Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time

A new phishing campaign targets Brazilian users with fake judicial summons to deliver agenteV2, a Nuitka-compiled interactive banking trojan. The malware establishes a persistent WebSocket backdoor for live screen streaming and remote shell access, enabling attackers to conduct real-time, operator-assisted financial fraud.

Sens: Immediate · Conf: high · Analyzed: 2026-04-24

Authors: Moises Cerqueira

Actors: agenteV2

Source: ANY.RUN

IOCs · 5

Key Takeaways

  • agenteV2 is an interactive banking trojan enabling real-time, operator-assisted financial fraud via live screen streaming and remote shell.
  • The initial vector is a highly convincing phishing email impersonating a Brazilian federal court summons with a password-protected PDF.
  • The malware uses a Pastebin dead-drop resolver to dynamically retrieve its C2 IP, making IP blocklists ineffective.
  • The core payload is a Nuitka-compiled Python DLL, evading traditional AV and complicating reverse engineering.
  • Persistence is achieved via two Scheduled Tasks running at highest privileges and a Registry Run key.

Affected Systems

  • Windows endpoints
  • Chromium-based browsers (Chrome, Edge, Brave, Opera)
  • Brazilian financial institutions (Itaú, Banco do Brasil, Caixa Econômica Federal, Bradesco, Santander, Inter, Stone)
  • Cryptocurrency wallet extensions

Attack Chain

The attack begins with a phishing email containing a password-protected PDF that tricks the user into downloading a VBS script. The VBS script downloads two executables (reiniciar.exe and wifi_driver.exe) and establishes persistence via Scheduled Tasks. wifi_driver.exe acts as a container that extracts and loads a Nuitka-compiled Python DLL (agenteV2_historico_detect.dll). This DLL resolves its C2 server via a Pastebin dead-drop, establishes a persistent WebSocket connection for live screen streaming and remote shell access, and clones browser databases to steal credentials.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ANY.RUN, Suricata

The article provides a YARA rule (Win_Stealer_AgenteV2_Nuitka) to detect the Nuitka-compiled core stealer DLL, and lists several Suricata SIDs for detecting the network behavior.

Detection Engineering Assessment

  • EDR Visibility: Medium — The malware uses in-memory execution and Nuitka compilation to evade static analysis, but its behavior (spawning schtasks, writing to Program Files, registry modifications) is highly visible to EDR.
  • Network Visibility: High — The malware uses a consistent JA3 fingerprint, beacons every ~60 seconds over port 8443, and resolves C2 via a public Pastebin URL, providing strong network detection opportunities.
  • Detection Difficulty: Moderate — While the payload is obfuscated and compiled to native code, the persistence mechanisms (schtasks /rl highest) and network patterns (Pastebin dead-drop, JA3 hash) provide reliable detection points.

Required Log Sources

  • Process Creation (Event ID 4688)
  • Scheduled Task Creation (Event ID 4698)
  • Registry Events (Event ID 4657)
  • Network Connections
  • File Creation

Hunting Hypotheses

  • Hypothesis: Look for WScript.exe spawning cmd.exe to create scheduled tasks with highest privileges. | Telemetry: Process Creation (Event ID 4688) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Search for non-browser processes initiating outbound TLS connections on port 8443. | Telemetry: Network Connections | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Identify processes writing PE files to unusual directories like C:\Program Files (x86)\Wi-fi. | Telemetry: File Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Monitor for network connections to pastebin.com/raw/* from non-browser processes. | Telemetry: Network Connections / DNS | ATT&CK Stage: Command and Control | FP Risk: Low

Control Gaps

  • Email gateway sandboxes failing to inspect password-protected PDFs
  • Traditional AV failing to detect Nuitka-compiled payloads

Key Behavioral Indicators

  • WScript.exe spawning cmd.exe with schtasks
  • Creation of C:\Program Files (x86)\Wi-fi\ directory
  • JA3 hash a48c0d5f95b1ef98f560f324fd275da1
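The four hunting hypotheses and the behavioral indicators above, folded into one hunting function. This is an added example, not ANY.RUN's or the report's own detection content; the event dict fields (type, image, parent_image, command_line, dst_port, url, ja3, path) are an assumed simplified schema, and the sample events are constructed from the indicators the report lists.

```python
import re

# Added example, not the report's own detection logic. The event dicts are a
# constructed, simplified stand-in for 4688 / network / file-creation telemetry.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
AGENTEV2_JA3 = "a48c0d5f95b1ef98f560f324fd275da1"  # JA3 client hash from the report
DROP_DIR = re.compile(r"^c:\\program files \(x86\)\\wi-fi\\", re.I)
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/raw/", re.I)


def hunt(event):
    """Return the hypothesis labels (H1..H4, JA3) that fire for one event."""
    hits, kind = [], event.get("type")
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if kind == "process":
        parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        cmd = event.get("command_line", "").lower()
        # H1: WScript.exe -> cmd.exe creating a scheduled task at highest run level
        if parent == "wscript.exe" and image == "cmd.exe" and "schtasks" in cmd \
                and "/create" in cmd and "/rl highest" in cmd:
            hits.append("H1")
    elif kind == "network":
        non_browser = image not in BROWSERS
        if non_browser and event.get("dst_port") == 8443:              # H2: TLS on 8443
            hits.append("H2")
        if non_browser and PASTEBIN_RAW.match(event.get("url", "")):   # H4: dead drop
            hits.append("H4")
        if event.get("ja3") == AGENTEV2_JA3:                            # known client JA3
            hits.append("JA3")
    elif kind == "file":
        path = event.get("path", "")  # H3: PE file dropped into the Wi-fi directory
        if DROP_DIR.match(path) and path.lower().endswith((".exe", ".dll")):
            hits.append("H3")
    return hits


SAMPLE_EVENTS = [  # constructed; paths and commands mirror the report's indicators
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c schtasks /create /f /tn "RunAsAdmin_Executar" /rl highest'},
    {"type": "file", "path": r"C:\Program Files (x86)\Wi-fi\wifi_driver.exe"},
    {"type": "network", "image": r"C:\Program Files (x86)\Wi-fi\wifi_driver.exe",
     "url": "https://pastebin.com/raw/0RmxqY57", "dst_port": 443},
    {"type": "network", "image": r"C:\Program Files (x86)\Wi-fi\wifi_driver.exe",
     "dst_port": 8443, "ja3": AGENTEV2_JA3},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_port": 443},  # ordinary browser traffic: must stay quiet
]


def hunt_all(events=SAMPLE_EVENTS):
    """Map event index -> fired hypotheses, omitting events that trigger nothing."""
    return {i: hunt(e) for i, e in enumerate(events) if hunt(e)}
```

Only the browser event stays silent; the C2 beacon fires both the port-8443 and JA3 checks, which is the overlap the Network Visibility assessment relies on.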

False Positive Assessment

  • Low - The combination of specific JA3 hashes, Pastebin URLs, and specific directory paths like C:\Program Files (x86)\Wi-fi\ makes the IOCs highly specific to this threat.

Recommendations

Immediate Mitigation

  • Block domains odaracani.online and nuevaprodeciencia.club
  • Block IPs 69.49.241.120 and 38.242.246.176
  • Isolate hosts showing signs of compromise
  • Reset all banking, email, and crypto passwords for affected users

Infrastructure Hardening

  • Implement network detection rules for JA3 hash a48c0d5f95b1ef98f560f324fd275da1
  • Deploy Suricata rules for WinHTTP EXE downloads
  • Block or alert on access to pastebin.com/raw/0RmxqY57

User Protection

  • Deploy behavioral EDR rules to catch WScript.exe spawning schtasks
  • Monitor for unauthorized creation of scheduled tasks with highest privileges

Security Awareness

  • Train employees to recognize fake judicial summons and the risks of password-protected PDFs
  • Establish a clear reporting process for suspicious legal or financial emails

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1204.002 - User Execution: Malicious File
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1140 - Deobfuscate/Decode Files or Information
  • T1027 - Obfuscated Files or Information
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1105 - Ingress Tool Transfer
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1113 - Screen Capture
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1571 - Non-Standard Port
  • T1012 - Query Registry
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1057 - Process Discovery
  • T1518.001 - Software Discovery: Security Software Discovery
  • T1102.001 - Web Service: Dead Drop Resolver
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • IPs:
    • 69[.]49[.]241[.]120 - Shared IP for both delivery domains
    • 172[.]66[.]171[.]73 - Cloudflare proxy for Pastebin dead-drop
  • Domains:
    • vmi3003111[.]contaboserver[.]net - C2 server hostname
  • URLs:
    • hxxps://odaracani[.]online/index.php?id=3df947b3 - Gate unique per-victim tracking ID
    • hxxps://nuevaprodeciencia[.]club/cert.php - Redirect chain step 1
    • hxxps://nuevaprodeciencia[.]club/cord.php - Redirect chain step 2
    • hxxps://nuevaprodeciencia[.]club/br77b/download.php - Redirect to payload landing
    • hxxps://nuevaprodeciencia[.]club/br77b/arquivos/download.php?id_69bb7d47c15e9 - Payload landing page
    • hxxps://nuevaprodeciencia[.]club/br77b/arquivos/download/base.php?LpHQPCBwX=766760 - Configuration / stage data
    • hxxps://nuevaprodeciencia[.]club/br77b/arquivos/download/reiniciar.exe - Payload: reiniciar.exe
    • hxxps://nuevaprodeciencia[.]club/br77b/arquivos/download/msedge03.exe - Payload: msedge03.exe
    • hxxps://nuevaprodeciencia[.]club/br77b/arquivos/download/msedge04.exe - Payload: wifi_driver.exe (served as msedge04.exe)
    • hxxps://nuevaprodeciencia[.]club/br77b/iayjaskyeiagds.php - C2 initial checkin endpoint (called by VBS loader)
  • File Hashes:
    • 285fea57345d838916153c4d8f43ab6c (MD5) - intimacaojudicial.eml
    • 8a87d63110eeb782bb621b5f3154ca80bdcf5de7 (SHA1) - intimacaojudicial.eml
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MonitorSystem - Registry Run key for persistence
  • File Paths:
    • C:\Program Files (x86)\Wi-fi\wifi_driver.exe - Container binary
    • C:\Program Files (x86)\Wi-fi\reiniciar.exe - Secondary container
    • C:\Users\*\Downloads\0124_INTMACAO_.vbs - VBS Loader (delivered)
    • C:\Users\*\AppData\Local\Temp\0124_INTMACAO_.vbs - VBS Loader (decoded)
    • C:\Users\*\AppData\Local\Temp\onefile_*\agenteV2_historico_detect.dll - Core stealer DLL
  • Command Lines:
    • Purpose: Create scheduled task for persistence | Tools: schtasks.exe, cmd.exe | Stage: Persistence | cmd.exe /c schtasks /create /f /tn "RunAsAdmin_Executar"
    • Purpose: Create scheduled task for persistence | Tools: schtasks.exe, cmd.exe | Stage: Persistence | cmd.exe /c schtasks /create /f /tn "RunAsAdmin_AutoUpdate"
    • Purpose: Elevate privileges without UAC prompt | Tools: wscript.exe | Stage: Privilege Escalation | /elevated /fromtask
  • Other:
    • a48c0d5f95b1ef98f560f324fd275da1 - JA3 Client TLS fingerprint
    • 15af977ce25de452b96affa2addb1036 - JA3S Server TLS response fingerprint