win.dexter

Dexter

aka: LusyPOS

Dexter is a computer virus, or point-of-sale (PoS) malware, that infects computers running Microsoft Windows; it was discovered by the IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive data such as credit card and debit card information.

References
2012-12-23Contagio DumpMila Parkour
@online{parkour:20121223:dec:04b8065, author = {Mila Parkour}, title = {{Dec 2012 Dexter - POS Infostealer samples and information}}, date = {2012-12-23}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html}, language = {English}, urldate = {2019-12-20} } Dec 2012 Dexter - POS Infostealer samples and information
Dexter
2012-12-21Trend MicroJason Pantig
@online{pantig:20121221:infostealer:775f6fa, author = {Jason Pantig}, title = {{Infostealer Dexter Targets Checkout Systems}}, date = {2012-12-21}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/}, language = {English}, urldate = {2020-01-08} } Infostealer Dexter Targets Checkout Systems
Dexter
2012-12-12Volatility LabsMichael Hale Ligh
@online{ligh:20121212:unpacking:612f008, author = {Michael Hale Ligh}, title = {{Unpacking Dexter POS "Memory Dump Parsing" Malware}}, date = {2012-12-12}, organization = {Volatility Labs}, url = {https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html}, language = {English}, urldate = {2020-01-13} } Unpacking Dexter POS "Memory Dump Parsing" Malware
Dexter
Yara Rules
[TLP:WHITE] win_dexter_auto (20230125 | Detects win.dexter.)
rule win_dexter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.dexter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * How this rule was built, and how much to trust it:
     * Every hex fragment below was picked automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of memory dumps and unpacked files, so expect it to apply to unpacked
     * code and memory dumps rather than to packed samples.
     * Malpedia, the data source, documents only a single sample for many
     * families, which limits how well these fragments generalize; assign a
     * confidence level that reflects the generation method when you deploy
     * the rule.
     *
     * Reading the fragments: each "??" is a wildcard byte. The wildcards sit
     * over the rel32 displacement of call/jmp (e8/e9) and over the absolute
     * addresses of memory operands, i.e. the bytes that change with linking
     * and relocation, so only the opcode skeleton is matched. The comment on
     * each fragment gives the decoded 32-bit x86 instructions of the fixed
     * bytes; "[abs]" stands for a wildcarded absolute memory operand.
     */

    strings:
        // 6 instructions, score 400:
        // push eax; call rel32; push imm32; call rel32; add esp, 4; cmp eax, 1
        $seq_0 = { 50 e8???????? 68???????? e8???????? 83c404 83f801 }

        // 6 instructions, score 400:
        // cmp dword ptr [abs], 0; jbe short; mov eax, [abs]; sub eax, [abs];
        // mov [abs], eax; mov ecx, [abs]
        $seq_1 = { 833d????????00 764c a1???????? 2b05???????? a3???????? 8b0d???????? }

        // 7 instructions, score 400:
        // jmp rel32; cmp dword ptr [abs], 0; je short; mov ecx, [abs];
        // push ecx; call dword ptr [abs]; test eax, eax
        $seq_2 = { e9???????? 833d????????00 741e 8b0d???????? 51 ff15???????? 85c0 }

        // 5 instructions, score 400:
        // call dword ptr [abs]; mov [abs], eax; push 5; push imm32; call rel32
        $seq_3 = { ff15???????? a3???????? 6a05 68???????? e8???????? }

        // 6 instructions, score 400:
        // jmp rel32; mov ecx, [abs]; cmp ecx, [abs]; je short;
        // mov edx, [abs]; cmp edx, [abs]
        $seq_4 = { e9???????? 8b0d???????? 3b0d???????? 740e 8b15???????? 3b15???????? }

        // 7 instructions, score 400 (overlaps the tail of $seq_0 and the head of $seq_4):
        // add esp, 4; cmp eax, 1; jne short; jmp rel32; mov ecx, [abs];
        // cmp ecx, [abs]; je short
        $seq_5 = { 83c404 83f801 7505 e9???????? 8b0d???????? 3b0d???????? 740e }

        // 6 instructions, score 400:
        // mov edx, [abs]; mov [ebp - 4], edx; mov eax, [ebp - 4]; push eax;
        // call dword ptr [abs]; mov ecx, [abs]
        $seq_6 = { 8b15???????? 8955fc 8b45fc 50 ff15???????? 8b0d???????? }

        // 7 instructions, score 400:
        // call dword ptr [abs]; test eax, eax; jne short; push 1; call rel32;
        // add esp, 4; push 0x7d0 (2000)
        $seq_7 = { ff15???????? 85c0 750a 6a01 e8???????? 83c404 68d0070000 }

        // 7 instructions, score 400:
        // push eax; mov ecx, [ebp + 0x10]; push ecx; call dword ptr [abs];
        // mov edx, [ebp - 8]; push edx; mov eax, [ebp + 0x10]
        $seq_8 = { 50 8b4d10 51 ff15???????? 8b55f8 52 8b4510 }

        // 6 instructions, score 400 (a shorter variant of $seq_7's opening):
        // push ecx; call dword ptr [abs]; test eax, eax; jne short; push 1; call rel32
        $seq_9 = { 51 ff15???????? 85c0 750a 6a01 e8???????? }

    condition:
        // The scanned object must be under 96 KiB (98304 bytes) and at least
        // 7 of the 10 fragments must be present; requiring a majority rather
        // than any single fragment keeps generic call/jump skeletons from
        // matching unrelated code on their own.
        filesize < 98304 and 7 of ($seq_*)
}