{
	"id": "ff1b5f4b-3c90-401c-bef7-c4774d6a116f",
	"created_at": "2026-04-06T00:19:29.898624Z",
	"updated_at": "2026-04-10T13:11:21.139014Z",
	"deleted_at": null,
	"sha1_hash": "1af033d7c8457237141ee6bc66be8d7637f21d70",
	"title": "The evolution of Brazilian Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3989262,
	"plain_text": "The evolution of Brazilian Malware\r\nBy Thiago Marques\r\nPublished: 2016-03-31 · Archived: 2026-04-05 13:44:51 UTC\r\nIntroduction\r\nBrazilian malware continues to evolve day by day, making it increasingly sophisticated. If you want to know how\r\nthe various malicious programs work nowadays, you can jump to the corresponding section here. Meanwhile,\r\nbefore that, we would like to show how the techniques used by Brazilian cybercriminals have changed, becoming\r\nmore advanced and increasingly complex.\r\nTaking a look at the wider picture we can see that the authors are improving their techniques in order to increase\r\nmalware lifetime as well as their profits.\r\nSome time ago, analyzing and detecting Brazilian malware was something that could be done pretty fast due to no\r\nobfuscation, no anti-debugging technique, no encryption, plain-text only communication, etc. The code itself used\r\nto be written in Delphi and Visual Basic 6, with a lot of big images inside making it a huge file, as well as poor\r\nexception handling where the process would regularly crash.\r\nNowadays, the scenario is not the same; the attackers are investing time and money to develop solutions where the\r\nmalicious payload is completely hidden under a lot of obfuscation and code protection. They do still use Delphi\r\nand VB, but have also adopted other languages like .NET and the code quality is much better than before, making\r\nit clear to us that they have moved to a new level.\r\nLet’s walk through some samples showing the difference between what we used to find a few years ago and the\r\nthreats being delivered today.\r\nWhat we used to find\r\nKeylogger\r\nIn the beginning, the first samples used to steal banking information from customers were simple keyloggers,\r\nmost of them using code publicly available with some minor customizations in order to log only specific\r\nsituations. 
At the time it was sufficient since banking websites were not using any kind of protection against this\r\nthreat.\r\nhttps://securelist.com/the-evolution-of-brazilian-malware/74325/#rat\r\nPage 1 of 37\n\nPublic keylogger source code\r\nCode implemented on malicious binary\r\nThe code was pretty simple; it just used the function GetAsyncKeyState in order to check the state of each key\r\nand then logged it as necessary. Most of the keyloggers were not using any obfuscation to hide the targets, helping\r\nin the identification of such attacks.\r\nPlaintext strings used to detect navigation\r\nPhishing Trojan\r\nAfter the banks introduced virtual keyboards to their systems, the use of keyloggers was no longer effective. To\r\nbypass these protections, the Brazilian bad guys started developing mouselogger malware and later Phishing\r\nTrojans.\r\nThis type of malware was using DDE (Dynamic Data Exchange) in order to get the current URL opened in the\r\nbrowser; this method still works nowadays, but most of these malicious programs have updated their code to use\r\nOLE Automation instead of DDE because it provides more advanced options.\r\nCode using DDE to get URL information\r\nAfter getting the current URL the malware just checks if the URL is in the target list. 
If found, the malware would\r\nshow a phishing screen asking for banking information.\r\nPhishing Trojan being shown inside Internet Explorer\r\nAt this time the malware was not using any kind of encryption or encoding – all strings were plaintext, making the\r\nanalysis easier.\r\nMalware strings without any encryption/encoding\r\nThe stolen information is then sent to the attacker by email.\r\nEmail containing the stolen information\r\nHosts\r\nIn order to steal information without making it easy to identify a phishing Trojan, they started redirecting users to\r\nmalicious web pages by changing the hosts file to resolve the banking domain names to hardcoded servers. In this\r\nway, after infection it would be more transparent to the user, increasing the chances of a successful attack.\r\nData written to the hosts file in order to redirect access\r\nCode used to write data to the hosts file\r\nThese types of attack were very effective at the time, while not all anti-malware vendors were able to identify and\r\nblock them. We can still see some samples using hosts modifications, but they are not so effective anymore.\r\nAnti-rootkit\r\nAt this stage they realized that anti-malware solutions and internet banking security plugins were making their\r\nwork more difficult. 
They then started to focus their efforts on removing security solutions before running the\r\nmalicious payload in order to increase the chances of a successful execution and to keep running on the infected\r\nmachine for much longer.\r\nNothing could be better than using well known command line tools that already have this capability – and most of\r\nthem are already allowlisted.\r\nRegRun Partizan\r\nThis tool is a Native Executable which runs on system startup before the Win32 subsystem starts up. It is able to\r\ndelete files and registry keys even if they are protected by Kernel mode drivers, since it is executed before the\r\ndrivers are loaded to the system. The commands to be executed are specified on the .RRI file as shown below.\r\nPartizan RRI script containing the list of files to remove\r\nThe Avenger\r\nA Windows driver designed to remove persistent files and registry keys. The commands to be executed on the\r\nsystem are written to a script that will be read by the driver once it starts.\r\nThe Avenger GUI and script to delete security solutions\r\nGmer\r\nGmer is a well-known rootkit detector and remover with lots of functions to detect rootkit activities on the system\r\nas well as delete files by using its own device driver. 
As it has a command-line interface, it is easy to remove\r\nprotected files.\r\nBAT file using GMER’s killfile function to remove security solution\r\nMore details about banking Trojans using GMER to uninstall security software can be found in a separate\r\nblogpost.\r\nMalicious Bootloader\r\nAfter using anti-rootkits, Brazil’s cybercriminals went deeper and started to develop their own bootloaders, tailored\r\nexclusively to remove the security solutions from the user’s machine. The downloader is in charge of installing the\r\nmalicious files and then rebooting the machine. After reboot the malicious bootloader can remove the desired files\r\nfrom the system.\r\nBasically, the malware replaces the original NTLDR, the bootloader for Windows NT-based systems up to\r\nWindows XP, with a modified version of GRUB.\r\nModified GRUB loader acting as NTLDR\r\nThis loader will read the menu.lst file that points to the malicious files already installed on the system, xp-msantivirus and xp-msclean.\r\nMenu.lst file containing the parameters to execute malicious commands\r\nWhen executed the malware will remove files related to security solutions and then restore the original NTLDR\r\nfiles that were previously renamed to NTLDR.old.\r\nCommands executed to remove security modules and restore the original NTLDR\r\nWhat we have nowadays\r\nAutomation\r\nMost banks were using machine identification to prevent unauthorized attempts to perform operations using the\r\nstolen information. 
To bypass this, the bad guys started performing the malicious operations from the infected\r\nmachine, by using Internet Explorer Automation (formerly OLE automation) to interact with the page content.\r\nThe first samples using this type of attack were Browser Helper Objects (BHOs) that could detect a transfer\r\ntransaction and then change the destination account, sending the money to the attacker instead of the real\r\ndestination.\r\nLater, the same method was heavily used in Boleto attacks, where they were using automation to get the inputted\r\nbarcode and then replace it with the fraudulent one.\r\nSince this method only works for Internet Explorer, the malware needs to force the user to access internet banking\r\nvia that browser. Therefore, it implements a timer which checks if Firefox or Chrome is being used and then kills\r\nthe process.\r\nCode to avoid use of Chrome and Firefox\r\nWhen an instance of IE is found, the malware will search for a tab instance in order to be able to read the window\r\ntext and then to know which URL is being accessed.\r\nFinding the tab handle and obtaining the URL being accessed\r\nSearch for target’s specific titles\r\nAs the automation will process the page structure, it needs to know if the victim is on the page to input the Boleto\r\ninformation. 
It installs a handler for the event OnDocumentComplete in order to collect the full URL as soon as it is\r\nloaded and then checks if the user is on the target page.\r\nSearch for target’s specific pages\r\nAfter confirming that the user is on the target page, the malware will process the page structure and install a\r\nhandler on the submit button, so it can take control of the execution right after the user has submitted the page\r\nand then process the inputted content.\r\nSearch for a specific textbox and get the inputted data\r\nAfter collecting the inputted data, it can be processed and then changed to the malicious content before submitting\r\nthe page.\r\nIn the samples we could find, string obfuscation, debugger detection and virtual machine detection, combined with\r\nthis method, mean they are not as easy to detect as other attacks involving phishing Trojans and hosts.\r\nCode Obfuscation and RunPE\r\nLooking for new ways to bypass detection, Brazilian criminals started using obfuscation in order to hide the parts\r\nof code that perform their main operations.\r\nIn the code below the coder has encrypted the original code of the function used to download the malicious\r\npayload; on a static analysis you cannot figure out what the purpose of this function is.\r\nEncrypted downloader function\r\nAt runtime the malware will call the function to decrypt this code prior to executing it.\r\nDecrypt code call\r\nDecryption routine\r\nAs we can see in the code above, the decryption is a simple sub operation using the key 0x42 on the encrypted\r\nbyte – a simple and fast way to hide parts of code.\r\nDecrypted downloader function\r\nIn order to avoid detection by a network firewall, the downloaded file 
is encrypted using its own encryption\r\nfunction.\r\nEncrypted file\r\nDecrypted file\r\nThe encryption function is also hidden by using the same method used in the download function – after decrypting\r\nthe code we can find an XOR-based encryption combined with a shift-right operation on the XOR key.\r\nAfter decrypting the file, it will not be executed using the normal methods usually found in malicious code. To\r\nhide the process on the machine the malware uses a trick known as RunPE where the code will execute a clean\r\nprocess (like iexplorer.exe or explorer.exe) in a suspended state and then modify its memory content to the\r\nmalicious code and execute.\r\nCode launching clean process in a suspended state\r\nAfter creating the process in a suspended state the code will write the new code to the memory space, set the new\r\nEIP for execution and then resume the thread.\r\nWriting malicious code and resuming the thread\r\nInternet Explorer process hosting the malicious file\r\nSince the malicious code is running in the memory space allocated to Internet Explorer, using tools like Process\r\nExplorer to verify the publisher signature does not work because they check the signature of the process on the\r\ndisk.\r\nIt was clear that they had moved on completely from using beginner’s code to a much more professional\r\ndevelopment and we realized it was time to update the analysis process for Brazilian malware. 
We are sure most\r\nof this evolution happened due to contact and the exchange of knowledge with other malware scenes, mostly those\r\nin Eastern Europe, which we described in this article.\r\nAutoIt Crypto\r\nAutoIt is now often used as a downloader and crypto for the final payload in order to bypass detection. After being\r\ncompiled the AutoIt script is encrypted and embedded in the generated binary, which makes it necessary to extract\r\nthe original script before analyzing its code.\r\nLooking for a better way to hide the final payload, the Brazilian cybercriminals have developed a new crypto\r\nusing AutoIt language where the decrypted payload is executed by using a RunPE technique.\r\nAutoIt Crypto execution flow\r\nThe crypto uses two different methods to store the encrypted file: the first one is by using the FileInstall function\r\nthat already exists on AutoIt, and the other one is embedding the file at the end of the binary.\r\nWhen using the second method the crypto writes a key which is used to mark where the encrypted payload content\r\nstarts and is then able to find the content to decrypt. On the sample below, the key used is a short version of “Sei\r\nque ganharei 20K” which means “I know that I will win R$ 20,000”.\r\nKey used to mark where the encrypted payload starts\r\nAutoIt Crypto main code\r\nAfter reading the encrypted payload it decrypts the content using the decryption key “VENCIVINICI” and then\r\nexecutes the malicious payload using RunPE.\r\nThe decryption function code is not written in AutoIt – it is written in C language. 
After being compiled the bytes\r\nare included in the code as a string and then mapped to memory and executed by using the CallWindowProc API.\r\nDecryption function implementation\r\nWe found the following algorithms being implemented as the encryption/compression method for this crypto:\r\nRC4\r\nXXTEA\r\nAES\r\nLZMA\r\nZLIB\r\nThe use of AutoIt for malware development is not something new, but in the middle of 2014 we saw a wave of\r\nattacks using AutoIt in Brazil, as we can see on the graph below.\r\nTrojan.Win32.Autoit: number of users attacked in Brazil\r\nMSIL Database\r\nAnother type of malware that emerged recently was malware developed in .NET instead of Visual Basic 6.0 and\r\nDelphi, following a trend we saw worldwide. It is not hard to find a downloader written in .NET. Anyway, some\r\nsamples of Trojan-Banker.MSIL.Lanima grabbed our attention when we found some of them were not using\r\nfunctions commonly used to download the payload.\r\nDownload function\r\nAs we can see in the picture above, these samples do not use any download function because they use SQL Server to\r\nhost the binary content and then just use an SQL command to retrieve the content and save it to disk.\r\nThe strings are encoded with base64 and encrypted with the Triple DES algorithm in order to hide the text related to\r\nthe main actions of the malware.\r\nDecrypt function\r\nThis family of malware is very prevalent in Brazil and China.\r\nMSIL Crypto\r\nFollowing the same method used by AutoIt Crypto the bad guys developed another crypto, this time using .NET\r\nlanguage. 
The process to extract the real executable is almost the same as AutoIt Crypto but it has an intermediate\r\nmodule which is responsible for extracting the final payload.\r\nLooking at the main module, we have .NET code, and the main function of this module is to extract and\r\nload the embedded DLL.\r\n.NET Crypto execution flow\r\nCrypto main function\r\nAs we can see, the function above will split the binary content by using the separator string\r\n“cdpapxalZZZsssAAA” and use the second block which contains the encrypted code of the Loader DLL.\r\nLoader DLL encrypted content\r\nThen it is time to decrypt it by calling the function named “fantasma” (or “ghost” in English); the official name\r\nused for this crypto in the forums is PolyRevDecrypt, which is basically an XOR operation between the encrypted\r\nbyte, the last byte of the encrypted buffer and one byte of the password provided to the function.\r\nDecryption function\r\nAfter being decrypted, the code will be loaded and executed by the function “docinho” (or “candy” in English).\r\nFunction to load and execute the DLL\r\nThe code of the library is almost the same as the main executable except that now it will use the second block of\r\nthe split content.\r\nLoader DLL main function\r\nRAT\r\nIn a bid to reduce the losses related to cyber attacks, banks implemented two-factor authentication using a\r\nhardware token and SMS token for online banking transactions in addition to the solutions already in place like\r\nmachine identification. 
To solve this problem the cybercriminals have created a remote administration tool\r\nspecially developed to request the information required to process internet banking transactions.\r\nRAT execution flow\r\nThe browser watcher will monitor the user browser and see if any of the target banks are accessed; if they are, it\r\nwill decompress and execute the RAT Client and notify the C\u0026C about the new infection.\r\nInternet banking access monitoring\r\nThe strings used by this malware are encrypted using their own encryption routine. After decrypting them we are able\r\nto identify the targets as well as the important parts of the code.\r\nDecrypted strings\r\nFor this type of infection it is common for the bad guys to create a way to manage the attacks. Here we can see the\r\nnumber of computers infected on the same day, keeping in mind that this number means the number of users that\r\nhave accessed internet banking while the malware was running on their computer.\r\nC\u0026C panel showing the list of infected users\r\nThe RAT Client will connect to the server to alert the attacker that a new victim is accessing the internet banking\r\nsystem. It is then possible to execute the attack in real time.\r\nRAT Server showing a new victim is connected\r\nAt this stage the attacker just needs to wait for the user to login and then proceed with the attack. 
When the user is\r\nalready logged in, the attacker can see the user screen, lock it and control the execution as well as ask for specific\r\ninformation that will help him to steal the account, like:\r\nToken\r\nAccess card code\r\nDate of birth\r\nAccount password\r\nInternet banking password\r\nElectronic signature\r\nTo prevent the user from seeing that the computer is being remotely controlled, this RAT has a function that\r\nsimulates an update for the bank security plugin, showing a progress bar and disabling all user interactions.\r\nMeanwhile, the attacker can perform the banking operations by using the active browser session because the\r\noverlay screen is not shown to the attacker.\r\nLock screen simulating an update\r\nIf some information is requested to confirm the transaction, e.g. SMS token, the attacker can ask the victim, who\r\nwill think the information is necessary in order to proceed with the update process.\r\nScreen asking for token code\r\nAs soon as the user provides the information, the attacker can enter it on the internet banking screen, bypassing\r\nthe 2FA used in the transaction.\r\nInformation received from the victim\r\nRansomware\r\nBrazilian cybercriminals not only work with banking malware – they are also exploring other types of attacks\r\ninvolving ransomware. Some years ago, we found TorLocker which contains details inside the malware code\r\nsuggesting that the developer is from Brazil.\r\nCode containing some strings suggesting the author is from Brazil\r\nAs we can see in the image above, we found the sentence highlighted in blue: “Filho de Umbanda não cai!”\r\n(“Umbanda’s son never falls down”). Umbanda is an unorthodox religion in Brazil. 
The name marked in red is the\r\nnickname of the author, and the malware also uses the extension .d74 for the encrypted files. This user is very active on\r\nunderground forums looking for malicious services in Brazil.\r\nWe also found other references, like the use of a service in Brazil to get the victim IP in order to notify about an\r\ninfection.\r\nRequest to a Brazilian service to obtain the victim IP\r\nSome months ago, we found another ransomware program based on the Hidden Tear source code that was\r\nmodified to target Brazilian users, differing from the initial program that was found targeting English- and\r\nJapanese-speaking users.\r\nVictim’s machine showing messages in Portuguese, asking to pay in order to receive the files\r\nWhy they evolve\r\nWe have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved\r\nwith ZeuS, SpyEye and other malware created in the region. This collaboration directly affects the quality and\r\nthreat level of local Brazilian malware, as its authors are adding new techniques to their creations and getting\r\ninspiration to copy some of the features used in the malware originating from Eastern Europe. Brazilian\r\ncybercriminals are not only developing the quality of their code but also using the cybercrime infrastructure from\r\nabroad.\r\nWe saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This\r\ntechnique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking\r\nTrojan Capper. This cooperation continued as Brazilian criminals started to use the infrastructure of banking\r\nTrojans from Eastern Europe – the Trojan-Downloader.Win32.Crishi was the first to use DGA domains hosted\r\nat bulletproof companies from Ukraine. 
Also the Boleto malware adopted the massive usage of fast flux domains,\r\naiming to avoid the takedown of C2s – we saw that with the “bagaça” (bagasse in Portuguese) domains, registered\r\nusing anonymous services, which hosted crimeware and boleto stuff and were resolving to different IPs for every\r\nrequest.\r\nThe “bagaça” domains: fast flux and bulletproof from Eastern Europe\r\nAnother strong sign of their cooperation is the constant presence of Brazilian cybercriminals on Russian or Eastern\r\nEuropean underground forums. It’s not unusual to find Brazilian criminals on Russian underground forums\r\nlooking for samples, buying new crimeware and ATM/PoS malware, or negotiating and offering their services.\r\nThe results of this cooperation can be seen in the development of new techniques adopted in Brazilian malware.\r\nThe Brazilian malicious author of TorLocker negotiating in a Russian underground forum\r\nThese facts show how Brazilian cybercriminals are adopting new techniques as a result of collaboration with their\r\nEuropean counterparts. 
We believe this is only the tip of the iceberg, as this kind of exchange tends to increase\r\nover the years as Brazilian crime develops and looks for new ways to attack businesses and regular people.\r\nConclusion\r\nCybercrime in Brazil has changed drastically in the last few years, as it shifted from simple keyloggers built from\r\npublic source code to tailored remote administration tools that can run a complete attack by using the victim\r\nmachine.\r\nMalware that used to show a phishing screen as soon as it was executed is now completely reactive and waits for a\r\nvalid session in order to start the job.\r\nThat means that the criminals are investing much more money and time in order to develop their malicious code,\r\nenhancing anti-debugging techniques and then running the malware undetected for much longer.\r\nAs we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange\r\ninformation, malware source code and services that will be used in Brazilian attacks. We can see that many of the\r\nattacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in\r\nRussian attacks.\r\nBased on that, we can expect to find Brazilian malware with enhanced code obfuscations, anti-debugging tricks,\r\nencryption algorithms and secure communications making our work much harder than now.\r\nSource: https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat"
	],
	"report_names": [
		"#rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1af033d7c8457237141ee6bc66be8d7637f21d70.pdf",
		"text": "https://archive.orkl.eu/1af033d7c8457237141ee6bc66be8d7637f21d70.txt",
		"img": "https://archive.orkl.eu/1af033d7c8457237141ee6bc66be8d7637f21d70.jpg"
	}
}