SYMBOLCOMMON_NAMEaka. SYNONYMS
win.remexi (Back to overview)

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer

There is no description at this point.

References
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14Twitter (@QW5kcmV3)Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299, author = {Andrew Thompson}, title = {{Tweet on unpacking Remexi payload}}, date = {2019-02-14}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1095833216605401088}, language = {English}, urldate = {2020-01-27} } Tweet on unpacking Remexi payload
Remexi
2019-01-30Kaspersky LabsDenis Legezo
@online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28SymantecSecurity Response Attack Investigation Team
@online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2015-12-07SymantecSymantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
2015-12-07SymantecSecurity Response
@online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
Yara Rules
[TLP:WHITE] win_remexi_auto (20230125 | Detects win.remexi.)
rule win_remexi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.remexi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 8b35???????? 890d???????? 68???????? 41 50 a3???????? c705????????02000000 }
            // n = 7, score = 200
            //   8b35????????         |                     
            //   890d????????         |                     
            //   68????????           |                     
            //   41                   | inc                 ecx
            //   50                   | push                eax
            //   a3????????           |                     
            //   c705????????02000000     |     

        $sequence_2 = { 8945e0 8945e4 8945e8 b802000000 51 }
            // n = 5, score = 200
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2
            //   51                   | push                ecx

        $sequence_3 = { 890d???????? ffd6 6a00 6a00 }
            // n = 4, score = 200
            //   890d????????         |                     
            //   ffd6                 | call                esi
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { 8bf0 51 56 ff15???????? 85c0 }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { e8???????? 83ec1c 8bcc 89642430 6aff 53 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89642430             | mov                 dword ptr [esp + 0x30], esp
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_6 = { c705????????01000000 c705????????00000000 ff15???????? 8b0d???????? 51 ff15???????? }
            // n = 6, score = 200
            //   c705????????01000000     |     
            //   c705????????00000000     |     
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_7 = { 57 894710 ff15???????? 6a00 6a00 6a01 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1

        $sequence_8 = { 53 50 ff15???????? 3dffffff00 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3dffffff00           | cmp                 eax, 0xffffff

        $sequence_9 = { ff15???????? 6a10 8d4ddc 8bf0 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax

        $sequence_10 = { 8b5104 50 8955e0 ff15???????? }
            // n = 4, score = 200
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   50                   | push                eax
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   ff15????????         |                     

        $sequence_11 = { ff15???????? 8bf0 85f6 7513 8b45d8 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_12 = { c705????????01000000 c705????????00000000 ffd6 83ffff 7407 }
            // n = 5, score = 200
            //   c705????????01000000     |     
            //   c705????????00000000     |     
            //   ffd6                 | call                esi
            //   83ffff               | cmp                 edi, -1
            //   7407                 | je                  9

        $sequence_13 = { eb0a 4839942480000000 74d6 4d85ff }
            // n = 4, score = 100
            //   eb0a                 | jmp                 0xc
            //   4839942480000000     | dec                 eax
            //   74d6                 | cmp                 dword ptr [esp + 0x80], edx
            //   4d85ff               | je                  0xffffffd8

        $sequence_14 = { ff15???????? 85c0 7424 837c242403 751d b9e8030000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   85c0                 | dec                 ebp
            //   7424                 | test                edi, edi
            //   837c242403           | test                eax, eax
            //   751d                 | je                  0x26
            //   b9e8030000           | cmp                 dword ptr [esp + 0x24], 3

        $sequence_15 = { 488d15158b0100 4c63c8 418d4902 83f901 }
            // n = 4, score = 100
            //   488d15158b0100       | lea                 ecx, [esp + 0x510]
            //   4c63c8               | dec                 eax
            //   418d4902             | mov                 dword ptr [esp + 0x518], 0
            //   83f901               | dec                 eax

        $sequence_16 = { e8???????? cc 488d0da6ff0100 e8???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   cc                   | lea                 edx, [0x133d9]
            //   488d0da6ff0100       | dec                 eax
            //   e8????????           |                     

        $sequence_17 = { 0f85f9020000 66833b43 7531 66394b02 752b 4c8d05f7380100 }
            // n = 6, score = 100
            //   0f85f9020000         | mov                 ecx, ebx
            //   66833b43             | dec                 eax
            //   7531                 | lea                 edx, [0x18b15]
            //   66394b02             | dec                 esp
            //   752b                 | arpl                ax, cx
            //   4c8d05f7380100       | inc                 ecx

        $sequence_18 = { 90 48c784240805000000000000 488d8c2410050000 e8???????? 48c784241805000000000000 }
            // n = 5, score = 100
            //   90                   | jne                 0x1f
            //   48c784240805000000000000     | mov    ecx, 0x3e8
            //   488d8c2410050000     | nop                 
            //   e8????????           |                     
            //   48c784241805000000000000     | dec    eax

        $sequence_19 = { ff15???????? 488d15d9330100 483305???????? 488bcb }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d15d9330100       | mov                 dword ptr [esp + 0x508], 0
            //   483305????????       |                     
            //   488bcb               | dec                 eax

        $sequence_20 = { ff15???????? 488bd8 4885c0 0f8481000000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488bd8               | lea                 ecx, [ecx + 2]
            //   4885c0               | cmp                 ecx, 1
            //   0f8481000000         | int3                

    condition:
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
rule win_remexi_w0 {
    meta:
        author = "Symantec"
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */ 
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    condition:
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}
Download all Yara Rules