win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites. It is typically targeted at Swiss banks, although campaigns against banks in Sweden, Japan and other countries have also been documented (see the Unit 42 reference below), and a 2017 campaign additionally incorporated the EternalBlue exploit (see the Threatpost reference). The malware binary itself is primarily a dropper for a JavaScript file, which builds a VBA file that in turn loads multiple tools onto the host, including 7-Zip and Tor. The VBA installs a new, attacker-controlled root certificate on the host and then forwards all traffic via Tor to an attacker-controlled host; together with the injected root certificate this lets the attacker transparently intercept (MITM) the victim's TLS traffic to the targeted banking sites.

References
2019-05-23 · Vulnerability.ch Blog · Corsin Camichel
@online{camichel:20190523:analysing:9a4f909, author = {Corsin Camichel}, title = {{Analysing "Retefe" with Sysmon and Splunk}}, date = {2019-05-23}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/}, language = {English}, urldate = {2019-07-09} } Analysing "Retefe" with Sysmon and Splunk
Retefe
2019-05-02 · Proofpoint · Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } 2019: The Return of Retefe
Dok Retefe SmokeLoader
2019-03-09 · Github (cocaman) · Corsin Camichel
@online{camichel:20190309:retefe:3414337, author = {Corsin Camichel}, title = {{retefe: Artefacts from various retefe campaigns}}, date = {2019-03-09}, organization = {Github (cocaman)}, url = {https://github.com/cocaman/retefe}, language = {English}, urldate = {2020-01-13} } retefe: Artefacts from various retefe campaigns
Retefe
2018-12-30 · Github (Tomasuh) · Tomasuh
@online{tomasuh:20181230:retefe:96e64b4, author = {Tomasuh}, title = {{Retefe unpacker}}, date = {2018-12-30}, organization = {Github (Tomasuh)}, url = {https://github.com/Tomasuh/retefe-unpacker}, language = {English}, urldate = {2020-01-07} } Retefe unpacker
Retefe
2018-11-08 · GovCERT.ch · GovCERT.ch
@online{govcertch:20181108:reversing:87c494c, author = {GovCERT.ch}, title = {{Reversing Retefe}}, date = {2018-11-08}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/35/reversing-retefe}, language = {English}, urldate = {2019-11-21} } Reversing Retefe
Retefe
2017-09-22 · Threatpost · Tom Spring
@online{spring:20170922:eternalblue:a6be32b, author = {Tom Spring}, title = {{EternalBlue Exploit Used in Retefe Banking Trojan Campaign}}, date = {2017-09-22}, organization = {Threatpost}, url = {https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/}, language = {English}, urldate = {2020-01-08} } EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Retefe
2017-08-03 · GovCERT.ch · GovCERT.ch
@online{govcertch:20170803:retefe:07f6df3, author = {GovCERT.ch}, title = {{The Retefe Saga}}, date = {2017-08-03}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/33/the-retefe-saga}, language = {English}, urldate = {2020-01-13} } The Retefe Saga
Retefe Dok Retefe
2015-08-20 · Palo Alto Networks Unit 42 · Brandon Levene, Robert Falcone, Josh Grunzweig, Bryan Lee, Ryan Olson
@online{levene:20150820:retefe:b3a0c4f, author = {Brandon Levene and Robert Falcone and Josh Grunzweig and Bryan Lee and Ryan Olson}, title = {{Retefe Banking Trojan Targets Sweden, Switzerland and Japan}}, date = {2015-08-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/}, language = {English}, urldate = {2019-12-20} } Retefe Banking Trojan Targets Sweden, Switzerland and Japan
Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20211008 | Detects win.retefe.)
/*
 * win_retefe_auto — auto-generated code-sequence signature for the Retefe
 * banking trojan (Malpedia family win.retefe).
 *
 * How it matches: every $sequence_N is a short run of raw 32-bit x86 opcode
 * bytes (the disassembly in the comments uses esi/edi/esp/ebp) lifted from
 * unpacked or memory-dumped samples. The "??" wildcards mask the rel32/disp32
 * operands of call/jmp and absolute memory references so that those patterns
 * survive relocation of their targets. A scanned object hits when at least 7
 * of the 29 sequences are present AND it is smaller than 843776 bytes.
 *
 * Reviewer notes for anyone assigning confidence to hits:
 *  - The strings were selected from UNPACKED / dumped code (see disclaimer
 *    below). A packed Retefe dropper on disk is therefore unlikely to match;
 *    scan unpacked samples or memory, and note that `filesize` is only
 *    meaningful for file scans — NOTE(review): confirm how your engine treats
 *    `filesize` when scanning process memory.
 *  - "score" in each sequence comment comes from the generator and is not
 *    defined on this page. $sequence_0..12 carry 800/1200 while
 *    $sequence_13..28 carry 100; presumably the higher-scored sequences were
 *    observed across more of the reference samples, so treat the 100-scored
 *    ones as weaker evidence — TODO confirm against yara-signator's scoring.
 *  - Several sequences overlap: $sequence_2 ends with the bytes $sequence_0
 *    begins with (7410 6a09), and $sequence_4 contains $sequence_8's
 *    "6a08 e8???????? 894604". One code site can thus satisfy two of the
 *    "7 of them" at once, so the effective evidence is a little less than 7
 *    independent matches.
 *  - $sequence_15, $sequence_20 and $sequence_23 embed absolute image
 *    addresses (0x42c1f8, 0x413e50, 0x413270) that are NOT wildcarded; they
 *    only match builds with the same image base and section layout.
 *  - $sequence_5, $sequence_6, $sequence_9 and $sequence_10 are bare runs of
 *    `push imm8`; such byte runs can also occur in unrelated code that stages
 *    constants on the stack, so on their own they are weak evidence.
 *  - $sequence_17 returns 0x80020003 and $sequence_23 is SSE2 double-precision
 *    arithmetic; both look more like library / runtime code than
 *    family-specific logic — NOTE(review): verify before relying on them.
 */
rule win_retefe_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.retefe."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each hex string below is one opcode run; the "// n = K, score = S"
    // comment gives the number of instructions (K) and the generator's score
    // (S) for that run. Wildcards (??) stand for relocatable operands only.
    strings:
        $sequence_0 = { 7410 6a09 56 ff15???????? }
            // n = 4, score = 1200
            //   7410                 | je                  0x12
            //   6a09                 | push                9
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_1 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        // Overlaps $sequence_0: its last two instructions (7410 6a09) are
        // $sequence_0's first two, so the same code site can satisfy both.
        $sequence_2 = { 8bf0 85f6 7410 6a09 }
            // n = 4, score = 1200
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   6a09                 | push                9

        $sequence_3 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        // Superset of $sequence_8 (6a08 e8???????? 894604 appears in both).
        $sequence_4 = { 6a08 e8???????? 894604 83c404 8bc6 e8???????? }
            // n = 6, score = 800
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        // $sequence_5/6/9/10: plain runs of `push imm8` — weak on their own.
        $sequence_5 = { 6a92 6a4f 6a82 6a74 6a87 6a50 6af4 }
            // n = 7, score = 800
            //   6a92                 | push                -0x6e
            //   6a4f                 | push                0x4f
            //   6a82                 | push                -0x7e
            //   6a74                 | push                0x74
            //   6a87                 | push                -0x79
            //   6a50                 | push                0x50
            //   6af4                 | push                -0xc

        $sequence_6 = { 6a90 6a19 6ad6 6a2c 6ad3 6a13 }
            // n = 6, score = 800
            //   6a90                 | push                -0x70
            //   6a19                 | push                0x19
            //   6ad6                 | push                -0x2a
            //   6a2c                 | push                0x2c
            //   6ad3                 | push                -0x2d
            //   6a13                 | push                0x13

        $sequence_7 = { 880c10 8b4e04 40 3b4104 }
            // n = 4, score = 800
            //   880c10               | mov                 byte ptr [eax + edx], cl
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]

        $sequence_8 = { e8???????? 6a08 e8???????? 894604 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_9 = { 6a52 6af1 6a72 6a8a 6a3f 6a8e }
            // n = 6, score = 800
            //   6a52                 | push                0x52
            //   6af1                 | push                -0xf
            //   6a72                 | push                0x72
            //   6a8a                 | push                -0x76
            //   6a3f                 | push                0x3f
            //   6a8e                 | push                -0x72

        $sequence_10 = { 6a18 6a8f 6aa3 6aa3 }
            // n = 4, score = 800
            //   6a18                 | push                0x18
            //   6a8f                 | push                -0x71
            //   6aa3                 | push                -0x5d
            //   6aa3                 | push                -0x5d

        $sequence_11 = { 52 e8???????? 8b4e04 8901 8b4e04 33c0 }
            // n = 6, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax

        $sequence_12 = { 51 ffd3 b810000000 6a20 }
            // n = 4, score = 800
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   b810000000           | mov                 eax, 0x10
            //   6a20                 | push                0x20

        // From here on every sequence carries score = 100 (see header note).
        $sequence_13 = { 59 89442410 663908 74d4 8b7c2414 }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   663908               | cmp                 word ptr [eax], cx
            //   74d4                 | je                  0xffffffd6
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_14 = { e8???????? 50 68c9000000 e8???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   68c9000000           | push                0xc9
            //   e8????????           |                     

        // Contains the absolute address 0x42c1f8 (not wildcarded) — only
        // matches builds with this exact image base/layout.
        $sequence_15 = { 56 57 8d1c85f8c14200 8b03 8b15???????? 83cfff 8bca }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d1c85f8c14200       | lea                 ebx, dword ptr [eax*4 + 0x42c1f8]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b15????????         |                     
            //   83cfff               | or                  edi, 0xffffffff
            //   8bca                 | mov                 ecx, edx

        $sequence_16 = { 56 56 0fb7c0 50 e8???????? }
            // n = 5, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax
            //   e8????????           |                     

        // Function epilogue returning 0x80020003; looks like a generic
        // error-return path (NOTE(review): possibly an HRESULT — confirm).
        $sequence_17 = { b803000280 5f 5e 5b 8be5 5d }
            // n = 6, score = 100
            //   b803000280           | mov                 eax, 0x80020003
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_18 = { 7580 5f 85f6 7418 }
            // n = 4, score = 100
            //   7580                 | jne                 0xffffff82
            //   5f                   | pop                 edi
            //   85f6                 | test                esi, esi
            //   7418                 | je                  0x1a

        $sequence_19 = { 8d442410 c1e604 0337 50 ffd3 }
            // n = 5, score = 100
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   c1e604               | shl                 esi, 4
            //   0337                 | add                 esi, dword ptr [edi]
            //   50                   | push                eax
            //   ffd3                 | call                ebx

        // Contains the absolute address 0x413e50 (not wildcarded).
        $sequence_20 = { 660f1f840000000000 8b11 8a88503e4100 880c10 40 }
            // n = 5, score = 100
            //   660f1f840000000000     | nop    word ptr [eax + eax]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8a88503e4100         | mov                 cl, byte ptr [eax + 0x413e50]
            //   880c10               | mov                 byte ptr [eax + edx], cl
            //   40                   | inc                 eax

        $sequence_21 = { 8bc7 99 2bc2 d1fb }
            // n = 4, score = 100
            //   8bc7                 | mov                 eax, edi
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx
            //   d1fb                 | sar                 ebx, 1

        $sequence_22 = { 0f9505???????? 830d????????ff 2bd3 8b3d???????? 1b3d???????? }
            // n = 5, score = 100
            //   0f9505????????       |                     
            //   830d????????ff       |                     
            //   2bd3                 | sub                 edx, ebx
            //   8b3d????????         |                     
            //   1b3d????????         |                     

        // SSE2 double-precision math with an absolute operand address
        // (0x413270, not wildcarded); looks like runtime/library code.
        $sequence_23 = { 660f28aa70324100 660f54e5 660f58fe 660f58fc 660f59c8 f20f59d8 }
            // n = 6, score = 100
            //   660f28aa70324100     | movapd              xmm5, xmmword ptr [edx + 0x413270]
            //   660f54e5             | andpd               xmm4, xmm5
            //   660f58fe             | addpd               xmm7, xmm6
            //   660f58fc             | addpd               xmm7, xmm4
            //   660f59c8             | mulpd               xmm1, xmm0
            //   f20f59d8             | mulsd               xmm3, xmm0

        $sequence_24 = { 68???????? ff15???????? 85c0 7814 57 68???????? 6a17 }
            // n = 7, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7814                 | js                  0x16
            //   57                   | push                edi
            //   68????????           |                     
            //   6a17                 | push                0x17

        $sequence_25 = { 6a03 50 8b08 ff5114 }
            // n = 4, score = 100
            //   6a03                 | push                3
            //   50                   | push                eax
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   ff5114               | call                dword ptr [ecx + 0x14]

        $sequence_26 = { 8b7d1c 85ff 7406 8b7708 4e eb03 83ceff }
            // n = 7, score = 100
            //   8b7d1c               | mov                 edi, dword ptr [ebp + 0x1c]
            //   85ff                 | test                edi, edi
            //   7406                 | je                  8
            //   8b7708               | mov                 esi, dword ptr [edi + 8]
            //   4e                   | dec                 esi
            //   eb03                 | jmp                 5
            //   83ceff               | or                  esi, 0xffffffff

        $sequence_27 = { 33db 8bc1 334548 0fb7c0 0bc3 }
            // n = 5, score = 100
            //   33db                 | xor                 ebx, ebx
            //   8bc1                 | mov                 eax, ecx
            //   334548               | xor                 eax, dword ptr [ebp + 0x48]
            //   0fb7c0               | movzx               eax, ax
            //   0bc3                 | or                  eax, ebx

        $sequence_28 = { 53 e8???????? 33f6 8ad8 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   8ad8                 | mov                 bl, al

    // At least 7 of the 29 sequences must be present (any mix of scores —
    // the condition does not weight them), and the object must be under
    // 843776 bytes. Because the patterns come from unpacked code, apply the
    // rule to unpacked samples or memory dumps rather than packed droppers.
    condition:
        7 of them and filesize < 843776
}