win.retefe (Back to overview)

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file, which builds a VBA file that in turn loads multiple tools onto the host, including 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-controlled host in order to effectively MITM TLS traffic.

References
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/
https://github.com/cocaman/retefe
https://www.govcert.admin.ch/blog/33/the-retefe-saga
https://github.com/Tomasuh/retefe-unpacker
https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/
https://www.govcert.admin.ch/blog/35/reversing-retefe
https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/
Yara Rules
[TLP:WHITE] win_retefe_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_retefe_auto {
    // Autogenerated code-sequence signature for the Retefe banking trojan
    // (Malpedia family win.retefe). Every $sequence_N below is an x86 byte
    // pattern lifted from disassembly of unpacked samples; the indented
    // disassembly listing under each string is commentary only and has no
    // effect on matching. Bytes written as '?' are wildcards, so that
    // build-specific branch/call displacements and absolute addresses do not
    // pin the pattern to one sample.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Per-string annotations: "n" is the number of instructions in the
        // sequence (it matches the listing length), "score" is the
        // generator's ranking value; neither is read by YARA.
        //
        // NOTE(review): $sequence_0, $sequence_2, $sequence_3, $sequence_4
        // and $sequence_7 are all sub-patterns of $sequence_1 (the same
        // push/mov/call esi/test/jcc/test/jcc stub, trimmed at either end).
        // A single hit on $sequence_1 therefore also satisfies those five,
        // i.e. six of the seven strings required by the condition below can
        // come from one occurrence of a very generic call-and-check idiom.
        // Effectively only one further string is needed for the rule to fire,
        // so treat a hit that rests on this nest plus a single extra string
        // as low confidence and corroborate it before acting on it.
        $sequence_0 = { 8bf8 ffd6 85c0 0f8????????? }
            // n = 4, score = 1200
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     

        $sequence_1 = { 51 8bf8 ffd6 85c0 0f8????????? 85ff 0f8????????? }
            // n = 7, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     
            //   85ff                 | test                edi, edi
            //   0f8?????????         |                     

        $sequence_2 = { 8bf8 ffd6 85c0 0f8????????? 85ff }
            // n = 5, score = 1200
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     
            //   85ff                 | test                edi, edi

        $sequence_3 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_4 = { 51 8bf8 ffd6 85c0 0f8????????? }
            // n = 5, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     

        $sequence_5 = { 85f6 74?? 6a09 56 ff15???????? 56 ff15???????? }
            // n = 7, score = 1200
            //   85f6                 | test                esi, esi
            //   74??                 |                     
            //   6a09                 | push                9
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_6 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        $sequence_7 = { 51 8bf8 ffd6 85c0 0f8????????? 85ff }
            // n = 6, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     
            //   85ff                 | test                edi, edi

        // NOTE(review): $sequence_8 through $sequence_23 embed literal image
        // addresses (e.g. 0x428a70, 0x42bf3c, 0x431c90) as un-wildcarded
        // immediates. These presumably reflect the layout of the specific
        // sample(s) the rule was generated from and are unlikely to survive a
        // rebuild or a different base address — expect them to contribute
        // little against new builds of the family.
        $sequence_8 = { ff15???????? 8d45e0 50 68708a4200 ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   68708a4200           | push                0x428a70
            //   ff15????????         |                     

        $sequence_9 = { 8b442418 46 83fe04 7c?? }
            // n = 4, score = 100
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   46                   | inc                 esi
            //   83fe04               | cmp                 esi, 4
            //   7c??                 |                     

        $sequence_10 = { 8d859ceeffff 50 68b9000000 e8???????? 50 8d8578bdffff }
            // n = 6, score = 100
            //   8d859ceeffff         | lea                 eax, [ebp - 0x1164]
            //   50                   | push                eax
            //   68b9000000           | push                0xb9
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d8578bdffff         | lea                 eax, [ebp - 0x4288]

        $sequence_11 = { 8b5c240c 55 56 57 85db 74?? 8b7c2414 }
            // n = 7, score = 100
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   55                   | push                ebp
            //   56                   | push                esi
            //   57                   | push                edi
            //   85db                 | test                ebx, ebx
            //   74??                 |                     
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_12 = { b93cbf4200 e8???????? ff35???????? e8???????? }
            // n = 4, score = 100
            //   b93cbf4200           | mov                 ecx, 0x42bf3c
            //   e8????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     

        $sequence_13 = { 330c85901c4300 8bc2 c1e810 890f 0fb6c8 }
            // n = 5, score = 100
            //   330c85901c4300       | xor                 ecx, dword ptr [eax*4 + 0x431c90]
            //   8bc2                 | mov                 eax, edx
            //   c1e810               | shr                 eax, 0x10
            //   890f                 | mov                 dword ptr [edi], ecx
            //   0fb6c8               | movzx               ecx, al

        $sequence_14 = { 8b7c2434 6a40 ff74243c 897c2420 57 e8???????? }
            // n = 6, score = 100
            //   8b7c2434             | mov                 edi, dword ptr [esp + 0x34]
            //   6a40                 | push                0x40
            //   ff74243c             | push                dword ptr [esp + 0x3c]
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_15 = { 894ddc c745e008344100 e9???????? c745e004344100 }
            // n = 4, score = 100
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   c745e008344100       | mov                 dword ptr [ebp - 0x20], 0x413408
            //   e9????????           |                     
            //   c745e004344100       | mov                 dword ptr [ebp - 0x20], 0x413404

        $sequence_16 = { 8bec 56 8bf1 8d4604 c70628564200 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8d4604               | lea                 eax, [esi + 4]
            //   c70628564200         | mov                 dword ptr [esi], 0x425628

        $sequence_17 = { bb1c944200 3bf3 73?? 57 8b3e 85ff 74?? }
            // n = 7, score = 100
            //   bb1c944200           | mov                 ebx, 0x42941c
            //   3bf3                 | cmp                 esi, ebx
            //   73??                 |                     
            //   57                   | push                edi
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   85ff                 | test                edi, edi
            //   74??                 |                     

        $sequence_18 = { 3de4000000 73?? 8b04c538114100 5d }
            // n = 4, score = 100
            //   3de4000000           | cmp                 eax, 0xe4
            //   73??                 |                     
            //   8b04c538114100       | mov                 eax, dword ptr [eax*8 + 0x411138]
            //   5d                   | pop                 ebp

        $sequence_19 = { 74?? 85f6 75?? 68c0b94200 e8???????? 59 }
            // n = 6, score = 100
            //   74??                 |                     
            //   85f6                 | test                esi, esi
            //   75??                 |                     
            //   68c0b94200           | push                0x42b9c0
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_20 = { 0fb64c2404 83c0eb 83f806 77?? }
            // n = 4, score = 100
            //   0fb64c2404           | movzx               ecx, byte ptr [esp + 4]
            //   83c0eb               | add                 eax, -0x15
            //   83f806               | cmp                 eax, 6
            //   77??                 |                     

        $sequence_21 = { 8b4550 6685c0 74?? 83ff01 7f?? }
            // n = 5, score = 100
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]
            //   6685c0               | test                ax, ax
            //   74??                 |                     
            //   83ff01               | cmp                 edi, 1
            //   7f??                 |                     

        $sequence_22 = { 59 8d4dbc e8???????? 68b4964200 }
            // n = 4, score = 100
            //   59                   | pop                 ecx
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e8????????           |                     
            //   68b4964200           | push                0x4296b4

        $sequence_23 = { 8945fc 56 68d4084100 68cc084100 68d4084100 6a18 e8???????? }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   68d4084100           | push                0x4108d4
            //   68cc084100           | push                0x4108cc
            //   68d4084100           | push                0x4108d4
            //   6a18                 | push                0x18
            //   e8????????           |                     

    condition:
        // Fires when any 7 distinct $sequence_* strings match anywhere in the
        // scanned object. Because of the nested strings noted above, the
        // effective requirement is closer to "the generic stub plus one other
        // sequence"; raising the count or excluding the sub-patterns would
        // tighten it, but that would change the generated rule's behaviour.
        7 of them
}