SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dexter (Back to overview)

Dexter

aka: LusyPOS
VTCollection    

Dexter is a computer virus or point of sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. It infects PoS systems worldwide and steals sensitive information such as Credit Card and Debit Card information.

References
2012-12-23Contagio DumpMila Parkour
Dec 2012 Dexter - POS Infostealer samples and information
Dexter
2012-12-21Trend MicroJason Pantig
Infostealer Dexter Targets Checkout Systems
Dexter
2012-12-12Volatility LabsMichael Hale Ligh
Unpacking Dexter POS "Memory Dump Parsing" Malware
Dexter
Yara Rules
[TLP:WHITE] win_dexter_auto (20260504 | Detects win.dexter.)
rule win_dexter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dexter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 ff15???????? a3???????? c705????????00000000 6a01 }
            // n = 5, score = 400
            //   52                   | push                edx
            //   ff15????????         |                     
            //   a3????????           |                     
            //   c705????????00000000     |     
            //   6a01                 | push                1

        $sequence_1 = { 83c40c eb1a 6a00 6a00 6a00 6a06 8b15???????? }
            // n = 7, score = 400
            //   83c40c               | add                 esp, 0xc
            //   eb1a                 | jmp                 0x1c
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a06                 | push                6
            //   8b15????????         |                     

        $sequence_2 = { 7508 6a00 ff15???????? ff15???????? a3???????? ff15???????? a3???????? }
            // n = 7, score = 400
            //   7508                 | jne                 0xa
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_3 = { 85c0 7428 8b0d???????? 51 ff15???????? 85c0 750a }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc

        $sequence_4 = { 51 68???????? 8b5508 52 ff15???????? 68???????? }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   68????????           |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_5 = { 83fa63 7502 eb44 8b4510 }
            // n = 4, score = 400
            //   83fa63               | cmp                 edx, 0x63
            //   7502                 | jne                 4
            //   eb44                 | jmp                 0x46
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_6 = { a1???????? 0305???????? 8945fc 8b4d0c 51 8b5508 52 }
            // n = 7, score = 400
            //   a1????????           |                     
            //   0305????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx

        $sequence_7 = { 52 6a00 ff15???????? 68???????? 68???????? }
            // n = 5, score = 400
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_8 = { 8bec b801000000 85c0 7428 8b0d???????? }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   b801000000           | mov                 eax, 1
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   8b0d????????         |                     

        $sequence_9 = { 6a00 8b0d???????? 51 e8???????? 83c40c c705????????00000000 68???????? }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c705????????00000000     |     
            //   68????????           |                     

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules