win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary function is to help the attacker steal credentials for online banking websites, and it is typically targeted against Swiss banks. The malware binary itself is primarily a dropper for a JavaScript file, which builds a VBA file that in turn loads several tools onto the host, including 7-Zip and Tor. The VBA installs a new root certificate and then forwards all traffic via Tor to an attacker-controlled host, which lets the attacker effectively man-in-the-middle (MITM) TLS traffic.

References
2019-05-23 | Vulnerability.ch Blog | Corsin Camichel
Analysing "Retefe" with Sysmon and Splunk
https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/
Families: Retefe

2019-05-02 | Proofpoint | Bryan Campbell, Proofpoint Threat Insight Team
2019: The Return of Retefe
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
Families: Dok, Retefe, SmokeLoader

2019-03-09 | Github (cocaman) | Corsin Camichel
retefe: Artefacts from various retefe campaigns
https://github.com/cocaman/retefe
Families: Retefe

2018-12-30 | Github (Tomasuh) | Tomasuh
Retefe unpacker
https://github.com/Tomasuh/retefe-unpacker
Families: Retefe

2018-11-08 | GovCERT.ch | GovCERT.ch
Reversing Retefe
https://www.govcert.admin.ch/blog/35/reversing-retefe
Families: Retefe

2017-09-22 | Threatpost | Tom Spring
EternalBlue Exploit Used in Retefe Banking Trojan Campaign
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/
Families: Retefe

2017-08-03 | GovCERT.ch | GovCERT.ch
The Retefe Saga
https://www.govcert.admin.ch/blog/33/the-retefe-saga
Families: Retefe, Dok, Retefe

2015-08-20 | Palo Alto Networks Unit 42 | Brandon Levene, Robert Falcone, Josh Grunzweig, Bryan Lee, Ryan Olson
Retefe Banking Trojan Targets Sweden, Switzerland and Japan
https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/
Families: Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20220411 | Detects win.retefe.)
rule win_retefe_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.retefe."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_1 = { 6a00 6a01 ff15???????? 8bf0 85f6 7410 6a09 }
            // n = 7, score = 1200
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   6a09                 | push                9

        $sequence_2 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        $sequence_3 = { 52 e8???????? 8b4e04 8901 }
            // n = 4, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_4 = { 6a3b 6ada 6a53 6ac7 6a36 6acb 6a18 }
            // n = 7, score = 800
            //   6a3b                 | push                0x3b
            //   6ada                 | push                -0x26
            //   6a53                 | push                0x53
            //   6ac7                 | push                -0x39
            //   6a36                 | push                0x36
            //   6acb                 | push                -0x35
            //   6a18                 | push                0x18

        $sequence_5 = { 894604 83c404 8bc6 e8???????? }
            // n = 4, score = 800
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_6 = { e8???????? 6a08 e8???????? 894604 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_7 = { 8b4e04 8901 8b4e04 33c0 83c404 }
            // n = 5, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax
            //   83c404               | add                 esp, 4

        $sequence_8 = { 6aaf 6a05 e8???????? 50 e8???????? 83c41c 8d8ddcfeffff }
            // n = 7, score = 800
            //   6aaf                 | push                -0x51
            //   6a05                 | push                5
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   8d8ddcfeffff         | lea                 ecx, dword ptr [ebp - 0x124]

        $sequence_9 = { 6a0e 6a3b 6a95 6ae7 6a07 6a22 6a80 }
            // n = 7, score = 800
            //   6a0e                 | push                0xe
            //   6a3b                 | push                0x3b
            //   6a95                 | push                -0x6b
            //   6ae7                 | push                -0x19
            //   6a07                 | push                7
            //   6a22                 | push                0x22
            //   6a80                 | push                -0x80

        $sequence_10 = { 6a7f 6afa 6aad 6a00 6a74 6a95 6ae1 }
            // n = 7, score = 800
            //   6a7f                 | push                0x7f
            //   6afa                 | push                -6
            //   6aad                 | push                -0x53
            //   6a00                 | push                0
            //   6a74                 | push                0x74
            //   6a95                 | push                -0x6b
            //   6ae1                 | push                -0x1f

        $sequence_11 = { 8b4e04 40 3b4104 72ec }
            // n = 4, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]
            //   72ec                 | jb                  0xffffffee

        $sequence_12 = { 6ac3 6a25 6ad0 6a0e 6ad8 6a31 6adc }
            // n = 7, score = 800
            //   6ac3                 | push                -0x3d
            //   6a25                 | push                0x25
            //   6ad0                 | push                -0x30
            //   6a0e                 | push                0xe
            //   6ad8                 | push                -0x28
            //   6a31                 | push                0x31
            //   6adc                 | push                -0x24

        $sequence_13 = { 0f8564ffffff eb1a 68???????? 68???????? }
            // n = 4, score = 100
            //   0f8564ffffff         | jne                 0xffffff6a
            //   eb1a                 | jmp                 0x1c
            //   68????????           |                     
            //   68????????           |                     

        $sequence_14 = { 6bd830 8b04bda0bf4200 f644032801 7444 837c0318ff 743d }
            // n = 6, score = 100
            //   6bd830               | imul                ebx, eax, 0x30
            //   8b04bda0bf4200       | mov                 eax, dword ptr [edi*4 + 0x42bfa0]
            //   f644032801           | test                byte ptr [ebx + eax + 0x28], 1
            //   7444                 | je                  0x46
            //   837c0318ff           | cmp                 dword ptr [ebx + eax + 0x18], -1
            //   743d                 | je                  0x3f

        $sequence_15 = { c701???????? 7418 80791000 7512 }
            // n = 4, score = 100
            //   c701????????         |                     
            //   7418                 | je                  0x1a
            //   80791000             | cmp                 byte ptr [ecx + 0x10], 0
            //   7512                 | jne                 0x14

        $sequence_16 = { ff15???????? 85c0 7514 8d459c }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   8d459c               | lea                 eax, dword ptr [ebp - 0x64]

        $sequence_17 = { 8b4e10 85c9 7406 8b01 51 ff5008 8b4e0c }
            // n = 7, score = 100
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   85c9                 | test                ecx, ecx
            //   7406                 | je                  8
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   51                   | push                ecx
            //   ff5008               | call                dword ptr [eax + 8]
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]

        $sequence_18 = { 51 e8???????? 33ed 89442424 45 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   33ed                 | xor                 ebp, ebp
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   45                   | inc                 ebp

        $sequence_19 = { 894d58 8d8d0cffffff 0345cc a3???????? }
            // n = 4, score = 100
            //   894d58               | mov                 dword ptr [ebp + 0x58], ecx
            //   8d8d0cffffff         | lea                 ecx, dword ptr [ebp - 0xf4]
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]
            //   a3????????           |                     

        $sequence_20 = { 8be5 5d c22400 e9???????? }
            // n = 4, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c22400               | ret                 0x24
            //   e9????????           |                     

        $sequence_21 = { 51 8b4108 8906 8b01 ff5004 33c0 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   33c0                 | xor                 eax, eax

        $sequence_22 = { ebe6 8b45e4 8b0c85a0bf4200 8b45e8 f644012880 7446 }
            // n = 6, score = 100
            //   ebe6                 | jmp                 0xffffffe8
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b0c85a0bf4200       | mov                 ecx, dword ptr [eax*4 + 0x42bfa0]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80
            //   7446                 | je                  0x48

        $sequence_23 = { c3 8bff 55 8bec 8b4d08 33c0 3b0cc548fc4000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   3b0cc548fc4000       | cmp                 ecx, dword ptr [eax*8 + 0x40fc48]

        $sequence_24 = { 83e004 50 be???????? 56 }
            // n = 4, score = 100
            //   83e004               | and                 eax, 4
            //   50                   | push                eax
            //   be????????           |                     
            //   56                   | push                esi

        $sequence_25 = { 53 6bd830 56 8b048da0bf4200 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   6bd830               | imul                ebx, eax, 0x30
            //   56                   | push                esi
            //   8b048da0bf4200       | mov                 eax, dword ptr [ecx*4 + 0x42bfa0]

        $sequence_26 = { ff5108 8b0f 6a02 68???????? 51 8b11 ff5220 }
            // n = 7, score = 100
            //   ff5108               | call                dword ptr [ecx + 8]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   6a02                 | push                2
            //   68????????           |                     
            //   51                   | push                ecx
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   ff5220               | call                dword ptr [edx + 0x20]

        $sequence_27 = { 8d0490 8944243c 83ff04 7d1d }
            // n = 4, score = 100
            //   8d0490               | lea                 eax, dword ptr [eax + edx*4]
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   83ff04               | cmp                 edi, 4
            //   7d1d                 | jge                 0x1f

        $sequence_28 = { e9???????? 8d857c93ffff 50 e8???????? }
            // n = 4, score = 100
            //   e9????????           |                     
            //   8d857c93ffff         | lea                 eax, dword ptr [ebp - 0x6c84]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 843776
}
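To show how this autogenerated signature actually matches, here is an added Python example (not part of Malpedia or yara-signator) that compiles a subset of the rule's hex strings, `??` wildcards included, into byte regexes and evaluates the `7 of them and filesize < 843776` condition against a constructed buffer. The `scan`, `instantiate` and `build_sample` helpers and the padded sample bytes are assumptions for illustration only; a real scan would use YARA itself.

```python
import re

# Hex strings copied from the win_retefe_auto rule above. A "??" byte is a YARA
# wildcard: yara-signator masks relocatable operands (ff15, e8, e9, 68, a3 ...).
SEQUENCES = {
    "sequence_0": "51 8bf8 ffd6 85c0",
    "sequence_1": "6a00 6a01 ff15???????? 8bf0 85f6 7410 6a09",
    "sequence_2": "68f5000000 50 ff15???????? b801000000",
    "sequence_3": "52 e8???????? 8b4e04 8901",
    "sequence_5": "894604 83c404 8bc6 e8????????",
    "sequence_7": "8b4e04 8901 8b4e04 33c0 83c404",
    "sequence_11": "8b4e04 40 3b4104 72ec",
    "sequence_20": "8be5 5d c22400 e9????????",
}
MAX_FILESIZE = 843776   # "filesize < 843776" in the rule's condition
MIN_MATCHES = 7         # "7 of them"

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as '6a00 ff15????????' into a bytes regex."""
    nibbles = pattern.replace(" ", "")
    if len(nibbles) % 2:
        raise ValueError("hex pattern has an odd nibble count")
    parts = []
    for i in range(0, len(nibbles), 2):
        tok = nibbles[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}

def scan(buf: bytes) -> dict:
    """Emulate the rule on an in-memory buffer: which strings hit, and whether
    '7 of them and filesize < 843776' would fire (filesize = len(buf))."""
    matched = [name for name, rx in COMPILED.items() if rx.search(buf)]
    fires = len(matched) >= MIN_MATCHES and len(buf) < MAX_FILESIZE
    return {"matched": matched, "fires": fires}

def instantiate(pattern: str, fill: int = 0x41) -> bytes:
    """Constructed test data: one concrete byte string the pattern matches, wildcards = fill."""
    nibbles = pattern.replace(" ", "")
    return bytes(fill if nibbles[i:i + 2] == "??" else int(nibbles[i:i + 2], 16)
                 for i in range(0, len(nibbles), 2))

def build_sample(names) -> bytes:
    """Constructed sample (not a real binary): int3 padding around the chosen sequences."""
    body = b"\xcc" * 16
    for name in names:
        body += instantiate(SEQUENCES[name]) + b"\xcc" * 8
    return body

if __name__ == "__main__":
    print(scan(build_sample(list(SEQUENCES))))               # fires: True
    print(scan(build_sample(["sequence_0", "sequence_3"])))  # fires: False
```

Because every call and jump target is wildcarded, the strings survive relocation and rebasing, but a sample with fewer than seven of the 29 sequences, or one larger than the size bound, will not trigger the rule.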