{
	"id": "8d35c49d-7dc3-4d5a-b552-786ff81182a4",
	"created_at": "2026-04-06T00:10:37.932869Z",
	"updated_at": "2026-04-10T03:20:00.429748Z",
	"deleted_at": null,
	"sha1_hash": "b772f6d15d7a3517a373fcb095c7313508e510f8",
	"title": "AbaddonPOS: A new point of sale threat linked to Vawtrak | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 500676,
	"plain_text": "AbaddonPOS: A new point of sale threat linked to Vawtrak |\r\nProofpoint US\r\nBy Darien Huss, November 11, 2015\r\nPublished: 2015-11-11 · Archived: 2026-04-05 12:58:12 UTC\r\nUPDATED 11/24/2015\r\nPoint of sale (PoS) malware has been implicated in some of the biggest recent data breaches, striking retailers, restaurants, hospitality and organizations from a variety of industries, and often targeting consumers in the US. [1] Once considered too difficult to carry out to be practical for cybercriminals, the retail breaches of late 2013 demonstrated that these attacks are both feasible and highly profitable, and PoS malware has since continued to evolve and grow in both variety and sophistication. [2]\r\nProofpoint threat researchers recently detected a new addition to the PoS malware landscape. Named AbaddonPOS by Proofpoint researchers, this sample was initially discovered as it was being downloaded in the course of a Vawtrak infection. This use of additional payloads to enhance attack capabilities offers another example of threat actors expanding their target surface by delivering multiple payloads in a single campaign, in this case to reach potential PoS terminals. This post analyzes AbaddonPOS, discusses the observed infection vectors, and details the downloader used to retrieve this new PoS malware. We also provide evidence that the downloader and the PoS malware are closely related, perhaps even written by the same actor or actors.\r\nKnown infection vectors\r\nOn October 8, Proofpoint researchers observed Vawtrak [3] (project ID 5) downloading TinyLoader, a downloader that uses a custom protocol for retrieving executable payloads from its command and control (C2) server. TinyLoader was then used to download another downloader in the form of shellcode, which in turn downloaded AbaddonPOS. 
Although this infection vector was initially specific to Vawtrak’s project ID 5, we have since also observed it delivered in project IDs 6, 9, 10, 12, and 13. The project IDs are most easily observed in Vawtrak C2 traffic, where they are stored encoded in the PHPSESSID cookie value. Decoding the cookie value we provided as an example in our earlier Vawtrak research shows the ID in the clear (Fig. 1): bytes 4-7 contain the project ID in little-endian byte order.\r\nFigure 1: Decoded Vawtrak cookie displaying campaign/project ID\r\nhttps://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak\r\nPage 1 of 17\n\nIn addition to observing AbaddonPOS as it was delivered by an Angler EK → Bedep → Vawtrak infection (Cyphort, [4]) and by Angler EK → Bedep (bypassing Vawtrak), Proofpoint researchers have also observed this infection behavior delivered by weaponized Microsoft® Office documents downloading Pony → Vawtrak (Fig. 2).\r\nFigure 2: AbaddonPOS infection chain\r\nTinyLoader\r\nTinyLoader’s sole purpose in this infection chain is to retrieve executable instructions from the C2, which allows the attackers to execute their own custom shellcode on infected machines in addition to downloading and executing additional malware payloads. True to its name, TinyLoader is typically 2-5KB in size. 
One notable characteristic of TinyLoader is that, prior to contacting its single hardcoded C2 IP address, the malware first checks whether it is running as an x64 or x86 process using the IsWow64Process Windows API (Fig. 3). TinyLoader selects a value based on the result of this API call, and that value is then used to tell the C2 which executable code should be downloaded to the infected client.\r\nFigure 3: TinyLoader API call checking for x86 or x64\r\nAs shown in Figure 3 above, 0x84 is used for x86 processes while 0xBA is used for x64 processes; however, the values used for each architecture vary between variants. Once the correct architecture is selected, TinyLoader builds a packet to send to the C2 to initiate the payload download process. Prior to retrieving the downloader that downloads AbaddonPOS, we have observed TinyLoader first retrieve a copy of itself (this step may vary slightly), which is then used for persistence by adding a registry value under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (Fig. 4). TinyLoader may also download a DLL version of itself, in which case the registry value observed is similar to the following: regsvr32.exe /s “C:\\PROGRA~2\\[a-zA-Z0-9]+\\.dll”\r\nFigure 4: Example of TinyLoader persistence registry key\r\nOnce the persistent payload is written to disk, TinyLoader downloads another payload in the form of shellcode (Fig. 5), the purpose of which is to manually craft an HTTP request that is then used to download an AbaddonPOS payload (Fig. 6). 
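A hunt for the Run-key persistence value described above, as an added example (this is not code from the post, and not TinyLoader's own): it parses the text output of `reg query` for the Run key and flags values matching the regsvr32.exe /s "C:\PROGRA~2\<alnum>.dll" shape the post reports. The sample registry output is constructed for the example, and the second, broader heuristic (any Run value that silently registers a DLL via regsvr32 /s) is this example's own assumption, not something the post claims about TinyLoader.

```python
import re

# Constructed sample in the shape of `reg query HKLM\...\Run` output. The value
# names and paths are invented for this example; none come from the post.
SAMPLE_REG_QUERY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_SZ    C:\Windows\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ    "C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater           REG_SZ    regsvr32.exe /s "C:\PROGRA~2\k3Xz9Q.dll"
    Helper            REG_SZ    regsvr32 /s C:\Users\Public\helper.dll
    Vendor            REG_SZ    regsvr32.exe "C:\Program Files\Vendor\pos.dll"
'''

# The exact shape the post reports for TinyLoader's DLL persistence value:
#   regsvr32.exe /s "C:\PROGRA~2\[a-zA-Z0-9]+.dll"
TINYLOADER_DLL_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+/s\s+"?C:\\PROGRA~2\\[a-zA-Z0-9]+\.dll"?', re.IGNORECASE)

# Broader heuristic (an assumption of this example, not from the post): a Run
# value that silently registers any DLL with regsvr32 deserves a look.
SILENT_REGSVR32_RE = re.compile(r'regsvr32(?:\.exe)?\s+/s\b', re.IGNORECASE)

# One `reg query` value line: <indent><name> <REG_type> <data>
ENTRY_RE = re.compile(r'^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$')


def parse_reg_query(text):
    """Return (name, type, data) tuples for every value line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def hunt_run_key(text):
    """Return (name, data, verdict) for each suspicious Run value, in file order."""
    hits = []
    for name, _reg_type, data in parse_reg_query(text):
        if TINYLOADER_DLL_RE.search(data):
            hits.append((name, data, 'tinyloader-dll-pattern'))
        elif SILENT_REGSVR32_RE.search(data):
            hits.append((name, data, 'silent-regsvr32'))
    return hits


if __name__ == '__main__':
    for name, data, verdict in hunt_run_key(SAMPLE_REG_QUERY):
        print('%-24s %-16s %s' % (verdict, name, data))
```

On a live host, feed it the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKCU and Wow6432Node variants); a flagged binary that is only a few kilobytes on disk fits the 2-5KB footprint the post gives for TinyLoader and is worth pulling for analysis.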
\r\nFigure 5: TinyLoader binary protocol retrieving shellcode\r\nFigure 6: HTTP request retrieving AbaddonPOS variant, crafted by shellcode\r\nAbaddonPOS\r\nAbaddonPOS is another addition to the PoS malware category, which has attracted a significant amount of attention from malware authors over the years. [4] Similar to TinyLoader, AbaddonPOS is a relatively small package, with most samples being about 5KB in size. While the core functionality of this new addition is fairly simple, it contains several features that merit analysis and further discussion: anti-analysis, code obfuscation, persistence, locating credit card data, and a custom protocol for exfiltrating data.\r\nAnti-analysis and obfuscation\r\nAbaddonPOS implements several basic anti-analysis and obfuscation techniques to hinder manual and automated analysis. For example, AbaddonPOS uses a CALL instruction to push a function parameter onto the stack rather than the more common PUSH instruction. A CALL instruction pushes the address of the next instruction onto the stack, where it normally serves as the return address consumed by a later RETN. In this case, the CALL instruction is used to push the address of a string (Fig. 7): specifically, the address of the string “devil_host” is pushed onto the stack, and that string is then used as a mutex name.\r\nFigure 7: AbaddonPOS using CALL instruction to hinder static analysis\r\nMost of AbaddonPOS’ code is not obfuscated or packed, with the exception of the code used to encode and transmit stolen credit card data. This shellcode is encoded using a 4-byte XOR key; however, the key is not hardcoded. 
Instead, using the first 4 bytes of the encoded shellcode, the malware iterates over all possible 4-byte XOR keys until it finds the one whose result matches the hardcoded instruction bytes 0x5589E58B, i.e. the byte sequence 55 89 E5 8B (push ebp; mov ebp, esp; mov ...), a standard 32-bit function prologue (Fig. 8). Once the XOR result matches, the correct key has been found and the malware continues to decode the rest of the shellcode with that key.\r\nFigure 8: AbaddonPOS shellcode decoding routine\r\nLocating credit card data\r\nAbaddonPOS searches for credit cards by reading the memory of every process except itself, which it excludes by blacklisting its own PID obtained via the GetCurrentProcessId API. To find credit card data, AbaddonPOS roughly follows this process:\r\n1. Search for the characters 3, 4, 5, or 6, which indicate the first digit of a potential credit card number\r\n2. Credit card number length \u003e= 13 and \u003c= 19\r\n3. A valid track delimiter follows the number (track 1: “^”; track 2: “=” or “D”)\r\n4. Track 1 max length: 120; track 2 max length: 60\r\n5. Additional checks based on whether track 1 or track 2 delimiters were found\r\n6. Check the credit card number with the Luhn algorithm\r\nThe AbaddonPOS sample with MD5 hash f63e0a7ca8349e02342c502157ec485d was analyzed for the process above. Slightly older versions of AbaddonPOS may contain slightly modified functionality, including not allowing “D” as a track 2 delimiter.\r\nExfiltrating stolen credit card data\r\nAlthough many PoS malware families rely on HTTP to exfiltrate data, AbaddonPOS uses a custom binary protocol. Communication and exfiltration of credit card data are carried out by the decoded shellcode discussed above. A single hardcoded IP address is used as the C2 address, and the encoding routine used to obfuscate exfiltrated data is hardcoded as well. 
An example of the network traffic generated during a single credit card data exfiltration attempt is shown in Figure 9. As a result of this analysis, Proofpoint created and published ET Pro IDPS signatures (IDs 2814677-2814680) on October 30 to detect exfiltration attempts.\r\nFigure 9: AbaddonPOS exfiltrating encoded credit card data to C2\r\nThe first four bytes of the network traffic are the length of the encoded data, and the following four bytes are the value of the process handle returned by OpenProcess. The subsequent bytes are the encoded exfiltrated data, which in decoded form follows this format:\r\n[credit card data] ***[process name]\r\nTo encode the data, the malware first XORs each four bytes of the plaintext with the process handle, followed by a second XOR with a hardcoded 4-byte key. The exfiltration network traffic in Figure 9 is shown in its plaintext state in Figure 10. 
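The shellcode key-recovery step from the “Anti-analysis and obfuscation” section above, as an added example (this is not code from the post or from the malware): the malware walks every 4-byte XOR key until the first dword decodes to 55 89 E5 8B, but a defender holding the same known plaintext can derive the key in one XOR and then decode the blob. The shellcode bytes and the key used here are constructed for the example, not taken from a sample.

```python
# Decoded AbaddonPOS shellcode is expected to begin with the bytes 55 89 E5 8B
# (push ebp; mov ebp, esp; mov ...), the constant the post writes as 0x5589E58B.
KNOWN_PROLOGUE = bytes.fromhex('5589e58b')


def xor4(data, key):
    """XOR data with a repeating 4-byte key; the same call encodes and decodes."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def key_matches(encoded, key):
    """The test the malware applies to every candidate key: does the first
    dword decode to the expected prologue?"""
    return xor4(encoded[:4], key) == KNOWN_PROLOGUE


def recover_key(encoded):
    """Known-plaintext shortcut. The malware tries all 2**32 keys until
    key_matches() succeeds; because XOR is its own inverse, the only key that
    can pass that test is encoded[:4] XOR KNOWN_PROLOGUE, computed directly."""
    if len(encoded) < 4:
        raise ValueError('need at least one dword of encoded shellcode')
    key = bytes(c ^ p for c, p in zip(encoded[:4], KNOWN_PROLOGUE))
    if not key_matches(encoded, key):   # cannot fail here; mirrors the malware's own check
        raise ValueError('first dword does not decode to the expected prologue')
    return key


def decode_shellcode(encoded):
    """Recover the key from the first dword and decode the whole blob with it."""
    return xor4(encoded, recover_key(encoded))


# Constructed sample (not bytes from a real sample): the prologue followed by a
# few filler instruction bytes, encoded under an arbitrary 4-byte key.
SAMPLE_KEY = bytes.fromhex('deadbeef')
SAMPLE_PLAIN = KNOWN_PROLOGUE + bytes.fromhex('74088b450c31c0c9c3')
SAMPLE_ENCODED = xor4(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == '__main__':
    print('recovered key :', recover_key(SAMPLE_ENCODED).hex())
    print('decoded bytes :', decode_shellcode(SAMPLE_ENCODED).hex())
```

The same shortcut applies to any sample using this scheme: the brute-force loop in the binary is a speed bump for emulators and sandboxes, not a cryptographic protection, because the check it performs reveals the plaintext it is comparing against.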
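The six-step card search from the “Locating credit card data” section above, as an added example run over a constructed memory snapshot (this is not code from the post or from AbaddonPOS). Steps 1-4 and 6 follow the post; the per-track checks in step 5 are this example's own assumptions based on the ISO 7813 track layouts, since the post does not spell them out. The PANs in the sample buffer are standard test numbers, not real card data.

```python
TRACK1_MAX = 120   # maximum record length the malware accepts for track 1
TRACK2_MAX = 60    # ... and for track 2
FIRST_DIGITS = b'3456'           # step 1: first digit of a candidate PAN
TRACK2_DELIMS = b'=D'            # step 3: '=' or its BCD nibble rendered as 'D'
TERMINATORS = b'?\x00\r\n'       # where a track record is assumed to end


def luhn_ok(pan):
    """Step 6: Luhn check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(buf):
    """Return (track, pan, record) for every track record found in a memory
    snapshot, following the six steps in the order the post lists them."""
    hits, i, n = [], 0, len(buf)
    while i < n:
        if buf[i] not in FIRST_DIGITS:                  # step 1
            i += 1
            continue
        j = i
        while j < n and 48 <= buf[j] <= 57:
            j += 1
        pan = buf[i:j]
        if not 13 <= len(pan) <= 19 or j == n:          # step 2
            i += 1
            continue
        if buf[j] == 0x5E:                              # step 3: '^' -> track 1
            track, max_len = 1, TRACK1_MAX
        elif buf[j] in TRACK2_DELIMS:                   # step 3: '=' / 'D' -> track 2
            track, max_len = 2, TRACK2_MAX
        else:
            i += 1
            continue
        k = j + 1                                       # step 4: bound the record
        while k < n and k - i < max_len and buf[k] not in TERMINATORS:
            k += 1
        record = buf[i:k]
        # Step 5 (this example's own checks, not detailed in the post):
        if track == 1:      # PAN ^ NAME (2-26 chars) ^ YYMM...
            fields = record.split(b'^')
            plausible = (len(fields) >= 3 and 2 <= len(fields[1]) <= 26
                         and fields[2][:4].isdigit())
        else:               # PAN = YYMM...
            plausible = record[len(pan) + 1:len(pan) + 5].isdigit()
        if plausible and luhn_ok(pan.decode()):        # step 6
            hits.append((track, pan.decode(), record.decode(errors='replace')))
            i = k                                       # skip past the record
        else:
            i += 1
    return hits


# Constructed memory snapshot (test PANs, not real card data): one track 1
# record, one track 2 record, a Luhn-failing number, and two digit runs of
# the wrong length.
SAMPLE_MEMORY = (
    b'\x00\x00POSApp v2.1\x00'
    b'%B4111111111111111^DOE/JOHN^2512101123450000000?'
    b'\x00\x00\x00'
    b';5500000000000004=25121011234500000?'
    b'\x00order 4111111111111112=2512 not a card\x00'
    b'phone 5551234567\x00'
    b'33333333333333333333^x^\x00'
)

if __name__ == '__main__':
    for track, pan, record in scan_buffer(SAMPLE_MEMORY):
        print('track %d  PAN %s  record %r' % (track, pan, record))
```

Pointed at a process memory dump instead of the embedded buffer, the same function is a quick way to confirm whether a PoS process actually holds unencrypted track data, which is the precondition this whole malware family depends on.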
\r\nFigure 10: Plaintext exfiltrated credit card data and process name\r\nThe following Python 3 script decodes the network traffic, provided it has been encoded using the technique described above. It expects a file containing one raw C2 packet, starting at the length field:\r\nimport struct\r\nimport sys\r\n\r\n# Usage: python decode_abaddon.py \u003ccapture.bin\u003e  (one raw C2 packet, as sent on the wire)\r\nfilename = sys.argv[1]\r\nwith open(filename, 'rb') as f:\r\n    c2_traffic = f.read()\r\n\r\n# Wire format: [u32 LE length of encoded data][4-byte OpenProcess handle][encoded data]\r\nencoded_size = struct.unpack('\u003cI', c2_traffic[:4])[0]\r\nopenprocess_handle = c2_traffic[4:8]\r\nencoded = c2_traffic[8:8 + encoded_size]\r\nkey = [0x22, 0x11, 0xAA, 0xFF]   # hardcoded 4-byte key from the analysed sample\r\n\r\n# Each byte was XORed with the matching byte of the handle and then of the key;\r\n# both repeat every 4 bytes, so one pass undoes both.\r\ndecoded = bytes((encoded[i] ^ key[i % 4]) ^ openprocess_handle[i % 4] for i in range(len(encoded)))\r\n\r\nprint('Decoded AbaddonPOS exfiltration network traffic:')\r\nfor offset in range(0, len(decoded), 16):\r\n    chunk = decoded[offset:offset + 16]\r\n    hex_part = ' '.join('%02x' % b for b in chunk)\r\n    ascii_part = ''.join(chr(b) if 32 \u003c= b \u003c 127 else '.' for b in chunk)\r\n    print('%08x  %-47s  %s' % (offset, hex_part, ascii_part))\r\nAbaddonPOS Variations\r\nOf the samples Proofpoint researchers have discovered and analyzed so far, very few seem to have had any functionality added or removed. While “devil_host” is the most prominent mutex used by this malware, we have also found a sample that uses “devil_kor” (MD5 a55843235cd8e36c7e254c5c05662a5b) and another that uses “DeviL_Task” (MD5 ac03e0e9f70136adede78872e45f6182). We also observed a slightly updated version of AbaddonPOS (see IOCs) in which almost all functionality was relocated to the encoded shellcode. 
In these updated samples the mutex “MG_REX” was used, and the credit card search algorithm was also modified by adding ‘D’ as a valid track 2 delimiter.\r\nConnecting the dots\r\nTinyLoader has now been in development for at least a year, with a first sighting reported on January 16, 2015. Over the past year, TinyLoader has undergone several developmental changes, including:\r\nSwitching from UDP to TCP\r\nRemoving process and UUID reporting\r\nAdding different anti-analysis techniques\r\nAdding obfuscation and encoding\r\nWith the emergence of AbaddonPOS, it was quickly apparent that TinyLoader and AbaddonPOS are closely connected, and not simply because TinyLoader was used as the downloader. The code of TinyLoader and AbaddonPOS shares some important similarities, including:\r\nAnti-analysis (CALL used to push strings onto the stack)\r\nObfuscation (shellcode encoded using the exact same encoding routine)\r\nThe similarities, with code excerpts and a timeline according to Proofpoint data, are shown below (Fig. 11).\r\nFigure 11: Code history comparison for TinyLoader and AbaddonPOS\r\nConclusion\r\nThe practice of threat actors increasing their target surface by leveraging a single campaign to deliver multiple payloads is by now well established. While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cybercriminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.\r\nUPDATE November 24, 2015\r\nFurther research on TinyLoader and AbaddonPOS turned up samples indicating that this threat has been in the wild since at least August 2015. 
The current earliest known samples of AbaddonPOS include:\r\n266ce6d907a90e83da0083eee06af123 -\u003e svchost_bin -\u003e 50.7.138[.]138:13131 -\u003e Compilation timestamp 2015-08-19 22:29:46\r\n91992a1cac7f15e899b22d9a53cabf71 -\u003e svchost_bin -\u003e 50.7.124[.]172:13131\r\n538482356b4eb4e0552d16b08d5c2908 -\u003e svchost_bin -\u003e 50.7.124[.]172:13131\r\n05134cd6a50440b2c6d9ef62d2c2c3a3 -\u003e svchost_bin -\u003e 50.7.124[.]172:13131\r\n7b137055fd40c39bdc76d27ff4fc82ed -\u003e 50.7.124[.]172:15151 -\u003e Location: [hxxp://50.7.71[.]99/970/ad06b6e922623e436c7a.exe], downloaded by TinyLoader.C (md5: 4aa0ca129358b82a285e0d069a36e7fb)\r\n7e49d646cb74718dcce21d3d3ad948d1 -\u003e svchost_bin -\u003e 50.7.124[.]172:14141 -\u003e Location: [hxxp://50.7.71[.]99/upload/7e49d646cb.exe], downloaded by TinyLoader.C (md5: 3733bb7a96e3091183d80b7a4914c830)\r\nc7db01ba6b73188640e0fb65aab0d535 -\u003e svchost_bin -\u003e 50.7.124[.]172:15151\r\nThe earliest versions of AbaddonPOS are distinguished primarily by the fact that they first search for track data delimiters (\"=\" and \"^\") to find potential credit card data, rather than for a leading digit (\"3\", \"4\", \"5\", or \"6\").\r\nThree earlier versions of AbaddonPOS have been identified (credit: Nick Hoffman):\r\n81055d3e6ab2f349f334a87b090041dc -\u003e svchost_bin -\u003e 50.7.138[.]138:13030\r\nda0cd8228745081b58594103163d22b8 -\u003e svchost_sin -\u003e 50.7.138[.]138:13030\r\n04b68e4f4c7583201397d6674a3e2503 -\u003e svchost_ghost -\u003e 50.7.138[.]138:14040\r\nThe primary difference between these versions and the AbaddonPOS version analyzed in the original post is that these other versions contain a process blacklist: these processes will not be scanned for credit card data. 
The implementation is unusual in that it compares only the first four bytes of each process name; if those four bytes match, it then compares two more; and if those match as well, that process is skipped (Fig. 12). The blacklist contained the following partial process names:\r\nsvchso\r\niexplo\r\nsmss.e\r\ncsrss.\r\nwinlog\r\nlsass.\r\nspools\r\nalg.ex\r\nfirefo\r\nchrome\r\nwinini\r\nsteam.\r\nskype.\r\ndwm.ex\r\nFigure 12: AbaddonPOS svchost.exe blacklist instructions\r\nProofpoint researchers discovered the following additional hashes for AbaddonPOS:\r\n4a85feef07d4aed664624331cdbcdd66 -\u003e DeviL_TasK -\u003e 5.8.60[.]23:21920\r\n6ac78bc0bd16273c654cec105567c73e -\u003e no startup mutex -\u003e 5.8.60[.]23:21930\r\n6b02efef0580dce8e49d27196cff6825 -\u003e M_RAY -\u003e 193.28.179[.]13:20930\r\n6f1d8ca36190668163f005c7f2c9007f -\u003e M_RAY -\u003e 193.28.179[.]13:20950\r\n421dfc4856262445d12fe110bf4f2c56 -\u003e DeviL_TasK -\u003e 5.8.60[.]23:21940\r\n9646e0a87be71c225f2aa8639354bd4f -\u003e M_RAY -\u003e 193.28.179[.]13:20940\r\n46810f106dbaaff5c3c701c71aa16ee9 -\u003e no startup mutex -\u003e 176.114.0[.]165:21940\r\ne9aeb88d393e6259b5fb520bc7a49ac0 -\u003e M_REX -\u003e 193.28.179[.]105:20910\r\nOther malware likely used by these actor(s) includes:\r\nTinyLoader.C (md5: aa7897623f64576586e4b6ec99d8ccc6) was used to download Fleercivet/Bagsu, a Trojan used to commit ad fraud (md5: 79dc1ce122f7bddd730d886df1a4739a, location: [hxxp://50.7.71[.]99/file/bin86crypt_full.exe])\r\nTinyLoader.B (md5: a94c51c5e316d6e3b1cde1f80f99eb94) downloaded Fleercivet (md5: 637b764c78ddda0e1d5351a10b19bcb8, location: [hxxp://50.7.71[.]214/upload/7777.exe])\r\nTinyLoader.C (md5: 739cea68598ae347fae1d983e16a7d27) downloaded ReactorBot/Rovnix (md5: c755c9532c1ee517b25f98719968e154 and md5: 9a2fb9aa94d78313420c4106108b5fef, 
location: [hxxp://80.79.123[.]98/aurum/c.work.exe])\r\nTinyLoader.C (md5: 19516ab9a7169c53bd811c975d5fea7d) was used to download Fleercivet (md5: 227e6b1f3e66f00a4fc683d4f39da904, location: [hxxp://50.7.143[.]61/id_1123.exe]) and a packed TinyLoader.C (md5: a86b91fda7ec634e44e4b6b7e69ed659, location: [hxxp://50.7.143[.]61/40930.exe])\r\nThese actors may also have employed CryptoWall at some point, as the imphash of 227e6b1f3e66f00a4fc683d4f39da904 matches the imphash of a known CryptoWall sample (md5: 2af149845f4d1ce8e712622d3f1ec46e). Both samples are packed, however, so it is equally possible that two different actors used the same packer/crypter or packing/crypting service.\r\nReferences\r\n[1] https://www.washingtonpost.com/news/the-switch/wp/2014/08/22/secret-service-estimates-type-of-malware-that-led-to-target-breach-is-affecting-over-1000-u-s-businesses/\r\n[2] http://www.cio.com/article/2910024/data-breach/history-repeats-itself-as-pos-breaches-continue-in-2015.html\r\n[3] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows\r\n[4] http://www.cyphort.com/psychcental-com-infected-with-angler-ek-installs-bedep-vawtrak-and-pos-malware/\r\n[5] http://researchcenter.paloaltonetworks.com/2015/10/understanding-and-preventing-point-of-sale-attacks/\r\nIndicators of Compromise (IOCs)\r\nIDS/IPS Detection (ET signature IDs)\r\nTinyLoader:\r\n2020150-2020153,2020849-2020852,2812523,2812524,2814778,2814779,2814803\r\nTinyDownloader (downloader shellcode HTTP request):\r\n2814810\r\nAbaddonPOS:\r\n2814677-2814680\r\nTinyLoader 
Samples:\r\n0c77886a3ea42b75fcd860d4d97e72c5\r\na3ea1a008619687bdfef08d2af83f548\r\na53d8212a47bf25eeca87c1e27042686\r\na7a666ab9548fd1f0a8eb8050d8ca483\r\na9cc6736e573ad9e77359062e88114e2\r\naaac35389c9be79c67c4f5c4c630e5d5\r\nb3a057f55a8fa2aad5b8d212a42b4a88\r\nbcf271e83c964eb1fd89e6f1a7b7a62f\r\nc42f20e2a68b8829b52b8399b7b33bf2\r\nd785592932323f6ddaa121bcdcbceba0\r\ne08aeb0bfcbae33b851af9f8be413111\r\ne92254f9ce7d6f45e907e77de146ef37\r\nec322598eec364a755b5aea70d2a2da8\r\n1c02f2f3fa15cc6a472119389d25983e\r\n1c2a757c63ee418135e89cc8ef0d6e63\r\n2b3704e0acbcbc265d0d08502a9bf373\r\n3a7ac0c907b2c406ab480d4ed2f18161\r\n3f71031ce8ecb0f48847ccb8be86a5fe\r\n4b86cbb2e9f195bef3770d877206068d\r\n6ee164908a94a881032d0649e2bd2505\r\n6f7fabeb9ce76a1d52dbf5a40cbc74e8\r\n7b7ffdd46d1f7ccea146fd9d5a2412ae\r\n7c69dc17977b3431ff15c1ae5927ed0d\r\n7eddbf17a3d1e398621194b0f22402a7\r\n8d6d7a7d77215370d733bda57ef029f4\r\n8df542e35225e0708cd2b3fe5e18ac79\r\n9b340ac013c052ffb2beb29d26009a24\r\n47e5c290f3f443cca027aa344cbf194f\r\n54f1cda856ae921846e27f6d7cc3d795\r\n77f124332a17b3ef6c0b6a799ad0c888\r\n89a19ccb91977d8b1a020f580083d014\r\n9320175f8af07503a2b2eb4d057bac07\r\n885829081f91c6baf458166c3f42e281\r\na1d1ba04f3cb2cc6372b5986fadb1b9f\r\nTinyLoader C2 IP addresses:\r\n91.234.34[.]44\r\n50.7.138[.]138\r\n149.154.64[.]167\r\n5.8.60[.]23\r\n176.114.0[.]165\r\nAbaddonPOS 
Samples:\r\n5bf979f90307bac11d13be3031e4c6f9\r\na168fef5d5a3851383946814f15d96a7\r\na55843235cd8e36c7e254c5c05662a5b\r\n1c19494385cb21b7e18252b5abd104f6\r\n2b58f7cb4df18509a743226064b30675\r\n752dcae6eb492263608a06489546098f\r\n976275965fcf19a98da824b1959500c1\r\n227e6b1f3e66f00a4fc683d4f39da904\r\n8ca1278e2821fd2dd19c28725f754577\r\nac03e0e9f70136adede78872e45f6182\r\n12cd4df2264624578919596371edee81\r\n317f9c57f7983e2608d5b2f00db954ff\r\nf63e0a7ca8349e02342c502157ec485d\r\n0900582ba65c70a421b5d21d4ed21f16\r\n4b0db5398f02dae5315f0baff1475807\r\n703f492b2624899ec47b929f65265bbb\r\n5e33b1273b2e2d4cd0986b9873ab4bc4\r\nd11c4a4f76b2bea502b80229a83c30bc\r\ne50edb61e796c6ead88cac53719e2d00\r\ndc1a975e20eca705c6c78dc24f1290b5\r\n6a6977ea317f0240a3dacc0753257518\r\n5e06563f6303eab10c3cd46f0fd5c2d6\r\n7ef654cdc7c2b54772400e26eb292caf\r\n946be7ddd511ff9f49b5073896346eab\r\nAbaddonPOS Exfiltration C2 IP addresses:\r\n5.8.60[.]23:21910\r\n5.8.60[.]23:21930\r\n50.7.138[.]138:13030\r\n50.7.138[.]138:15050\r\n91.234.34[.]44:20940\r\n91.234.34[.]44:20970\r\n149.154.64[.]167:20910\r\n149.154.64[.]167:20920\r\n149.154.64[.]167:20940\r\n176.114.0[.]165:20910\r\n176.114.0[.]165:21910\r\n176.114.0[.]165:21940\r\nObserved AbaddonPOS Location URLs:\r\n[hxxp://50.7.143[.]61/f_p/f_940.exe]\r\n[hxxp://50.7.143[.]61/n_p/n_940.exe]\r\n[hxxp://50.7.143[.]61/kor_up.exe]\r\n[hxxp://50.7.143[.]61/f_p/f_910.exe]\r\n[hxxp://50.7.143[.]61/f_p/15050.exe]\r\n[hxxp://50.7.143[.]61/a_p/a_970.exe]\r\n[hxxp://50.7.143[.]61/x_file/x_910.exe]\r\n[hxxp://50.7.143[.]61/x_file/x_930.exe]\r\n[hxxp://50.7.143[.]61/files/p_910.exe]\r\n[hxxp://50.7.138[.]138/file_x/x_910.exe]\r\n[hxxp://50.7.138[.]138/file_x/x_930.exe]\r\n[hxxp://50.7.138[.]138/n_940.exe]\r\n[hxxp://50.7.138[.]138/n_910.exe]\r\n[hxxp://50.7.71[.]99/explorer.exe]\r\nAbaddonPOS Yara signature:\r\nrule AbaddonPOS\r\n{\r\n    meta:\r\n        description = \"AbaddonPOS\"\r\n        author = \"Darien Huss, Proofpoint\"\r\n        reference = \"md5,317f9c57f7983e2608d5b2f00db954ff\"\r\n    strings:\r\n        $s1 = \"devil_host\" fullword ascii\r\n        $s2 = \"Chrome\" fullword ascii\r\n        $s3 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" fullword ascii\r\n        $i1 = { 31 ?? 81 ?? 55 89 E5 8B 74 }\r\n    condition:\r\n        uint16(0) == 0x5a4d and (all of ($s*) or $i1) and filesize \u003c= 10KB\r\n}\r\nCode Comparison Samples\r\nTinyLoader.A,1e4906b4cfcad2e8d34a4937fa0c93e2\r\nTinyLoader.B1,c0d530c9724d7c42adab3c7030a2383b\r\nTinyLoader.B2,bd69714997e839618a7db82484819552\r\nTinyLoader.C,739cea68598ae347fae1d983e16a7d27\r\nTinyLoader.D1,7eddbf17a3d1e398621194b0f22402a7\r\nTinyLoader.X64,b10444fcb83c03a5d6395831721fe750\r\nAbaddonPOS,f63e0a7ca8349e02342c502157ec485d\r\nSource: https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
	],
	"report_names": [
		"AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
	],
	"threat_actors": [],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b772f6d15d7a3517a373fcb095c7313508e510f8.pdf",
		"text": "https://archive.orkl.eu/b772f6d15d7a3517a373fcb095c7313508e510f8.txt",
		"img": "https://archive.orkl.eu/b772f6d15d7a3517a373fcb095c7313508e510f8.jpg"
	}
}