{
	"id": "f781bb78-782f-45b4-ac1c-dba6a24bb77d",
	"created_at": "2026-04-06T00:07:32.137458Z",
	"updated_at": "2026-04-10T03:21:00.628294Z",
	"deleted_at": null,
	"sha1_hash": "9471ba8e86ad27d2f7ccacf3cfe7818a42d3cb32",
	"title": "vSkimmer, Another POS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1440033,
	"plain_text": "vSkimmer, Another POS malware\r\nArchived: 2026-04-05 17:56:41 UTC\r\nWhen I viewed this post, the content was already removed and the member banned.\r\nvSkimmer - Virtual Skimmer\r\nFunctions:\r\n- Track 2 grabber\r\n- HTTP Loader (Download \u0026 Execute)\r\n- Update bot itself\r\nWorking Modes:\r\n- Online: If internet is reachable it will try to bypass firewalls and communicate with the control panel.\r\n- Offline: If internet is not reachable it waits for a specific pendrive/flashdrive to be plugged in and copies logs to it.\r\nServer coded in PHP (can be modified on request to send logs to remote server, via smtp, etc.)\r\nClient coded in C++, no dependencies, 66kb, cryptable. (can be customized)\r\nhttps://www.xylibox.com/2013/01/vskimmer.html\r\nPage 1 of 10\r\nThe malware checks for the presence of a debugger:\r\nGet PC details (OS, computer name, GUID to identify you in the POS botnet, etc.)\r\nCheck if the file is executed from %APPDATA%; if not, add registry persistence and a firewall rule, make a copy and execute the copy:\r\nDetail of the registry persistence:\r\nFirewall rule to allow the malware:\r\nCreate a mutex, thread and get host information:\r\nCheck for process:\r\nSome are whitelisted: \"System\", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:\r\nAnd when finally a process is found:\r\nRead the process memory and search for the pattern:\r\nIf nothing is found:\r\nGet infos, Base64-encode them and call the gate via a GET request:\r\nAnswer:\r\n• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA\r\nParse the answer:\r\nThe answer is reduced to its first 3 letters and compared with 'dlx' (Download \u0026 Execute) and 'upd' (Update); if one of these is found, that means the bad guys sent us an order.\r\nFor example dlx:\r\nThe order is executed and a response is sent to the server:\r\nThe part I love with POS malware:\r\nOr just a simple \";1234567891234567=12345678912345678900?\" in a txt, but it's more gangsta to swipe a card.\r\nSo the algo detects the pattern, the track2 is encoded to base64 and sent to the panel:\r\nNow for the offline mode, get drive:\r\nThe flash drive must be named \"KARTOXA007\" (dumps in Russian)\r\nCreate dmpz.log:\r\nNow let's have a look at the panel:\r\nPOS Terminals:\r\nDump download:\r\nCommands:\r\nSettings:\r\nDumped.. :)\r\nSample:\r\nhttps://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597\r\nUnpack:\r\nhttps://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314\r\nThanks Zora for the sample :)\r\nSource: https://www.xylibox.com/2013/01/vskimmer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.xylibox.com/2013/01/vskimmer.html"
	],
	"report_names": [
		"vskimmer.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9471ba8e86ad27d2f7ccacf3cfe7818a42d3cb32.pdf",
		"text": "https://archive.orkl.eu/9471ba8e86ad27d2f7ccacf3cfe7818a42d3cb32.txt",
		"img": "https://archive.orkl.eu/9471ba8e86ad27d2f7ccacf3cfe7818a42d3cb32.jpg"
	}
}