "vSkimmer, Another POS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1440010,
	"plain_text": "vSkimmer, Another POS malware\r\nArchived: 2026-04-05 18:01:09 UTC\r\nWhen I viewed this post, the content was already removed and the member banned.\r\nvSkimmer - Virtual Skimmer\r\nFunctions:\r\n- Track 2 grabber\r\n- HTTP Loader (Download \u0026 Execute)\r\n- Update bot itself\r\nWorking Modes:\r\n- Online: If the internet is reachable it will try to bypass firewalls and communicate with the control panel.\r\n- Offline: If the internet is not reachable it waits for a specific pendrive/flashdrive to be plugged in and copies logs to it.\r\nServer coded in PHP (can be modified on request to send logs to a remote server, via SMTP, etc.)\r\nClient coded in C++, no dependencies, 66kb, cryptable. (can be customized)\r\nhttp://www.xylibox.com/2013/01/vskimmer.html\r\nPage 1 of 10\r\nThe malware checks for the presence of a debugger:\r\nGet PC details (OS, computer name, GUID to identify you in the POS botnet, etc.)\r\nCheck if the file is executed from %APPDATA%; if not, add registry persistence and a firewall rule, make a copy and execute the copy:\r\nDetail of the registry persistence:\r\nFirewall rule to allow the malware:\r\nCreate a mutex and a thread, and get host information:\r\nCheck for processes:\r\nSome are whitelisted: \"System\", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:\r\nAnd when finally a process is found:\r\nRead the process memory and search for the pattern:\r\nIf nothing is found:\r\nGet info, Base64-encode it and call the gate via a GET request:\r\nAnswer:\r\n• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA\r\nParse the answer:\r\nThe answer is reduced to its first 3 letters and compared with 'dlx' (Download \u0026 Execute) and 'upd' (Update); if one of these is found, that means the bad guys sent us an order.\r\nFor example dlx:\r\nThe order is executed and a response is sent to the server:\r\nThe part I love with POS malware:\r\nOr just a simple \";1234567891234567=12345678912345678900?\" in a txt, but it's more gangsta to swipe a card.\r\nSo the algorithm detects the pattern, the track2 is encoded to base64\r\nAnd sent to the panel:\r\nNow for the offline mode, get the drive:\r\nThe flash drive must be named \"KARTOXA007\" (\"dumps\" in Russian)\r\nCreate dmpz.log:\r\nNow let's have a look at the panel:\r\nPOS Terminals:\r\nDump download:\r\nCommands:\r\nSettings:\r\nDumped.. :)\r\nSample:\r\nhttps://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597\r\nUnpack:\r\nhttps://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314\r\nThanks Zora for the sample :)\r\nSource: http://www.xylibox.com/2013/01/vskimmer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.xylibox.com/2013/01/vskimmer.html"
	],
	"report_names": [
		"vskimmer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/738078bb4811e35942316e1e3aa33d9947a34a3b.pdf",
		"text": "https://archive.orkl.eu/738078bb4811e35942316e1e3aa33d9947a34a3b.txt",
		"img": "https://archive.orkl.eu/738078bb4811e35942316e1e3aa33d9947a34a3b.jpg"
	}
}