win.dexter

Dexter

aka: LusyPOS

Dexter is a computer virus, or point-of-sale (PoS) malware, that infects computers running Microsoft Windows; it was discovered by the IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data.

References
2012-12-23 — Contagio Dump — Mila Parkour
Dec 2012 Dexter - POS Infostealer samples and information
Dexter
2012-12-21 — Trend Micro — Jason Pantig
Infostealer Dexter Targets Checkout Systems
Dexter
2012-12-12 — Volatility Labs — Michael Hale Ligh
Unpacking Dexter POS "Memory Dump Parsing" Malware
Dexter
Yara Rules
[TLP:WHITE] win_dexter_auto (20230808 | Detects win.dexter.)
rule win_dexter_auto {
    // Auto-generated detection rule for the Dexter point-of-sale malware family
    // (Malpedia id win.dexter). The strings below are x86 code sequences selected
    // by yara-signator v0.6.0 from unpacked samples and memory dumps, not from the
    // packed on-disk form of the malware (see the DISCLAIMER further down).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): two distinct dates appear in this meta block (date 2023-12-06
        // and malpedia_rule_date 20231130) next to a dataset stamp (malpedia_version
        // 20230808); presumably rule-generation date vs. rule-set date vs. Malpedia
        // dataset version -- confirm against the yara-signator documentation before
        // using any of them to version the rule.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dexter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured with; the "??" wildcards in
        // the strings below correspond to the masked call/jump and data-reference
        // operands.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instruction encodings.
        // "??" is a YARA wildcard byte: it masks rel32 call/jump targets and
        // absolute data addresses (the rows whose disassembly column is left
        // blank), which change between builds and after relocation. In the
        // per-string notes, n is the instruction count; score is yara-signator's
        // ranking value, whose scale is not documented on this page.
        $sequence_0 = { 8b5508 83c201 895508 8d45f4 }
            // n = 4, score = 400
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c201               | add                 edx, 1
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_1 = { c705????????00000000 a1???????? 0305???????? 8945fc 8b4d0c }
            // n = 5, score = 400
            //   c705????????00000000     |     
            //   a1????????           |                     
            //   0305????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_2 = { eb17 837df400 7511 6a01 e8???????? }
            // n = 5, score = 400
            //   eb17                 | jmp                 0x19
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   7511                 | jne                 0x13
            //   6a01                 | push                1
            //   e8????????           |                     

        $sequence_3 = { 50 e8???????? 83c410 8b4df8 51 6a00 8b15???????? }
            // n = 7, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   8b15????????         |                     

        $sequence_4 = { 7507 b801000000 eb0d 8b4dfc 83c101 }
            // n = 5, score = 400
            //   7507                 | jne                 9
            //   b801000000           | mov                 eax, 1
            //   eb0d                 | jmp                 0xf
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c101               | add                 ecx, 1

        $sequence_5 = { 52 6a00 ff15???????? 68???????? 68???????? }
            // n = 5, score = 400
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_6 = { e8???????? 83c404 0fbed8 c1e304 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   0fbed8               | movsx               ebx, al
            //   c1e304               | shl                 ebx, 4

        $sequence_7 = { 68e8030000 ff15???????? e9???????? 833d????????00 741e 8b0d???????? }
            // n = 6, score = 400
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   e9????????           |                     
            //   833d????????00       |                     
            //   741e                 | je                  0x20
            //   8b0d????????         |                     

        $sequence_8 = { 8b5510 8a45f9 8802 8b4d10 83c101 }
            // n = 5, score = 400
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8a45f9               | mov                 al, byte ptr [ebp - 7]
            //   8802                 | mov                 byte ptr [edx], al
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   83c101               | add                 ecx, 1

        $sequence_9 = { 8b0d???????? 51 ff15???????? 6aff 8b15???????? }
            // n = 5, score = 400
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   6aff                 | push                -1
            //   8b15????????         |                     

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present and the
        // scanned object is smaller than 98304 bytes (96 KiB). Because the
        // sequences were taken from unpacked code and memory dumps, a packed
        // on-disk sample is unlikely to match until it is unpacked, and the
        // filesize bound excludes larger memory dumps or process images -- consider
        // relaxing it when scanning memory rather than files.
        7 of them and filesize < 98304
}