{
	"id": "6fcb46b0-347c-4ce2-9fa3-fa78280958a3",
	"created_at": "2026-04-06T00:09:56.188274Z",
	"updated_at": "2026-04-10T03:21:17.214203Z",
	"deleted_at": null,
	"sha1_hash": "8b74bc2c51c71ad3d3849d710aabe2d8807696f0",
	"title": "Neutrino modification for POS-terminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202683,
	"plain_text": "Neutrino modification for POS-terminals\r\nBy Sergey Yunakovsky\r\nPublished: 2017-06-27 · Archived: 2026-04-02 10:41:01 UTC\r\nFrom time to time the authors of effective and long-lived Trojans and viruses create new modifications and forks of them, like any other software authors. One of the brightest examples is Zeus (Trojan-Spy.Win32.Zbot in the Kaspersky Lab classification), which continues to spawn new modifications of itself every year. In a strange way this malware has come to resemble its namesake from Greek mythology. Malware families such as Mirai, NJRat, Andromeda and others also belong to this “prolific” group. The malware named “Neutrino” holds an important place in this row of well-known Trojans, providing various types of infection, spreading and payload.\r\nIn this article we analyze a very special species: a variant that can collect credit card information from POS terminals. Kaspersky Lab products detect it as Trojan-Banker.Win32.NeutrinoPOS.\r\nMD5 of the described file: 0CF70BCCFFD1D2B2C9D000DE496D34A1\r\nFirst stage\r\nThe Trojan takes a long “sleep” before it starts. It seems that this code was added to fool some AV sandboxes. To determine the length of the delay, the Trojan uses a pseudorandom number generator.\r\nC\u0026C Communication\r\nAt the next stage, the Trojan extracts a C\u0026C address list from its body. The list is encoded in Base64. After decoding, the Trojan tries to find a working C\u0026C using the algorithm shown in the restored code below.\r\nWe should also note that the header of each POST request contains an “auth” field, which is the same for every sample of the NeutrinoPOS family.\r\nhttps://securelist.com/neutrino-modification-for-pos-terminals/78839/\r\nPage 1 of 8\n\n[Figure: restored code of the C\u0026C server check]\r\nThe C\u0026C address stored in the registry branch HKCR\\Sofrware\\alFSVWJB is the same as the other variables and data used by the NeutrinoPOS sample. The branch name differs from the one described here, but after a full comparison of both samples we can claim that both are the same modification of Neutrino.\r\nC\u0026C Commands\r\nThe described variant contains the following functions:\r\nDownload and start a file;\r\nMake a screenshot;\r\nSearch for a process by name;\r\nChange registry branches;\r\nSearch for a file by name on the infected host and send it to the C\u0026C;\r\nProxy.\r\nThe server sends commands as plain command names, like “PROXY”, “screenshot” and so on, encoded in Base64. Our analysis shows that current versions of Neutrino contain no functions for DDoS attacks.\r\n[Figure: implementation of the command checksum calculation]\r\nExamples for a few commands (marked with a red line in the screenshot above):\r\nRolxor(“PROXY”) = 0xA53EC5C\r\nRolxor(“screenshot”) = 0xD9FA0E3\r\n[Figure: NeutrinoPOS command handler]\r\nStealing of credit cards\r\nThe algorithm for stealing credit card information is implemented in the Trojan in a quite simple way and is described as follows:\r\n1. The Trojan starts to walk through the currently running processes, using CreateToolhelp32Snapshot\\Process32FirstW\\Process32NextW.\r\n2. Using OpenProcess\\VirtualQuery\\ReadProcessMemory, the Trojan gets information about the memory pages of the process.\r\n3. The Trojan scans the memory pages for the string “Track1”, which marks the fields of the first track of the magnetic card. The fields follow one another in sequence.\r\n4. The collected data is sent to the server with the mark “Track1”.\r\n5. After that, the Trojan starts to extract the next set of fields, marked with “Track2” at the beginning.\r\n6. The collected data is sent to the server with the mark “Track2”.\r\n
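The command handler described above compares a checksum of the received command name against hard-coded constants instead of comparing strings, and the commands themselves arrive Base64-encoded. The Python below is an added example, not code from the page or from the Neutrino sample. The page gives only the name Rolxor and two results; a 7-bit left rotation of a 32-bit accumulator XORed with each byte, starting from zero, reproduces both 0xA53EC5C and 0xD9FA0E3, so that routine is assumed here. The handler names, the encode_command, dispatch and recover_names helpers and the candidate wordlist are illustrative assumptions; recover_names goes beyond the page by showing how an analyst maps checksums pulled from a sample back to command names.

```python
import base64

MASK32 = 0xFFFFFFFF


def rol32(value, bits):
    # Rotate a 32-bit value left; Python ints are unbounded, so mask explicitly.
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def rolxor(command):
    # Command checksum. The page prints the name and two results but not the
    # code; a 7-bit left rotation XORed with each byte, starting from zero,
    # reproduces both published values, so that is what is assumed here.
    h = 0
    for byte in command.encode('ascii'):
        h = rol32(h, 7) ^ byte
    return h


# Handler table keyed by checksum, mirroring a compare-against-constants
# command handler; the two constants are the values printed on the page.
HANDLERS = {
    0xA53EC5C: 'proxy',
    0xD9FA0E3: 'screenshot',
}


def encode_command(name):
    # The server sends the plain command name Base64-encoded (assumed layout:
    # the whole decoded payload is the command name).
    return base64.b64encode(name.encode('ascii')).decode('ascii')


def dispatch(b64_command):
    # Decode the command, checksum it and look the checksum up; an unknown
    # checksum is reported rather than executed.
    raw = base64.b64decode(b64_command, validate=True)
    name = raw.decode('ascii', errors='replace')
    return HANDLERS.get(rolxor(name), 'unknown')


def recover_names(checksums, candidates):
    # Analyst helper: map checksums found in a sample back to command names
    # by hashing a candidate wordlist in several casings (the checksum is
    # case-sensitive, so 'proxy' and 'PROXY' differ).
    table = {}
    for word in candidates:
        for variant in (word, word.lower(), word.upper()):
            table[rolxor(variant)] = variant
    return {c: table.get(c) for c in checksums}


if __name__ == '__main__':
    for name in ('PROXY', 'screenshot', 'DDOS'):
        print(name, hex(rolxor(name)), dispatch(encode_command(name)))
```

Because the routine is a plain rotate-and-XOR without an initial seed, it is cheap to brute-force: hashing a few thousand dictionary words in three casings is enough to label every constant in the handler table, which is how the names on the page can be confirmed from the binary alone.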
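The six steps above can be emulated without touching a live process. The Python below is an added example, not the Trojan's code: it runs the per-page scan over constructed byte strings standing in for the pages obtained with ReadProcessMemory, locates the Track1 and Track2 markers the Trojan searches for, and builds the list of (mark, data) records it would send. The page does not list the fields that follow the markers, so the example assumes the standard ISO/IEC 7813 track layout with a NUL terminator after each record, and it adds a Luhn check on the PAN that the Trojan is not stated to perform; the sample pages and the test card number are constructed.

```python
NUL = bytes([0])
MARKERS = ('Track1', 'Track2')

# Constructed sample pages standing in for ReadProcessMemory output.
SAMPLE_PAGES = [
    # page with no card data at all
    b'POS terminal v1 ' + NUL * 8 + b'receipt printed' + NUL * 4,
    # page holding both tracks of one card, labelled the way the Trojan
    # expects; 4111111111111111 is a well-known test PAN
    b'Track1%B4111111111111111^DOE/JOHN^25121010000000000?' + NUL
    + b'Track2;4111111111111111=25121010000000000?' + NUL + b'tail',
    # marker followed by a PAN that fails the Luhn check (must be dropped)
    b'Track2;1234567890123456=25121010000000000?' + NUL,
]


def luhn_ok(pan):
    # Luhn check on a decimal string; added sanity filter, not from the page.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_pan(track):
    # ISO/IEC 7813 layout (assumed): Track 1 is %B<PAN>^<name>^..., Track 2
    # is ;<PAN>=<YYMM><service code>...
    if track.startswith('%B'):
        return track[2:].split('^', 1)[0]
    if track.startswith(';'):
        return track[1:].split('=', 1)[0]
    return None


def scan_page(page):
    # Per-page scan: find each marker, take the bytes up to the first NUL
    # (terminator assumed), and keep only records whose PAN is plausible.
    records = []
    for mark in MARKERS:
        marker = mark.encode('ascii')
        pos = page.find(marker)
        while pos >= 0:
            begin = pos + len(marker)
            end = page.find(0, begin)
            if end < 0:
                end = len(page)
            track = page[begin:end].decode('ascii', errors='replace')
            pan = extract_pan(track)
            if pan and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan):
                records.append({'mark': mark, 'data': track, 'pan': pan})
            pos = page.find(marker, end)
    return records


def scan_pages(pages):
    # Walk the pages in order; the result is the list of (mark, data) records
    # the Trojan would post to its server, Track1 records first on each page.
    report = []
    for page in pages:
        report.extend(scan_page(page))
    return report


if __name__ == '__main__':
    for record in scan_pages(SAMPLE_PAGES):
        print(record['mark'], record['data'])
```

The same scan is useful on the defensive side: run it over a memory dump of your own POS process, and any record it returns is track data sitting unencrypted in memory, which is exactly the condition this scraper depends on.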
Distribution Statistics\r\nThe largest areas of infection are Russia and Kazakhstan. Nearly 10% of infected computers belong to small business corporate customers.\r\nConclusion\r\nAs we can see from the described Trojan Neutrino, despite belonging to an old, well-known and thoroughly researched family, it continues to bring various surprises to malware analysts and researchers in the form of atypical functionality or application. We can see the same situation with the Mirai forks, for example, which are produced in enormous numbers across all platforms and in many variants.\r\nGenerally speaking, any publication of malware source code with a good architecture and varied functionality will attract the interest and attention of malware authors, who will try to use it in nearly every possible way of illegal money-making. We can assume that right now there may already be new modifications of Neutrino with functionality for crypto-currency mining.\r\nMD5\r\nCECBED938B10A6EEEA21EAF390C149C1\r\n66DFBA01AE6E3AFE914F649E908E9457\r\n4DB70AE71452647E87380786E065F31E\r\n9D70C5CDEDA945CE0F21E76363FE13C5\r\nB682DA77708EE148B914AAEC6F5868E1\r\n5AA0ADBD3D2B98700B51FAFA6DBB43FD\r\nA03BA88F5D70092BE64C8787E7BC47DE\r\nD18ACF99F965D6955E2236645B32C491\r\n3B6211E898B753805581BB41FB483C48\r\n7D28D392BED02F17094929F8EE84234A\r\nC2814C3A0ACB1D87321F9ECFCC54E18C\r\n74404316D9BAB5FF2D3E87CA97DB5F0C\r\n7C6FF28E0C882286FBBC40F27B6AD248\r\n729C89CB125DF6B13FA2666296D11B5A\r\n855D3324F26BE1E3E3F791C29FB06085\r\n2344098C7FA4F859BE1426CE2AD7AE8E\r\nC330C636DE75832B4EC78068BCF0B126\r\nCCBDB9F4561F9565F049E43BEF3E422F\r\n53C557A8BAC43F47F0DEE30FFFE88673\r\nC\u0026C\r\nhxxp://pranavida.cl/director/tasks.php\r\nhxxps://5.101.4.41/panel/tasks.php\r\nhxxps://5.101.4.41/updatepanel/tasks.php\r\nhxxp://jkentnew.5gbfree.com/p/tasks.php\r\nhxxp://124.217.247.72/tasks.php\r\nhxxp://combee84.com/js/css/tasks.php\r\nhxxp://nut29.xsayeszhaifa.bit/newfiz29/logout.php\r\nhxxp://nut29.nsbacknutdoms11war.com/newfiz29/logout.php\r\nhxxp://jbbrother.com/jbb/meaca/obc/pn/tasks.php\r\nhxxp://ns1.posnxqmp.ru/PANEL/tasks.php\r\nhxxp://nut25.nsbacknutdoms11war.com/newfiz25/logout.php\r\nhxxp://propertiesofseyshellseden.com/newfiz21/logout.php\r\nhxxp://n31.propertiesofseyshellseden.com/newfiz31/logout.php\r\nSource: https://securelist.com/neutrino-modification-for-pos-terminals/78839/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/neutrino-modification-for-pos-terminals/78839/"
	],
	"report_names": [
		"78839"
	],
	"threat_actors": [],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b74bc2c51c71ad3d3849d710aabe2d8807696f0.pdf",
		"text": "https://archive.orkl.eu/8b74bc2c51c71ad3d3849d710aabe2d8807696f0.txt",
		"img": "https://archive.orkl.eu/8b74bc2c51c71ad3d3849d710aabe2d8807696f0.jpg"
	}
}