Blog | G5 Cyber Security

Banking Trojan Spread Via UPS Phish Uses 0xDEADBEEF Beacon

The VRT often receives malicious email and associated binaries through the ClamAV submission page. We found 78 distinct strings related to banking web sites, from Chase through the Bank of East Asia. The initial C&C communication we observed was a POST with the hex value “DE AD BE EF”, an interesting value to see in network traffic since it is normally used to mark memory; it’s often used as a joke signifying that a given system has been compromised. What we would love to know is what motivated a banking trojan author to use such an easily spotted, well-known string in what is an otherwise well-obfuscated communications protocol.

Source: https://blog.talosintelligence.com/2012/07/banking-trojan-spread-via-ups-phish.html
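
A defender-side check for the beacon described above, added here as an example (it is not code from the Talos post or from this site). It assumes the four bytes appear raw in the body of an HTTP/1.x POST, which the summary does not specify; the hosts and paths in the sample requests are constructed.

```python
"""Flag HTTP POST requests whose body carries the raw bytes DE AD BE EF."""

MARKER = bytes.fromhex("deadbeef")


def split_request(raw: bytes):
    """Return (method, headers dict, body) for one raw HTTP/1.x request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # incomplete request: no header/body boundary seen
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None  # malformed request line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes after the declared body are not scanned.
    length = headers.get(b"content-length", b"")
    if length.isdigit():
        body = body[: int(length)]
    return parts[0].upper(), headers, body


def find_beacon(raw: bytes):
    """Return the body offset of the marker in a POST, or None."""
    parsed = split_request(raw)
    if parsed is None:
        return None
    method, _headers, body = parsed
    if method != b"POST":
        return None  # marker in a URL or header is not the pattern described
    offset = body.find(MARKER)
    return offset if offset >= 0 else None


# Constructed sample traffic (hosts and paths are placeholders).
SAMPLES = {
    "beacon": b"POST /x HTTP/1.1\r\nHost: c2.example\r\nContent-Length: 8\r\n\r\n\xde\xad\xbe\xef\x01\x02\x03\x04",
    "benign_post": b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 9\r\n\r\nuser=test",
    "get": b"GET /\xde\xad\xbe\xef HTTP/1.1\r\nHost: a.example\r\n\r\n",
    "text_only": b"POST /n HTTP/1.1\r\nHost: b.example\r\nContent-Length: 8\r\n\r\nDEADBEEF",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, find_beacon(raw))
```

The ASCII string "DEADBEEF" is deliberately not matched; only the four raw bytes are, and the returned offset shows where in the body they sit so an analyst can judge whether the hit is a protocol header or incidental binary data.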
