win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file which builds a VBA file, which in turn loads multiple tools onto the host, including 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-controlled host in order to effectively MITM TLS traffic.

References
2019-05-23 — Vulnerability.ch Blog — Corsin Camichel
@online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } Analysing "Retefe" with Sysmon and Splunk
Retefe
2019-05-02 — Proofpoint — Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } 2019: The Return of Retefe
Dok Retefe SmokeLoader
2019-03-09 — Github (cocaman) — Corsin Camichel
@online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } retefe: Artefacts from various retefe campaigns
Retefe
2018-12-30 — Github (Tomasuh) — Tomasuh
@online{tomasuh:20181230:retefe:96e64b4, author = {Tomasuh}, title = {{Retefe unpacker}}, date = {2018-12-30}, organization = {Github (Tomasuh)}, url = {https://github.com/Tomasuh/retefe-unpacker}, language = {English}, urldate = {2020-01-07} } Retefe unpacker
Retefe
2018-11-08 — GovCERT.ch — GovCERT.ch
@online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } Reversing Retefe
Retefe
2017-09-22 — Threatpost — Tom Spring
@online{spring:20170922:eternalblue:a6be32b, author = {Tom Spring}, title = {{EternalBlue Exploit Used in Retefe Banking Trojan Campaign}}, date = {2017-09-22}, organization = {Threatpost}, url = {https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/}, language = {English}, urldate = {2020-01-08} } EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Retefe
2017-08-03 — GovCERT.ch — GovCERT.ch
@online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } The Retefe Saga
Retefe Dok Retefe
2015-08-20 — Palo Alto Networks Unit 42 — Brandon Levene, Robert Falcone, Josh Grunzweig, Bryan Lee, Ryan Olson
@online{levene:20150820:retefe:b3a0c4f, author = {Brandon Levene and Robert Falcone and Josh Grunzweig and Bryan Lee and Ryan Olson}, title = {{Retefe Banking Trojan Targets Sweden, Switzerland and Japan}}, date = {2015-08-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/}, language = {English}, urldate = {2019-12-20} } Retefe Banking Trojan Targets Sweden, Switzerland and Japan
Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20230125 | Detects win.retefe.)
rule win_retefe_auto {

    /* Autogenerated Malpedia rule for the win.retefe family, produced by
     * yara-signator v0.6.0 (see the meta block below). Its strings are 32-bit
     * x86 opcode sequences lifted from memory dumps and unpacked samples, so it
     * is intended for unpacked code; presumably it will not fire on the packed
     * on-disk dropper -- confirm against the generator's documentation. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.retefe."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of raw x86 (32-bit) opcode bytes; the
     * annotated disassembly under each string is informational only and is
     * not part of the pattern. "??" bytes are YARA wildcards and are left
     * blank in the disassembly column -- they presumably mask operand bytes
     * such as call/jump targets and absolute addresses that vary between
     * builds (confirm against the yara-signator documentation).
     * "n" is the number of instructions in the sequence; "score" is the
     * generator's ranking, present here in three tiers (1200, 800, 100) --
     * its exact meaning is not documented in this rule. */
    strings:
        $sequence_0 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_1 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        $sequence_2 = { 6a00 6a01 ff15???????? 8bf0 85f6 7410 6a09 }
            // n = 7, score = 1200
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   6a09                 | push                9

        $sequence_3 = { 6af4 6a00 6a49 6a97 6a5f e8???????? 81c47c010000 }
            // n = 7, score = 800
            //   6af4                 | push                -0xc
            //   6a00                 | push                0
            //   6a49                 | push                0x49
            //   6a97                 | push                -0x69
            //   6a5f                 | push                0x5f
            //   e8????????           |                     
            //   81c47c010000         | add                 esp, 0x17c

        $sequence_4 = { 894604 83c404 8bc6 e8???????? }
            // n = 4, score = 800
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_5 = { 880c10 8b4e04 40 3b4104 72ec }
            // n = 5, score = 800
            //   880c10               | mov                 byte ptr [eax + edx], cl
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]
            //   72ec                 | jb                  0xffffffee

        $sequence_6 = { e8???????? 6a00 6ac8 6afa 6a52 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6ac8                 | push                -0x38
            //   6afa                 | push                -6
            //   6a52                 | push                0x52

        $sequence_7 = { 52 e8???????? 8b4e04 8901 }
            // n = 4, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_8 = { 6a1b 6aeb 6a1a 6ad1 }
            // n = 4, score = 800
            //   6a1b                 | push                0x1b
            //   6aeb                 | push                -0x15
            //   6a1a                 | push                0x1a
            //   6ad1                 | push                -0x2f

        $sequence_9 = { 6a0e 6ad8 6a31 6adc 6a14 6ada 6a6d }
            // n = 7, score = 800
            //   6a0e                 | push                0xe
            //   6ad8                 | push                -0x28
            //   6a31                 | push                0x31
            //   6adc                 | push                -0x24
            //   6a14                 | push                0x14
            //   6ada                 | push                -0x26
            //   6a6d                 | push                0x6d

        $sequence_10 = { 8901 8b4e04 33c0 83c404 394104 }
            // n = 5, score = 800
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax
            //   83c404               | add                 esp, 4
            //   394104               | cmp                 dword ptr [ecx + 4], eax

        $sequence_11 = { e8???????? 6a08 e8???????? 894604 83c404 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4

        $sequence_12 = { 52 8b55fc 8d45f8 50 8d4df0 51 6a00 }
            // n = 7, score = 800
            //   52                   | push                edx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_13 = { c745e018344100 e9???????? c745e020344100 e9???????? c745e028344100 e9???????? }
            // n = 6, score = 100
            //   c745e018344100       | mov                 dword ptr [ebp - 0x20], 0x413418
            //   e9????????           |                     
            //   c745e020344100       | mov                 dword ptr [ebp - 0x20], 0x413420
            //   e9????????           |                     
            //   c745e028344100       | mov                 dword ptr [ebp - 0x20], 0x413428
            //   e9????????           |                     

        $sequence_14 = { 750e 83e07f 50 68???????? }
            // n = 4, score = 100
            //   750e                 | jne                 0x10
            //   83e07f               | and                 eax, 0x7f
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_15 = { e8???????? 84c0 7408 3bfe 7f21 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7408                 | je                  0xa
            //   3bfe                 | cmp                 edi, esi
            //   7f21                 | jg                  0x23

        $sequence_16 = { ff5608 85c0 7905 83c8ff }
            // n = 4, score = 100
            //   ff5608               | call                dword ptr [esi + 8]
            //   85c0                 | test                eax, eax
            //   7905                 | jns                 7
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_17 = { 8b049508d44500 8b440818 83f8ff 7409 }
            // n = 4, score = 100
            //   8b049508d44500       | mov                 eax, dword ptr [edx*4 + 0x45d408]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]
            //   83f8ff               | cmp                 eax, -1
            //   7409                 | je                  0xb

        $sequence_18 = { 83c408 85c0 750e 8b4d08 51 }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx

        $sequence_19 = { 03c2 c1cd02 03442438 8bce 8b542424 }
            // n = 5, score = 100
            //   03c2                 | add                 eax, edx
            //   c1cd02               | ror                 ebp, 2
            //   03442438             | add                 eax, dword ptr [esp + 0x38]
            //   8bce                 | mov                 ecx, esi
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]

        $sequence_20 = { 57 8db8a4bd4200 57 ff15???????? ff0d???????? 83ef18 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8db8a4bd4200         | lea                 edi, [eax + 0x42bda4]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   ff0d????????         |                     
            //   83ef18               | sub                 edi, 0x18

        $sequence_21 = { ff15???????? 85c0 7909 0f57c0 660f13442418 6a00 68???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7909                 | jns                 0xb
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13442418         | movlpd              qword ptr [esp + 0x18], xmm0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_22 = { 85c0 7414 c70000000000 f6c102 7409 b82b800280 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   f6c102               | test                cl, 2
            //   7409                 | je                  0xb
            //   b82b800280           | mov                 eax, 0x8002802b

        $sequence_23 = { 5b 5d c21400 8b4518 8b0cf580b74200 5f 5e }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c21400               | ret                 0x14
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8b0cf580b74200       | mov                 ecx, dword ptr [esi*8 + 0x42b780]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_24 = { 785f b901000000 2b48fc 8b40f8 2bc6 0bc8 7d0b }
            // n = 7, score = 100
            //   785f                 | js                  0x61
            //   b901000000           | mov                 ecx, 1
            //   2b48fc               | sub                 ecx, dword ptr [eax - 4]
            //   8b40f8               | mov                 eax, dword ptr [eax - 8]
            //   2bc6                 | sub                 eax, esi
            //   0bc8                 | or                  ecx, eax
            //   7d0b                 | jge                 0xd

        $sequence_25 = { 8d859ceeffff 50 e8???????? 6a66 }
            // n = 4, score = 100
            //   8d859ceeffff         | lea                 eax, [ebp - 0x1164]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a66                 | push                0x66

        $sequence_26 = { 8d8d78ceffff e8???????? 8a0d???????? 807d1300 }
            // n = 4, score = 100
            //   8d8d78ceffff         | lea                 ecx, [ebp - 0x3188]
            //   e8????????           |                     
            //   8a0d????????         |                     
            //   807d1300             | cmp                 byte ptr [ebp + 0x13], 0

        $sequence_27 = { 0fb7c0 88440df0 41 894dfc }
            // n = 4, score = 100
            //   0fb7c0               | movzx               eax, ax
            //   88440df0             | mov                 byte ptr [ebp + ecx - 0x10], al
            //   41                   | inc                 ecx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_28 = { ff511c 33c0 5f 5e 5b 8be5 5d }
            // n = 7, score = 100
            //   ff511c               | call                dword ptr [ecx + 0x1c]
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

    /* Matches when any 7 of the 29 sequences ($sequence_0..$sequence_28) are
     * present and the scanned object is smaller than 843776 bytes (824 KiB).
     * "7 of them" counts every sequence equally -- the score tiers above do
     * not weight the decision, so seven score-100 hits satisfy the condition
     * as readily as the score-1200 ones. Short generic sequences such as
     * $sequence_0 (push/mov/call/test) could plausibly occur in unrelated
     * 32-bit code; the threshold, not any single sequence, is what gives the
     * rule its specificity, so treat partial hits as weak signal. The filesize
     * bound also means a larger memory dump will not match even if the
     * sequences are present in it. */
    condition:
        7 of them and filesize < 843776
}