win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file, which builds a VBA file, which in turn loads multiple tools onto the host, including 7zip and Tor. The VBA installs a new root certificate and then forwards all traffic via Tor to the attacker-controlled host in order to effectively MITM TLS traffic.

References
2019-05-23 — Vulnerability.ch Blog — Corsin Camichel
Analysing "Retefe" with Sysmon and Splunk
Retefe
2019-05-02 — Proofpoint — Bryan Campbell, Proofpoint Threat Insight Team
2019: The Return of Retefe
Dok Retefe SmokeLoader
2019-03-09 — Github (cocaman) — Corsin Camichel
retefe: Artefacts from various retefe campaigns
Retefe
2018-12-30 — Github (Tomasuh) — Tomasuh
Retefe unpacker
Retefe
2018-11-08 — GovCERT.ch — GovCERT.ch
Reversing Retefe
Retefe
2017-09-22 — Threatpost — Tom Spring
EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Retefe
2017-08-03 — GovCERT.ch — GovCERT.ch
The Retefe Saga
Retefe Dok Retefe
2015-08-20 — Palo Alto Networks Unit 42 — Brandon Levene, Bryan Lee, Josh Grunzweig, Robert Falcone, Ryan Olson
Retefe Banking Trojan Targets Sweden, Switzerland and Japan
Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20260504 | Detects win.retefe.)
rule win_retefe_auto {

    /* Purpose: autogenerated code-signature rule for the win.retefe family.
     * Matching is based on 30 short x86 instruction byte sequences
     * ($sequence_0 .. $sequence_29) lifted from the disassembly of unpacked
     * samples / memory dumps (see DISCLAIMER below). The rule fires when at
     * least 7 of those sequences are present and the scanned object is
     * smaller than 843776 bytes (0xCE000, i.e. 824 KiB).
     *
     * Reading the per-string comments:
     *   n     = number of instructions in the sequence
     *   score = yara-signator's ranking value for that sequence; its exact
     *           meaning is defined by the tool, not by this rule — consult the
     *           yara-signator documentation before using it as a confidence
     *           weight.
     *   "????????" bytes are wildcards; the disassembly column is left blank
     *   for those instructions because their operands (presumably call/jump
     *   targets and data references, per signator_config) vary between
     *   builds and are masked out.
     *
     * Deployment caveats for defenders:
     *   - The sequences were selected from unpacked code, so packed
     *     on-disk droppers may not match; scanning unpacked payloads or
     *     memory is where this rule is most useful.
     *   - NOTE(review): YARA's `filesize` is, to my knowledge, undefined when
     *     scanning a running process, which would keep this condition from
     *     firing on process-memory scans — confirm against the YARA version
     *     in use and drop the size bound for memory-scanning deployments.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.retefe."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences are grouped by descending score: two at 1200, eleven at
        // 800, one at 600, sixteen at 100. The many short "push imm8" runs
        // ($sequence_2/3/7/8) are generic-looking in isolation; the
        // "7 of them" threshold below is what gives the rule its specificity.
        $sequence_0 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_1 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     // indirect call through a masked (wildcarded) address
            //   b801000000           | mov                 eax, 1

        $sequence_2 = { 6a3b 6a95 6ae7 6a07 6a22 }
            // n = 5, score = 800
            //   6a3b                 | push                0x3b
            //   6a95                 | push                -0x6b
            //   6ae7                 | push                -0x19
            //   6a07                 | push                7
            //   6a22                 | push                0x22

        $sequence_3 = { 6a90 6a19 6ad6 6a2c 6ad3 6a13 }
            // n = 6, score = 800
            //   6a90                 | push                -0x70
            //   6a19                 | push                0x19
            //   6ad6                 | push                -0x2a
            //   6a2c                 | push                0x2c
            //   6ad3                 | push                -0x2d
            //   6a13                 | push                0x13

        $sequence_4 = { 50 8b4204 ffd0 8b85e8efffff 6a00 8d8ddcefffff 51 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   ffd0                 | call                eax
            //   8b85e8efffff         | mov                 eax, dword ptr [ebp - 0x1018]
            //   6a00                 | push                0
            //   8d8ddcefffff         | lea                 ecx, [ebp - 0x1024]
            //   51                   | push                ecx

        $sequence_5 = { 894604 83c404 8bc6 e8???????? }
            // n = 4, score = 800
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     // relative call, target masked

        $sequence_6 = { 8b450c 3978fc 7e10 8b40f4 }
            // n = 4, score = 800
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   3978fc               | cmp                 dword ptr [eax - 4], edi
            //   7e10                 | jle                 0x12
            //   8b40f4               | mov                 eax, dword ptr [eax - 0xc]

        $sequence_7 = { 6adb 6a52 6af1 6a72 6a8a 6a3f }
            // n = 6, score = 800
            //   6adb                 | push                -0x25
            //   6a52                 | push                0x52
            //   6af1                 | push                -0xf
            //   6a72                 | push                0x72
            //   6a8a                 | push                -0x76
            //   6a3f                 | push                0x3f

        $sequence_8 = { 6a17 6a31 6a1b 6a24 6a5a 6a3d }
            // n = 6, score = 800
            //   6a17                 | push                0x17
            //   6a31                 | push                0x31
            //   6a1b                 | push                0x1b
            //   6a24                 | push                0x24
            //   6a5a                 | push                0x5a
            //   6a3d                 | push                0x3d

        $sequence_9 = { e8???????? 6a08 e8???????? 894604 83c404 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4

        $sequence_10 = { 52 e8???????? 8b4e04 8901 }
            // n = 4, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_11 = { 8b4e04 40 3b4104 72ec }
            // n = 4, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]
            //   72ec                 | jb                  0xffffffee

        $sequence_12 = { 8b4e04 8901 8b4e04 33c0 83c404 }
            // n = 5, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax
            //   83c404               | add                 esp, 4

        $sequence_13 = { 50 e8???????? 88043e 46 83c404 3bf3 75ec }
            // n = 7, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   88043e               | mov                 byte ptr [esi + edi], al
            //   46                   | inc                 esi
            //   83c404               | add                 esp, 4
            //   3bf3                 | cmp                 esi, ebx
            //   75ec                 | jne                 0xffffffee

        $sequence_14 = { 668908 8d85c4efffff bf???????? 50 }
            // n = 4, score = 100
            //   668908               | mov                 word ptr [eax], cx
            //   8d85c4efffff         | lea                 eax, [ebp - 0x103c]
            //   bf????????           |                     // mov edi, imm32 with the immediate masked
            //   50                   | push                eax

        $sequence_15 = { c745fcffffffff 8935???????? 8b06 51 8bfc }
            // n = 5, score = 100
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8935????????         |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   51                   | push                ecx
            //   8bfc                 | mov                 edi, esp

        $sequence_16 = { e8???????? 83a6a0bf420000 59 83c604 81fe00020000 72dd b001 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83a6a0bf420000       | and                 dword ptr [esi + 0x42bfa0], 0
            //   59                   | pop                 ecx
            //   83c604               | add                 esi, 4
            //   81fe00020000         | cmp                 esi, 0x200
            //   72dd                 | jb                  0xffffffdf
            //   b001                 | mov                 al, 1

        $sequence_17 = { 756e 85d2 756a 8b3d???????? 8db7ff1f0000 }
            // n = 5, score = 100
            //   756e                 | jne                 0x70
            //   85d2                 | test                edx, edx
            //   756a                 | jne                 0x6c
            //   8b3d????????         |                     
            //   8db7ff1f0000         | lea                 esi, [edi + 0x1fff]

        $sequence_18 = { 83c001 89442414 0f8429010000 55 }
            // n = 4, score = 100
            //   83c001               | add                 eax, 1
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   0f8429010000         | je                  0x12f
            //   55                   | push                ebp

        $sequence_19 = { 8d442410 50 ffd3 8b450c 2dd0070000 }
            // n = 5, score = 100
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2dd0070000           | sub                 eax, 0x7d0

        $sequence_20 = { 894c243c 8d48fd 83e10f 8d7007 }
            // n = 4, score = 100
            //   894c243c             | mov                 dword ptr [esp + 0x3c], ecx
            //   8d48fd               | lea                 ecx, [eax - 3]
            //   83e10f               | and                 ecx, 0xf
            //   8d7007               | lea                 esi, [eax + 7]

        $sequence_21 = { c70021000000 e9???????? 894ddc c745e008344100 e9???????? c745e004344100 }
            // n = 6, score = 100
            //   c70021000000         | mov                 dword ptr [eax], 0x21
            //   e9????????           |                     
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   c745e008344100       | mov                 dword ptr [ebp - 0x20], 0x413408
            //   e9????????           |                     
            //   c745e004344100       | mov                 dword ptr [ebp - 0x20], 0x413404

        $sequence_22 = { 40 83f81d 7cf1 eb07 8b0cc5fc3c4100 }
            // n = 5, score = 100
            //   40                   | inc                 eax
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3
            //   eb07                 | jmp                 9
            //   8b0cc5fc3c4100       | mov                 ecx, dword ptr [eax*8 + 0x413cfc]

        // NOTE(review): $sequence_16, $sequence_21, $sequence_22, $sequence_23,
        // $sequence_27 and $sequence_29 embed absolute 0x40xxxx/0x41xxxx/0x42xxxx
        // addresses as literal bytes; they are tied to one image base and
        // layout, so they are expected to be the first to stop matching on a
        // rebuilt or relocated sample.
        $sequence_23 = { 6bf030 03348da0bf4200 837e18ff 740c 837e18fe 7406 }
            // n = 6, score = 100
            //   6bf030               | imul                esi, eax, 0x30
            //   03348da0bf4200       | add                 esi, dword ptr [ecx*4 + 0x42bfa0]
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1
            //   740c                 | je                  0xe
            //   837e18fe             | cmp                 dword ptr [esi + 0x18], -2
            //   7406                 | je                  8

        $sequence_24 = { f2c3 f2e953070000 53 56 57 6a00 68a00f0000 }
            // n = 7, score = 100
            //   f2c3                 | bnd ret             
            //   f2e953070000         | bnd jmp             0x759
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a00                 | push                0
            //   68a00f0000           | push                0xfa0

        $sequence_25 = { 8364240400 56 57 8b7c2418 57 }
            // n = 5, score = 100
            //   8364240400           | and                 dword ptr [esp + 4], 0
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]
            //   57                   | push                edi

        $sequence_26 = { 8bfe e9???????? 33db 33c0 }
            // n = 4, score = 100
            //   8bfe                 | mov                 edi, esi
            //   e9????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   33c0                 | xor                 eax, eax

        $sequence_27 = { 0f87ed010000 ff24855c664000 ff36 68???????? 6a00 }
            // n = 5, score = 100
            //   0f87ed010000         | ja                  0x1f3
            //   ff24855c664000       | jmp                 dword ptr [eax*4 + 0x40665c]
            //   ff36                 | push                dword ptr [esi]
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_28 = { 56 e8???????? 85c0 0f8425ffffff 56 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8425ffffff         | je                  0xffffff2b
            //   56                   | push                esi

        $sequence_29 = { 83e03f c1ff06 6bd830 8b04bda0bf4200 }
            // n = 4, score = 100
            //   83e03f               | and                 eax, 0x3f
            //   c1ff06               | sar                 edi, 6
            //   6bd830               | imul                ebx, eax, 0x30
            //   8b04bda0bf4200       | mov                 eax, dword ptr [edi*4 + 0x42bfa0]

    condition:
        // Fire on any 7 of the 30 sequences (scores are not weighted here),
        // bounded to objects under 843776 bytes (824 KiB) to limit scan cost
        // and false positives on large unrelated binaries.
        7 of them and filesize < 843776
}