Some new POS malware I found on a compromised back-office server.
MD5 hash: a5a89dc69c4d3fa47a88b379179626c7
SHA1 hash: d2b1dccbb3a3a6e0ed5d55a89b4c04af192b414a
- crypted/packed with a VB crypter
- drops itself to %APPDATA%\NET Framework\msdll32.exe, and also creates two files in the same location: nt01.dat, nthome.dat
- tries to communicate with two HTTP panels, at least to fetch some configs:
www.localhost0x2.net/config/config_01.bin
lucky-dumps.biz/config/config_01.bin

from the first one it gets a file with the following encrypted and base64-encoded data:
gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

- creates a mutex named "_NEW_HOOK10"
- adds itself to autorun
http://camas.comodo.com/cgi-bin/submit? ... ec498571a6
I didn't try to decrypt/unpack it because I'm not at home and have no tools here.
https://www.virustotal.com/en/file/639a ... 386174185/
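Added example, not part of the post above: the two base64 lines of config_01.bin quoted in the post are short enough to try the cheapest hypothesis first, a single-byte XOR shared by both lines. The script below base64-decodes each line, brute-forces all 256 keys, and keeps the key under which at least one line contains the crib "http" and the overall printable-ASCII score is highest. The crib and the single-byte-XOR assumption are mine; the only input is the data already on the page. Running it recovers key 0xE8, under which both lines decode to the two panel URLs the sample contacts.

```python
import base64

# The two base64 lines of config_01.bin, copied from the post above.
CONFIG_B64 = """gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
gJycmNLHx4Sdi4ORxYydhZibxoqBkg=="""

# Printable ASCII range used to score candidate plaintexts.
PRINTABLE = set(range(0x20, 0x7F))


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte."""
    return bytes(b ^ key for b in data)


def printable_score(data: bytes) -> int:
    """Count bytes that fall in printable ASCII; higher means more plausible text."""
    return sum(1 for b in data if b in PRINTABLE)


def brute_force_xor(blobs, crib=b"http"):
    """Try all 256 single-byte keys against every blob at once.

    Assumption (mine, not the post's): one key covers the whole config, so a
    key is only accepted if the crib shows up in at least one decrypted blob.
    Among such keys the one with the best printable score wins.
    Returns (key, [plaintexts]) or (None, []) when nothing fits.
    """
    best = None
    for key in range(256):
        plains = [xor_single(b, key) for b in blobs]
        if not any(crib in p for p in plains):
            continue
        score = sum(printable_score(p) for p in plains)
        if best is None or score > best[0]:
            best = (score, key, plains)
    if best is None:
        return None, []
    return best[1], best[2]


def decrypt_config(b64_text: str, crib=b"http"):
    """Base64-decode each non-empty line, then recover the shared XOR key.

    Each line is decoded on its own because each carries its own padding.
    """
    blobs = [base64.b64decode(line.strip())
             for line in b64_text.splitlines() if line.strip()]
    key, plains = brute_force_xor(blobs, crib)
    if key is None:
        return None, []
    return key, [p.decode("ascii", errors="replace") for p in plains]


if __name__ == "__main__":
    key, urls = decrypt_config(CONFIG_B64)
    if key is None:
        print("no single-byte XOR key produced the crib")
    else:
        print(f"key = 0x{key:02x}")
        for u in urls:
            print(u)
```

Because the ciphertext starts with a repeated byte pair (9C 9C) preceded by a byte differing from it by 0x1C and followed by one differing by 0x04, exactly the XOR pattern of "http", only one key can satisfy the crib here; if a config does not decode this way, the next things to try are a multi-byte repeating key or RC4 with a hard-coded key pulled from the unpacked binary.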