win.remexi (Back to overview)

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer


Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware uses various propagation vectors, including exploit kits, social engineering, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and relies on command-and-control infrastructure to receive and execute malicious commands. It has keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute further payloads, making it adaptable and able to evolve its malicious activity over time.

References
2020-05-21BitdefenderBogdan Rusu, Liviu Arsene
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020-01-01SecureworksSecureWorks
COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14Twitter (@QW5kcmV3)Andrew Thompson
Tweet on unpacking Remexi payload
Remexi
2019-01-30Kaspersky LabsDenis Legezo
Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28SymantecSecurity Response Attack Investigation Team
Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2015-12-07SymantecSymantec
Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
2015-12-07SymantecSecurity Response
Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
Yara Rules
[TLP:WHITE] win_remexi_auto (20260504 | Detects win.remexi.)
rule win_remexi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.remexi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): reading the sequences below.
     * Each $sequence_N is a run of instruction encodings; the "n = X" line is
     * the number of instructions in the run and "score" is the generator's
     * ranking of it.  "????????" groups are YARA wildcards standing in for
     * call/jump targets and absolute data addresses (the bytes after e8, ff15,
     * a3, 8b0d, 890d, c705, bf, e9 ...) that differ between builds.
     * Sequences 14, 18, 19, 21, 23, 25, 26 and 28 contain 0x48/0x4c REX.W
     * prefixes and therefore come from a 64-bit build.  The upstream
     * autogenerated annotations decoded these as 32-bit code and were shifted
     * against the bytes; they have been re-annotated here as x86-64 by hand
     * from the hex - confirm against a disassembler before relying on them.
     * Branch targets are given relative to the start of the instruction, as in
     * the generator's own annotations.  The sequence bytes themselves are
     * untouched; only the comments changed.
     */

    strings:
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 50 ff15???????? 8b0d???????? 8b35???????? 890d???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   8b35????????         |                     
            //   890d????????         |                     

        $sequence_2 = { ff15???????? 6a10 8d4ddc 8bf0 51 56 ff15???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_3 = { 41 50 a3???????? c705????????02000000 890d???????? ffd6 }
            // n = 6, score = 200
            //   41                   | inc                 ecx
            //   50                   | push                eax
            //   a3????????           |                     
            //   c705????????02000000     |     
            //   890d????????         |                     
            //   ffd6                 | call                esi

        $sequence_4 = { e8???????? 83ec1c 8bcc 89642430 6aff 53 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89642430             | mov                 dword ptr [esp + 0x30], esp
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_5 = { 8945e8 b802000000 51 668945dc }
            // n = 4, score = 200
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2
            //   51                   | push                ecx
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax

        $sequence_6 = { 8b45d8 8b4818 8b5104 50 8955e0 }
            // n = 5, score = 200
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   50                   | push                eax
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx

        $sequence_7 = { 8907 894704 894708 6a01 89470c }
            // n = 5, score = 200
            //   8907                 | mov                 dword ptr [edi], eax
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   6a01                 | push                1
            //   89470c               | mov                 dword ptr [edi + 0xc], eax

        $sequence_8 = { ff15???????? 8bf0 85f6 7513 8b45d8 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_9 = { 53 50 ff15???????? 3dffffff00 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3dffffff00           | cmp                 eax, 0xffffff

        $sequence_10 = { 53 83cbff 57 8b3d???????? }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   83cbff               | or                  ebx, 0xffffffff
            //   57                   | push                edi
            //   8b3d????????         |                     

        $sequence_11 = { c705????????ffffffff c705????????01000000 c705????????00000000 ffd6 83ffff 7407 }
            // n = 6, score = 200
            //   c705????????ffffffff     |     
            //   c705????????01000000     |     
            //   c705????????00000000     |     
            //   ffd6                 | call                esi
            //   83ffff               | cmp                 edi, -1
            //   7407                 | je                  9

        $sequence_12 = { 8945e0 8945e4 8945e8 b802000000 }
            // n = 4, score = 200
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2

        $sequence_13 = { 014b30 bf???????? b903000000 8b742418 }
            // n = 4, score = 100
            //   014b30               | add                 dword ptr [ebx + 0x30], ecx
            //   bf????????           |                     
            //   b903000000           | mov                 ecx, 3
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]

        $sequence_14 = { 488d058da00100 c3 4053 4883ec20 488bd9 488d0d7ca00100 483bd9 }
            // n = 7, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488d058da00100       | lea                 rax, [rip + 0x1a08d]
            //   c3                   | ret                 
            //   4053                 | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   488bd9               | mov                 rbx, rcx
            //   488d0d7ca00100       | lea                 rcx, [rip + 0x1a07c]
            //   483bd9               | cmp                 rbx, rcx

        $sequence_15 = { 015330 41 894b0c e9???????? }
            // n = 4, score = 100
            //   015330               | add                 dword ptr [ebx + 0x30], edx
            //   41                   | inc                 ecx
            //   894b0c               | mov                 dword ptr [ebx + 0xc], ecx
            //   e9????????           |                     

        $sequence_16 = { 015330 e9???????? 8b5314 3b5318 0f8d23020000 }
            // n = 5, score = 100
            //   015330               | add                 dword ptr [ebx + 0x30], edx
            //   e9????????           |                     
            //   8b5314               | mov                 edx, dword ptr [ebx + 0x14]
            //   3b5318               | cmp                 edx, dword ptr [ebx + 0x18]
            //   0f8d23020000         | jge                 0x229

        $sequence_17 = { 015930 3b542408 0f8d10ffffff 8d3c52 }
            // n = 4, score = 100
            //   015930               | add                 dword ptr [ecx + 0x30], ebx
            //   3b542408             | cmp                 edx, dword ptr [esp + 8]
            //   0f8d10ffffff         | jge                 0xffffff16
            //   8d3c52               | lea                 edi, [edx + edx*2]

        $sequence_18 = { 488b8c24a0000000 e8???????? 48c78424b80000000f000000 4c89bc24b0000000 c68424a000000000 }
            // n = 5, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488b8c24a0000000     | mov                 rcx, qword ptr [rsp + 0xa0]
            //   e8????????           |                     
            //   48c78424b80000000f000000     | mov    qword ptr [rsp + 0xb8], 0xf
            //   4c89bc24b0000000     | mov                 qword ptr [rsp + 0xb0], r15
            //   c68424a000000000     | mov                 byte ptr [rsp + 0xa0], 0

        $sequence_19 = { 488b4c2470 e8???????? 48c78424880000000f000000 48c784248000000000000000 c644247000 41b806000000 488d151b3d0200 }
            // n = 7, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488b4c2470           | mov                 rcx, qword ptr [rsp + 0x70]
            //   e8????????           |                     
            //   48c78424880000000f000000     | mov    qword ptr [rsp + 0x88], 0xf
            //   48c784248000000000000000     | mov    qword ptr [rsp + 0x80], 0
            //   c644247000           | mov                 byte ptr [rsp + 0x70], 0
            //   41b806000000         | mov                 r8d, 6
            //   488d151b3d0200       | lea                 rdx, [rip + 0x23d1b]

        $sequence_20 = { 016b04 83c41c 5b 5e }
            // n = 4, score = 100
            //   016b04               | add                 dword ptr [ebx + 4], ebp
            //   83c41c               | add                 esp, 0x1c
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_21 = { 488d15c7780200 480f45d0 881f 381a 740e 4883cbff 90 }
            // n = 7, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488d15c7780200       | lea                 rdx, [rip + 0x278c7]
            //   480f45d0             | cmovne              rdx, rax
            //   881f                 | mov                 byte ptr [rdi], bl
            //   381a                 | cmp                 byte ptr [rdx], bl
            //   740e                 | je                  0x10
            //   4883cbff             | or                  rbx, 0xffffffffffffffff
            //   90                   | nop                 

        $sequence_22 = { 015518 8b5d14 85db 0f8565fbffff }
            // n = 4, score = 100
            //   015518               | add                 dword ptr [ebp + 0x18], edx
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   85db                 | test                ebx, ebx
            //   0f8565fbffff         | jne                 0xfffffb6b

        $sequence_23 = { 488b09 488d41ff 4883f8fd 7714 ff15???????? 85c0 750a }
            // n = 7, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488b09               | mov                 rcx, qword ptr [rcx]
            //   488d41ff             | lea                 rax, [rcx - 1]
            //   4883f8fd             | cmp                 rax, -3
            //   7714                 | ja                  0x16
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc

        $sequence_24 = { 015330 8a10 eb84 8a5001 }
            // n = 4, score = 100
            //   015330               | add                 dword ptr [ebx + 0x30], edx
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   eb84                 | jmp                 0xffffff86
            //   8a5001               | mov                 dl, byte ptr [eax + 1]

        $sequence_25 = { 7532 b902010209 e8???????? 90 48837b1810 7208 }
            // n = 6, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   7532                 | jne                 0x34
            //   b902010209           | mov                 ecx, 0x9020102
            //   e8????????           |                     
            //   90                   | nop                 
            //   48837b1810           | cmp                 qword ptr [rbx + 0x18], 0x10
            //   7208                 | jb                  0xa

        $sequence_26 = { 438d0401 4c8d1d31490100 418bca 99 2bc2 }
            // n = 5, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   438d0401             | lea                 eax, [r9 + r8]
            //   4c8d1d31490100       | lea                 r11, [rip + 0x14931]
            //   418bca               | mov                 ecx, r10d
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx

        $sequence_27 = { 016b24 89e8 83c44c 5b }
            // n = 4, score = 100
            //   016b24               | add                 dword ptr [ebx + 0x24], ebp
            //   89e8                 | mov                 eax, ebp
            //   83c44c               | add                 esp, 0x4c
            //   5b                   | pop                 ebx

        $sequence_28 = { 488b01 8a08 880a 33c9 488d1c32 4c8d05c71a0100 }
            // n = 6, score = 100
            // x86-64 sequence, re-annotated (see NOTE(review) above)
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   8a08                 | mov                 cl, byte ptr [rax]
            //   880a                 | mov                 byte ptr [rdx], cl
            //   33c9                 | xor                 ecx, ecx
            //   488d1c32             | lea                 rbx, [rdx + rsi]
            //   4c8d05c71a0100       | lea                 r8, [rip + 0x11ac7]

    // Any 7 of the 29 sequences above; 614400 bytes is 600 KiB, which bounds
    // the scan to files of roughly the documented samples' size.
    condition:
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
rule win_remexi_w0 {
    meta:
        author = "Symantec"
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    /* Hand-written indicator rule reproduced from the Symantec CadelSpy/Remexi
     * IoC document cited in `source`.  Three string groups:
     *   $c* - NUL-bounded byte tokens (<exit>, <id>, <rem>, <close>, WIN,
     *         cmd.exe, ID, rem); the surrounding 00 bytes stop a token from
     *         matching inside a longer word.
     *   $d* - PDB (debug symbol) path suffixes.
     *   $s* - plaintext strings: a status message, a command line that stops
     *         and starts a service named "sea", the Parameters key of a
     *         service named "SEA", and two internal error/function labels.
     * None of the text strings carries a `wide` modifier, so only the ASCII
     * encoding of each matches.
     */
    strings:
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */ 
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    /* Match when either
     *   (a) at least four $c tokens are present together with two $s strings
     *       or any one $d path, or
     *   (b) at least five $c tokens are present together with any one $s string.
     */
    condition:
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}