1/4

.. January 30, 2022

Point-of-Sale malware - RTPOS
reversing.fun/posts/2022/01/30/rtpos.html

Jan 30, 2022

RTPOS is a ram scraper used to find credit card data within a process memory address
space. Credit card data is saved into a log file that needs to be manually grabbed by the
malware operators.

Sample:

Filename: alohae.exe 
SHA256: fb749c32b58fd1238f21d48ba1deb60e6fb4546f3a74e211f80a3ed005f9e046 

It supports two command-line options to either install itself as a service or remove the
existing installation:

When executed with the install argument, RTPOS installs itself as a service named
WinLogon with the start type set to auto start:

Service details:

http://reversing.fun/posts/2022/01/30/rtpos.html


2/4

RTPOS creates a file mapping to store the credit card data before saving it to disk:

RTPOS saves the logs with credit card data in a file named sql8514.dat inside the folder
C:\Windows\System32 or C:\Windows\SysWOW64\ if the malware runs in a 64-bit machine:

The malware enters in a loop where it will keep scanning the running processes for credit
card data:



3/4

To read the memory of the targeted processes, RTPOS uses the classic combinations of
Windows APIS:

CreateToolhelp32Snapshot
Process32FirstW/Process32NextW
OpenProcess
VirtualQueryEx
ReadProcessMemory

It will avoid scanning vmtoolsd.exe, System, windbg.exe, and ntsd.exe processes:

The credit card tracks are validated with the Luhn algorithm:



4/4

Example of the content of sql8514.dat: