type: entity
confidence: low
created: 2026-06-06
updated: 2026-06-06
tags: malware-family, loader, dropper, pe, banker, persistence, defense-evasion, c2, mitre-attck

unclassified-pe32-nfe-loader

Brazilian-Portuguese NFe-themed dropper family built with MinGW GCC. Distinguished by a custom AES-like 16-byte block cipher for payload decryption, runtime API resolution via GetProcAddress, environment fingerprinting via GetSystemMetrics, and the lure string Reemitir_NotaFiscal. One payload sample is known as of June 2026, plus a 4 KB launcher stub sharing its build timestamp.

Overview

The unclassified-pe32-nfe-loader cluster is a stripped PE32 DLL dropper whose sole known payload sample (ded59ec4) was uploaded to MalwareBazaar in May 2026. It targets the Brazilian Nota Fiscal Eletrônica (NFe) ecosystem using a Portuguese-language social-engineering lure (Reemitir_NotaFiscal, "reissue tax invoice"). The binary decrypts an embedded second-stage payload with a lightweight 16-byte block cipher, drops it to %TEMP%\wnd_<hex>.exe, requests elevation through ShellExecuteExA with the runas verb (a UAC consent prompt, not a bypass), and then deletes both the dropped executable and itself.
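The drop-execute-erase chain described above is short-lived on disk, so it is easier to catch from file and process telemetry than from the dropped binary itself. The following is an added example, not part of this page or of any analysis linked from it: a small correlator over constructed Sysmon-style events (the page records no detonation, so these lines are invented for illustration; the launcher path, user name and core.dll location are hypothetical) that matches the %TEMP%\wnd_<hex>.exe naming, the elevated child process and the self-deletion by the dropping process, and scores how much of the chain was observed.

```python
import re
from collections import defaultdict

# Constructed telemetry in a minimal "<time> <event> key=value ..." form.
# Written for this example only: the page records no sandbox run of the sample,
# so these lines illustrate the chain the static analysis describes, not data
# observed from the sample. Parent image and DLL path are hypothetical.
SAMPLE_EVENTS = [
    r'10:00:01 FileCreate pid=4120 image=C:\Users\ana\Downloads\nfe\launcher.exe target=C:\Users\ana\AppData\Local\Temp\wnd_3fa9c2e1.exe',
    r'10:00:02 ProcessCreate pid=4188 ppid=4120 image=C:\Users\ana\AppData\Local\Temp\wnd_3fa9c2e1.exe cmdline="C:\Users\ana\AppData\Local\Temp\wnd_3fa9c2e1.exe" integrity=High',
    r'10:00:03 FileDelete pid=4120 image=C:\Users\ana\Downloads\nfe\launcher.exe target=C:\Users\ana\AppData\Local\Temp\wnd_3fa9c2e1.exe',
    r'10:00:03 FileDelete pid=4120 image=C:\Users\ana\Downloads\nfe\launcher.exe target=C:\Users\ana\Downloads\nfe\core.dll',
    # Benign control: same prefix, but "report" is not hex, so it must not match.
    r'10:05:00 FileCreate pid=5000 image="C:\Program Files\Updater\updater.exe" target=C:\Users\ana\AppData\Local\Temp\wnd_report.exe',
]

# %TEMP%\wnd_<hex>.exe as reported for the sample; the hex width is not given on
# the page, so a 4..16 digit range is assumed here.
WND_PATH = re.compile(r'\\Temp\\wnd_[0-9a-f]{4,16}\.exe$', re.IGNORECASE)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one telemetry line into a dict; quoted values keep their spaces."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["ts"] = ts
    fields["kind"] = kind
    return fields


def detect_wnd_chain(lines):
    """Correlate create -> execute -> delete for wnd_<hex>.exe drops.

    Score per dropped path: 1 for the drop, +1 if it was executed, +1 if the new
    process ran at High integrity (consistent with a granted runas prompt), +1 if
    the process that dropped it also deleted it, +1 if that same process deleted
    another file too (the self-erase of the original DLL).
    """
    state = defaultdict(lambda: {"created_by": None, "executed": False,
                                 "elevated": False, "deleted_by": None})
    other_deletes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        target = ev.get("target", "").lower()
        image = ev.get("image", "").lower()
        if ev["kind"] == "FileCreate" and WND_PATH.search(target):
            state[target]["created_by"] = ev["pid"]
        elif ev["kind"] == "ProcessCreate" and WND_PATH.search(image):
            state[image]["executed"] = True
            state[image]["elevated"] = ev.get("integrity") == "High"
        elif ev["kind"] == "FileDelete":
            if WND_PATH.search(target):
                state[target]["deleted_by"] = ev["pid"]
            else:
                other_deletes[ev["pid"]].append(target)

    findings = []
    for path, rec in state.items():
        score = 1 + int(rec["executed"]) + int(rec["elevated"])
        score += int(rec["deleted_by"] is not None and rec["deleted_by"] == rec["created_by"])
        score += int(rec["created_by"] in other_deletes)
        findings.append({
            "path": path,
            "score": score,
            "dropper_pid": rec["created_by"],
            "also_deleted": other_deletes.get(rec["created_by"], []),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in detect_wnd_chain(SAMPLE_EVENTS):
        print(f"{f['score']}/5 {f['path']} dropped by pid {f['dropper_pid']}, "
              f"also deleted: {f['also_deleted']}")
```

The regex deliberately requires hex digits after wnd_, so installers that happen to use a wnd_ prefix do not fire on the name alone; the score then separates a lone drop (1/5) from the full drop, elevated execution and double deletion the analysis describes (5/5).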

Build Stack

  • Compiler: GCC/MinGW (i686-w64-mingw32) — linker version 2.44, 9 sections including .text2 ^[sample ded59ec4/rabin2-info.txt]
  • Language: C (rabin2 lang: c)
  • Form factor: PE32 DLL, Windows GUI subsystem
  • Size: 487 KB — moderate; .rdata dominated by repeated MIT-license chaff (~90% filler)
  • Signing: Unsigned
  • Stripping: Full strip (no symbols, no PDB)

Deploy / TTPs

  • Defence Evasion (T1027 Obfuscated Files or Information): custom AES-like 16-byte block cipher decrypts the embedded payload at runtime; strings are XOR-encrypted per string with varying keys.
  • Defence Evasion (T1497 Virtualization/Sandbox Evasion): fingerprinting gate built from GetSystemMetrics (screen width, monitor count, virtual-screen width; the SM_CXSCREEN, SM_CMONITORS and SM_CXVIRTUALSCREEN indices), GetStockObject, SHGetSpecialFolderPathA(CSIDL_APPDATA) and SHGetFileInfoA. Results are XOR-folded into a 32-bit hash, so a sandbox with an unusual display configuration can fail the gate.
  • Privilege Escalation (user-consented UAC prompt; nearest ATT&CK mapping is T1548.002, which strictly covers bypasses): ShellExecuteExA with the "runas" verb and the lure string "Reemitir_NotaFiscal" as the window title.
  • Execution (T1106 Native API): decrypted payload written to %TEMP%\wnd_<hex>.exe and launched as a separate process. Not process injection (T1055): the payload runs in its own process.
  • Indicator Removal (T1070.004 File Deletion): DeleteFileA against both the dropped .exe and the original DLL.
  • Discovery (T1082 System Information Discovery): system metrics enumeration (screen resolution, monitor count), feeding the T1497 gate above.
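The per-string XOR scheme noted under T1027 is the part of this sample an analyst recovers first, since the API names and the lure string are needed to follow the rest. The following is an added example, not code from the page or from any linked analysis: a decoder that ranks single-byte keys by how plausible the resulting C string looks. The page states that keys vary per string but not the key width, so a one-byte key per string and an encrypted NUL terminator are assumptions made here, and the ciphertexts are constructed for the example from strings the page attributes to the sample.

```python
# Per-string XOR recovery for a stripped loader whose strings are encrypted
# with a different key each. Assumptions (not facts from the sample):
#   1. one key byte per string;
#   2. the NUL terminator was encrypted along with the text, so the true key
#      is the only one that decodes the final byte to 0x00.
# The fixtures below are constructed for this example, not extracted bytes.

PRINTABLE = set(range(0x20, 0x7F))
VOWELS = set(b"aeiouAEIOU")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def score_plaintext(pt: bytes) -> int:
    """Heuristic 'looks like a C string' score.

    Body bytes: lowercase 3, uppercase 2, vowels +1, digits/space/_/./\\ 1,
    other printable 0, control bytes -10. Final byte: +5 if it is the NUL
    terminator, -10 if it is a non-printable non-NUL byte.
    """
    score = 0
    body, last = pt[:-1], pt[-1:]
    for b in body:
        if 0x61 <= b <= 0x7A:
            score += 3
        elif 0x41 <= b <= 0x5A:
            score += 2
        elif b in b"0123456789 _.\\":
            score += 1
        elif b not in PRINTABLE:
            score -= 10
        if b in VOWELS:
            score += 1
    if last == b"\x00":
        score += 5
    elif last and last[0] not in PRINTABLE:
        score -= 10
    return score


def rank_keys(ct: bytes):
    """All 256 single-byte keys as (score, key, plaintext), best first."""
    cands = [(score_plaintext(xor_bytes(ct, k)), k, xor_bytes(ct, k)) for k in range(256)]
    cands.sort(key=lambda c: (-c[0], c[1]))
    return cands


def decode_string(ct: bytes) -> str:
    """Best-scoring plaintext with the terminator stripped."""
    _, _, pt = rank_keys(ct)[0]
    return pt.rstrip(b"\x00").decode("latin-1")


def encrypt_string(s: str, key: int) -> bytes:
    """Fixture builder only: XOR the text plus its NUL under one key."""
    return xor_bytes(s.encode("latin-1") + b"\x00", key)


# Constructed fixtures: the lure and two API names the page ties to the sample,
# each under its own key, as the per-string scheme implies. Keys are arbitrary.
SAMPLE_STRINGS = {
    "Reemitir_NotaFiscal": 0x5A,
    "ShellExecuteExA": 0xC3,
    "runas": 0x17,
}
ENCRYPTED = [encrypt_string(s, k) for s, k in SAMPLE_STRINGS.items()]


def decode_all(blobs):
    """(recovered key, plaintext) for each encrypted string."""
    return [(rank_keys(ct)[0][1], decode_string(ct)) for ct in blobs]


if __name__ == "__main__":
    for key, text in decode_all(ENCRYPTED):
        print(f"key=0x{key:02x} {text!r}")
```

For a string as short as "runas" printability alone cannot separate the true key from neighbours such as key^7, which also yields five lowercase letters; the terminator bonus is what breaks the tie, which is why the encrypted-NUL assumption matters and should be checked against the real blob layout before trusting recovered keys.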

Variants / Aliases

  • ded59ec4 — 487 KB encrypted payload DLL, May 2026 build
  • ac20be18 — 4 KB launcher stub, same build timestamp, loads core.dllMainCall

Capabilities

  • custom-aes-like-payload-decryption
  • runtime-api-resolution-getprocaddress
  • environment-fingerprinting-getsystemmetrics
  • shell-elevate-runas
  • self-deletion-post-execution
  • portuguese-nfe-social-engineering-lure
  • mit-license-chaff-padding

Notable Analyses

  • /intel/analyses/ded59ec4522cc19e2ae926ba1938452f70d8739d687154b9150141dc79af294c.html — Deep static analysis of payload DLL (no CAPE detonation)
  • /intel/analyses/ac20be185f5e5d931516336e80d7c3fd3adda6519418877de50181acf6986873.html — Launcher stub analysis: 4 KB MinGW PE32, same build timestamp, loads core.dllMainCall

Related Entities

  • nfedigitalcom — Brazilian Delphi/VCL-based NFe certificate-stealing family; different build stack but shared targeting context.