unclassified-pe32-nfe-loader: ded59ec4 — MinGW AES-like dropper, Brazilian NFe lure

Executive Summary

A stripped PE32 DLL (487 KB, May 2026 compilation) built with MinGW GCC. It decrypts an embedded payload from .rdata with a custom AES-like block cipher, drops it to %TEMP%\wnd_<hex>.exe, elevates via ShellExecuteExA with the Portuguese lure string "Reemitir_NotaFiscal", and deletes both the dropped file and the original DLL. No C2 strings are visible; all Win32 APIs are resolved at runtime via GetProcAddress after a string-decryption bootstrap. Static-only — CAPE skipped due to no Windows guest.

What It Is

Family ascription: unclassified-pe32-nfe-loader (low confidence). The Portuguese string "Reemitir_NotaFiscal" («Reissue Tax Invoice») places the lure in the Brazilian NFe certificate-fraud ecosystem, but the MinGW build stack and custom AES-like cipher differ sharply from the Delphi/VCL-based nfedigitalcom cluster ^[entities/nf edigitalcom.md]. No other sample in the corpus shares these strings. ^[strings.txt:55]

How It Works

Bootstrap — String Decryption & API Resolution

1. String decryption. fcn.68005870 walks every obfuscated C-string in .rdata and in-place decrypts it with a single-byte XOR key that varies per string (keys: 0xC6, 0x9A, 0x43, 0x1C, 0x7A, 0xBF, 0xA1, 0x67, 0x2D, 0xE4, 0xE5 …). ^[r2:fcn.68005870]
2. Import table minimalism. The binary exposes only 12 imports through the IAT: DeleteFileA, GetModuleHandleA, GetProcAddress, LoadLibraryA from KERNEL32.dll; SHGetFileInfoA, SHGetSpecialFolderPathA, ShellExecuteExA from SHELL32.dll; GetDC, GetDesktopWindow, GetSystemMetrics, ReleaseDC from USER32.dll; and GetStockObject from GDI32.dll. ^[pefile.txt:332]
3. Dynamic thunk table. fcn.680066e0 resolves ~25 additional APIs by passing encrypted names to GetProcAddress / LoadLibraryA and stores the resulting pointers in a global table starting at 0x68078228. Notable resolved APIs: VirtualAlloc, VirtualFree, CreateFileA, ReadFile, WriteFile, GetTempPathA, GetTempFileNameA, MoveFileA, DeleteFileA, ShellExecuteExA, SHGetSpecialFolderPathA. ^[r2:fcn.680066e0]
4. Environment fingerprinting. fcn.68007540 calls GetSystemMetrics (0, 0x4E, 0x4F = screen width, monitor count, virtual-screen width), GetStockObject, GetDesktopWindow, GetDC, SHGetSpecialFolderPathA(CSIDL_APPDATA=0x1A), and SHGetFileInfoA("C:"). Each result is XOR-accumulated into dword [0x68078224], producing a fingerprint hash. This is likely an anti-sandbox / anti-VM gate. ^[r2:fcn.68007540]

Payload Decryption & Execution

5. Key schedule & S-box generation. fcn.680080b0 generates a 256-byte substitution table at 0x68078120 using a custom affine transform (rotations, XORs, final constant 0x63) — structurally similar to AES S-box generation but with a simplified inverse step. fcn.68008100 derives round keys from a 32-byte seed. ^[r2:fcn.680080b0] ^[r2:fcn.68008100]
6. Block cipher. fcn.68008230 implements a 16-byte block cipher with: (a) byte-permutation matching AES ShiftRows, (b) SubBytes via section..text2 (a 256-byte lookup table in the .text2 section), (c) XOR with round keys, and (d) an inverse permutation block. This is best described as a lightweight AES-128-like custom cipher. ^[r2:fcn.68008230]
7. Decryption loop. fcn.68008580 allocates a 0x8000-byte buffer (VirtualAlloc), runs the block cipher over the embedded ciphertext, and XORs the result with a keystream to produce the plaintext payload. ^[r2:fcn.68008580]
8. Drop & execute. MainCall (export ordinal 2) builds a temp path %TEMP%\wnd_<hex>.exe, writes the decrypted payload, and launches it via ShellExecuteExA with the verb "runas" and window title "Reemitir_NotaFiscal". ^[r2:sym.core.dll_MainCall] ^[strings.txt:55]
9. Self-erasure. After the child process is created, the DLL overwrites its internal key buffers with nulls and calls DeleteFileA against both the dropped .exe and the original DLL. ^[r2:fcn.680086f0]

Artifacts & Embedded Data

Decompiled Behavior

Entry point (DllMain@12): Returns 1 immediately; does nothing. This is a decoy entry to defeat naive DLL-load analysis. ^[r2:entry0]

Real entry (MainCall):

• Calls fcn.68005870 → decrypt all strings.
• Calls fcn.680074f0 → resolve LoadLibraryA / GetProcAddress thunks.
• Calls fcn.680066e0 → resolve extended API table.
• Calls fcn.68007780 → PRNG / key schedule (produces internal state stored at 0x680782c0).
• Calls fcn.68007540 → environment fingerprint (stores hash at 0x68078224).
• If fingerprint passes, calls fcn.68006ea0 → derive temp path.
• Calls fcn.68007260 → likely sets up the 0xBB8 ms delay (Sleep(3000)).
• Calls fcn.68008580 → decrypt embedded payload.
• Calls fcn.680086f0 → ShellExecuteExA with "runas", window title "Reemitir_NotaFiscal".
• Calls DeleteFileA on original DLL and cleans handles. ^[r2:sym.core.dll_MainCall]

C2 Infrastructure

No hardcoded domains, IPs, or URLs recovered. The binary is a pure dropper — all network activity would occur in the decrypted data.bin payload. The static footprint is clean by design. ^[strings.txt]

Interesting Tidbits

• Linguistic clue: "Reemitir_NotaFiscal" and the sample_token_* naming convention (English tokens with hex suffixes) suggest a Brazilian-Portuguese operator with English-language tooling or config. ^[strings.txt:55]
• Chaff density: ~90% of the .rdata section is repeated MIT-license text, XML stubs, and fake HTTP/JSON payloads. This serves two purposes: inflating entropy to mask the real ciphertext, and polluting string-based signatures. ^[binwalk.txt] ^[strings.txt:58-96]
• Recent compilation: May 15 2026 — less than one month old at time of analysis. Fast turnaround between build and MalwareBazaar upload. ^[pefile.txt:38]
• Anti-debug by omission: No overt IsDebuggerPresent or NtQueryInformationProcess checks; instead, the binary relies on GetSystemMetrics fingerprinting and the minimal IAT to delay analysis. ^[r2:fcn.68007540]
• Dynamic-analysis resistant: CAPE could not detonate because no Windows guest exists. Static-only. ^[dynamic-analysis.md]

How To Mess With It (Homelab Replication)

Toolchain: MinGW-w64 i686-w64-mingw32-gcc 13.x (or similar) Target: PE32 DLL, Windows GUI subsystem

1. Write a minimal DLL with a dummy DllMain and a real MainCall export.
2. Embed an encrypted payload in .rdata using a simple AES-128 ECB or CBC encryption.
3. Implement a string-decryption bootstrap: store XOR-encrypted strings in .rdata, decrypt at DllMain or MainCall.
4. Resolve APIs dynamically with LoadLibraryA → GetProcAddress and store in a global function-pointer table.
5. Add environment fingerprinting via GetSystemMetrics(0), GetSystemMetrics(0x4E), GetSystemMetrics(0x4F), SHGetSpecialFolderPathA(0x1A), and XOR-fold the results into a sanity-check hash.
6. Verify: run strings on your reproducer — the real strings should not appear until after the XOR bootstrap executes.

Deployable Signatures

YARA Rule

rule unclassified_pe32_nfe_loader {
    meta:
        description = "MinGW PE32 DLL dropper with AES-like decryption, Brazilian NFe lure"
        author = "PacketPursuit"
        date = "2026-06-06"
        hash = "ded59ec4522cc19e2ae926ba1938452f70d8739d687154b9150141dc79af294c"
    strings:
        $s1 = "Reemitir_NotaFiscal" ascii wide
        $s2 = "data.bin" ascii wide
        $s3 = "perm.bin" ascii wide
        $s4 = "sample_token_" ascii wide
        $s5 = "0123456789abcdef" ascii wide
        $s6 = "wnd_" ascii wide
        $s7 = "runas" ascii wide
        // MIT license chaff (repeated)
        $chaff = "Permission is hereby granted, free of charge, to any person obtaining a copy of this software" ascii
    condition:
        uint16(0) == 0x5A4D and
        pe.is_dll() and
        pe.machine == pe.MACHINE_I386 and
        pe.number_of_sections == 9 and
        pe.linker_version.major == 2 and
        pe.linker_version.minor == 44 and
        pe.section_named(".text2") and
        4 of ($s*) and
        $chaff
}

Sigma Rule

title: Brazilian NFe Loader Dropper Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - CommandLine|contains: 'Reemitir_NotaFiscal'
        - CommandLine|contains: 'runas'
        - ParentImagePath|endswith: 'core.dll'
        - ImagePath|re: '\\wnd_[0-9a-f]{8}\.exe'
    condition: selection
falsepositives:
    - Unlikely; the string combination is specific to this malware family.
level: high

IOC List

Behavioral Fingerprint

On execution, this DLL immediately resolves LoadLibraryA, GetProcAddress, and ~20 additional Win32 APIs via a global thunk table. It calls GetSystemMetrics three times (screen width, monitor count, virtual-screen width), GetStockObject, SHGetSpecialFolderPathA(CSIDL_APPDATA), and SHGetFileInfoA, XOR-folding the results into a 32-bit hash. Within ~3 seconds it allocates a 32 KB memory buffer, decrypts an embedded payload with a 16-byte block cipher resembling AES (ShiftRows + SubBytes + round-key XOR), writes the plaintext to %TEMP%\wnd_<hex>.exe, and launches it elevated via ShellExecuteExA with the verb "runas" and the window title "Reemitir_NotaFiscal". Both the dropped file and the original DLL are deleted immediately after process creation.

Detection Signatures

References

• Artifact ID: 08874f85-8320-4522-8f53-19699084cf39 ^[metadata.json]
• MalwareBazaar / OpenCTI source (dll, malware-bazaar labels) ^[triage.json]
• Related entity: nfedigitalcom — different build stack (Delphi/VCL), shared Brazilian NFe targeting context

Provenance

• file / exiftool / pefile — static header parsing
• radare2 v5.9.8 — analysis level 3, decompilation via pdc
• strings — raw ASCII/Unicode extraction
• binwalk — embedded artifact enumeration
• capa — signatures not installed (skipped)
• floss — failed due to CLI flag typo (not re-run)
• CAPE — skipped, no Windows guest available

Analysis completed: 2026-06-06