Banco de la República (eBROU) Phishing Kit g5d6u78z

Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit. Deployed often on replit.com.

References

IOK Rule (edit)

title: Banco de la República (eBROU) Phishing Kit g5d6u78z
description: |
    Detects a Banco de la República phishing kit using a form action URL and CSS files that only appear in this kit.
    Deployed often on `replit.com`.
references:
  - https://urlscan.io/result/cc2a1241-1e5f-4062-acb8-1f03f0f381ae/
  - https://ebanking.brou.com.uy/frontend/loginStep1

detection:

  form:
    html|contains:
      - action="index2.php"
      
  image:
    requests|contains: 'selectArrowDown.b3a49a7d.svg'

  css:
    html|contains|all:
      - 2.d18bb301.chunk.css
      - main.8d29879f.chunk.css

  condition: (form and css and image) or (form and css)

tags:
  - kit
  - target.banco_de_la_republica
  - target_country.uruguay