win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites; it is typically targeted against Swiss banks (earlier campaigns also hit Sweden and Japan, per the 2015 Unit 42 report below). The malware binary itself is primarily a dropper for a JavaScript file, which builds a VBA file that in turn loads multiple tools onto the host, including 7-Zip and Tor. The VBA installs a new root certificate and then forwards all traffic via Tor to an attacker-controlled host, so that TLS traffic can be intercepted (man-in-the-middle, MITM) without the browser raising certificate warnings. The newly installed root certificate is therefore the key host artefact to check for when hunting for this family.

References
2019-05-23 — Vulnerability.ch Blog — Corsin Camichel
@online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } Analysing "Retefe" with Sysmon and Splunk
Retefe
2019-05-02 — Proofpoint — Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } 2019: The Return of Retefe
Dok Retefe SmokeLoader
2019-03-09 — Github (cocaman) — Corsin Camichel
@online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } retefe: Artefacts from various retefe campaigns
Retefe
2018-12-30 — Github (Tomasuh) — Tomasuh
@online{tomasuh:20181230:retefe:96e64b4, author = {Tomasuh}, title = {{Retefe unpacker}}, date = {2018-12-30}, organization = {Github (Tomasuh)}, url = {https://github.com/Tomasuh/retefe-unpacker}, language = {English}, urldate = {2020-01-07} } Retefe unpacker
Retefe
2018-11-08 — GovCERT.ch — GovCERT.ch
@online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } Reversing Retefe
Retefe
2017-09-22 — Threatpost — Tom Spring
@online{spring:20170922:eternalblue:a6be32b, author = {Tom Spring}, title = {{EternalBlue Exploit Used in Retefe Banking Trojan Campaign}}, date = {2017-09-22}, organization = {Threatpost}, url = {https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/}, language = {English}, urldate = {2020-01-08} } EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Retefe
2017-08-03 — GovCERT.ch — GovCERT.ch
@online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } The Retefe Saga
Retefe Dok Retefe
2015-08-20 — Palo Alto Networks Unit 42 — Brandon Levene, Robert Falcone, Josh Grunzweig, Bryan Lee, Ryan Olson
@online{levene:20150820:retefe:b3a0c4f, author = {Brandon Levene and Robert Falcone and Josh Grunzweig and Bryan Lee and Ryan Olson}, title = {{Retefe Banking Trojan Targets Sweden, Switzerland and Japan}}, date = {2015-08-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/}, language = {English}, urldate = {2019-12-20} } Retefe Banking Trojan Targets Sweden, Switzerland and Japan
Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_retefe_auto {
    // Autogenerated code-signature rule for the Retefe banking trojan
    // (Malpedia family win.retefe).  It keys on 29 short x86 opcode
    // sequences ($sequence_0 .. $sequence_28, 4-7 instructions each) lifted
    // from the disassembly of unpacked samples / memory dumps, NOT from the
    // packed on-disk dropper (see DISCLAIMER below) -- expect misses when
    // scanning the packed binary or the JS/VBA stages.
    // Each sequence carries a yara-signator "score" (100 .. 1200).  The score
    // semantics are not documented here; presumably a weight / cross-sample
    // recurrence measure -- confirm against the yara-signator docs before
    // mapping it to confidence levels.
    // Bytes shown as "??" are wildcards: the rel32 of `e8` (call) and the
    // absolute pointer of `ff15` (call [mem]) are masked so the sequence
    // survives different link layouts.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        // Rule generation date vs. the Malpedia dataset snapshot it was built
        // from (the page header "20201023" is the dataset version, not a typo).
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // --- score 1200: the three highest-weighted sequences ---------------
        $sequence_0 = { 85f6 7410 6a09 56 }
            // n = 4, score = 1200
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   6a09                 | push                9
            //   56                   | push                esi

        $sequence_1 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        // Indirect call through a (wildcarded) pointer, then eax = 1 -- the
        // constant 0xf5 pushed as an argument is the distinctive part.
        $sequence_2 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        // --- score 800 ------------------------------------------------------
        $sequence_3 = { e8???????? 6a08 e8???????? 894604 83c404 8bc6 e8???????? }
            // n = 7, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_4 = { 52 e8???????? 8b4e04 8901 }
            // n = 4, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_5 = { 8901 8b4e04 33c0 83c404 }
            // n = 4, score = 800
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax
            //   83c404               | add                 esp, 4

        // Loop tail: eax++ while eax < [ecx+4]; jb back 0x12 bytes.
        $sequence_6 = { 8b4e04 40 3b4104 72ec }
            // n = 4, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]
            //   72ec                 | jb                  0xffffffee

        // $sequence_7 / _9 / _10 / _11 are runs of `push imm8`.  This looks
        // like a constant buffer being assembled byte-by-byte on the stack
        // (e.g. an inline-built string or key) -- inference from the shape,
        // not confirmed here.  The literal byte values are what make them
        // specific, so a rebuild that changes the constants breaks all four.
        $sequence_7 = { 6ac2 6acd 6acf 6a59 }
            // n = 4, score = 800
            //   6ac2                 | push                -0x3e
            //   6acd                 | push                -0x33
            //   6acf                 | push                -0x31
            //   6a59                 | push                0x59

        // Small leaf function: eax = 1 * [ebp+8] then epilogue; generic
        // enough that it likely contributes little on its own.
        $sequence_8 = { 56 8b7508 750b b801000000 0fafc6 5e 5d }
            // n = 7, score = 800
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   750b                 | jne                 0xd
            //   b801000000           | mov                 eax, 1
            //   0fafc6               | imul                eax, esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_9 = { 6a59 6a0d 6acb 6abd 6a4c 6a10 }
            // n = 6, score = 800
            //   6a59                 | push                0x59
            //   6a0d                 | push                0xd
            //   6acb                 | push                -0x35
            //   6abd                 | push                -0x43
            //   6a4c                 | push                0x4c
            //   6a10                 | push                0x10

        $sequence_10 = { 6a5a 6a79 6ace 6aac }
            // n = 4, score = 800
            //   6a5a                 | push                0x5a
            //   6a79                 | push                0x79
            //   6ace                 | push                -0x32
            //   6aac                 | push                -0x54

        $sequence_11 = { 6aa4 6a26 6a38 6ad7 6aa2 }
            // n = 5, score = 800
            //   6aa4                 | push                -0x5c
            //   6a26                 | push                0x26
            //   6a38                 | push                0x38
            //   6ad7                 | push                -0x29
            //   6aa2                 | push                -0x5e

        // --- score 600 ------------------------------------------------------
        // Byte-store loop body: result of a call written to [esi+edi], esi++,
        // compare against ebx (loop bound).
        $sequence_12 = { 50 e8???????? 88043e 46 83c404 3bf3 }
            // n = 6, score = 600
            //   50                   | push                eax
            //   e8????????           |                     
            //   88043e               | mov                 byte ptr [esi + edi], al
            //   46                   | inc                 esi
            //   83c404               | add                 esp, 4
            //   3bf3                 | cmp                 esi, ebx

        // --- score 100: lowest-weighted sequences --------------------------
        // Per the DISCLAIMER, several families are documented from a single
        // sample; the low score presumably reflects little cross-sample
        // support, so treat hits that rely mostly on these as weaker.
        // Several of them (_14, _17, _23, _26, _27) also embed absolute
        // virtual addresses (0x42bfa0, 0x42bda4, 0x432090, 0x432490), which
        // ties them to one specific image base / build layout -- a rebuilt
        // or differently-based sample will not match those bytes.
        $sequence_13 = { 56 8d85c4e3ffff 50 e8???????? }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8d85c4e3ffff         | lea                 eax, [ebp - 0x1c3c]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_14 = { 56 8b048da0bf4200 57 8b7d10 897dd0 894dd4 8b441818 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8b048da0bf4200       | mov                 eax, dword ptr [ecx*4 + 0x42bfa0]
            //   57                   | push                edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   897dd0               | mov                 dword ptr [ebp - 0x30], edi
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   8b441818             | mov                 eax, dword ptr [eax + ebx + 0x18]

        $sequence_15 = { 6a00 6afd 8b08 50 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6afd                 | push                -3
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax

        // `rol edx, 5` amid register shuffling -- resembles a rotate-based
        // hash/mixing step; not confirmed from this snippet alone.
        $sequence_16 = { e8???????? 8b4c2430 8bd3 83c414 c1c205 8901 8b4c243c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   8bd3                 | mov                 edx, ebx
            //   83c414               | add                 esp, 0x14
            //   c1c205               | rol                 edx, 5
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4c243c             | mov                 ecx, dword ptr [esp + 0x3c]

        $sequence_17 = { 85c0 740e 50 e8???????? 83a6a0bf420000 59 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   83a6a0bf420000       | and                 dword ptr [esi + 0x42bfa0], 0
            //   59                   | pop                 ecx

        $sequence_18 = { 50 e8???????? 0fb7d8 8d44244c }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   0fb7d8               | movzx               ebx, ax
            //   8d44244c             | lea                 eax, [esp + 0x4c]

        $sequence_19 = { 57 8b7c2410 83eb01 7426 8b44240c }
            // n = 5, score = 100
            //   57                   | push                edi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   83eb01               | sub                 ebx, 1
            //   7426                 | je                  0x28
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]

        // ecx = -1 then `lock xadd [edx+0xc], ecx`: an atomic decrement of a
        // field 0xc into an object located 0x10 before [ebp+8].  Looks like
        // reference counting (compiler runtime / COM style) -- unconfirmed.
        $sequence_20 = { c745fcffffffff 8bf0 8b5508 83c9ff 83c2f0 f00fc14a0c }
            // n = 6, score = 100
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8bf0                 | mov                 esi, eax
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c9ff               | or                  ecx, 0xffffffff
            //   83c2f0               | add                 edx, -0x10
            //   f00fc14a0c           | lock xadd           dword ptr [edx + 0xc], ecx

        $sequence_21 = { 7d2a 8d442418 8d0490 8944243c 83ff04 }
            // n = 5, score = 100
            //   7d2a                 | jge                 0x2c
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   8d0490               | lea                 eax, [eax + edx*4]
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   83ff04               | cmp                 edi, 4

        $sequence_22 = { 6a14 59 2be9 895c2414 8d43ff 896c2418 }
            // n = 6, score = 100
            //   6a14                 | push                0x14
            //   59                   | pop                 ecx
            //   2be9                 | sub                 ebp, ecx
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   8d43ff               | lea                 eax, [ebx - 1]
            //   896c2418             | mov                 dword ptr [esp + 0x18], ebp

        $sequence_23 = { 83b8a800000000 7512 8b04bda0bf4200 807c302900 7504 32c0 }
            // n = 6, score = 100
            //   83b8a800000000       | cmp                 dword ptr [eax + 0xa8], 0
            //   7512                 | jne                 0x14
            //   8b04bda0bf4200       | mov                 eax, dword ptr [edi*4 + 0x42bfa0]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al

        // Scans a UTF-16 string for the code unit 0x26 ('&'); compares 16-bit
        // units (cx) and tests for the NUL terminator.
        $sequence_24 = { 742c 6683f926 7526 33c0 8d1430 0fb70a 6685c9 }
            // n = 7, score = 100
            //   742c                 | je                  0x2e
            //   6683f926             | cmp                 cx, 0x26
            //   7526                 | jne                 0x28
            //   33c0                 | xor                 eax, eax
            //   8d1430               | lea                 edx, [eax + esi]
            //   0fb70a               | movzx               ecx, word ptr [edx]
            //   6685c9               | test                cx, cx

        // Generic cdecl prologue + argument forwarding; low specificity.
        $sequence_25 = { 55 8bec 8b4510 ff751c ff30 }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   ff751c               | push                dword ptr [ebp + 0x1c]
            //   ff30                 | push                dword ptr [eax]

        // Two table lookups indexed by successive bytes of a word (shr 8,
        // movzx al) XORed into ecx -- resembles a table-driven byte transform
        // (T-table style block cipher round or CRC-like step); the tables sit
        // at fixed VAs 0x432490 / 0x432090, so this is build-specific.
        $sequence_26 = { 330c8590244300 8b442410 c1e808 0fb6c0 330c8590204300 }
            // n = 5, score = 100
            //   330c8590244300       | xor                 ecx, dword ptr [eax*4 + 0x432490]
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   c1e808               | shr                 eax, 8
            //   0fb6c0               | movzx               eax, al
            //   330c8590204300       | xor                 ecx, dword ptr [eax*4 + 0x432090]

        // Indexes a table of 0x18-byte records at fixed VA 0x42bda4 and passes
        // the record pointer to an imported function (call target wildcarded).
        $sequence_27 = { 6bc618 57 8db8a4bd4200 57 ff15???????? }
            // n = 5, score = 100
            //   6bc618               | imul                eax, esi, 0x18
            //   57                   | push                edi
            //   8db8a4bd4200         | lea                 edi, [eax + 0x42bda4]
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_28 = { 72f3 8d45e4 c645f800 50 6a01 6a00 ff15???????? }
            // n = 7, score = 100
            //   72f3                 | jb                  0xfffffff5
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   c645f800             | mov                 byte ptr [ebp - 8], 0
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff15????????         |                     

    condition:
        // Fires when at least 7 of the 29 sequences are present -- the scores
        // are informational only and do NOT weight the condition, so seven
        // score-100 hits count the same as seven score-1200 hits.
        // The size cap (843776 bytes = 824 KiB) bounds the scanned object:
        // larger dumps will never match regardless of string hits, and in a
        // live process scan YARA leaves `filesize` undefined, which makes
        // the whole condition false -- verify against your YARA version
        // before using this rule for in-memory scanning rather than on
        // unpacked files / dumps.
        7 of them and filesize < 843776
}