win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file, which builds a VBA file, which in turn loads multiple tools onto the host including 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-controlled host in order to effectively man-in-the-middle (MITM) TLS traffic.

References
2019-05-23 — Vulnerability.ch Blog — Corsin Camichel
Analysing "Retefe" with Sysmon and Splunk
Retefe
2019-05-02 — Proofpoint — Bryan Campbell, Proofpoint Threat Insight Team
2019: The Return of Retefe
Dok Retefe SmokeLoader
2019-03-09 — GitHub (cocaman) — Corsin Camichel
retefe: Artefacts from various retefe campaigns
Retefe
2018-12-30 — GitHub (Tomasuh) — Tomasuh
Retefe unpacker
Retefe
2018-11-08 — GovCERT.ch — GovCERT.ch
Reversing Retefe
Retefe
2017-09-22 — Threatpost — Tom Spring
EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Retefe
2017-08-03 — GovCERT.ch — GovCERT.ch
The Retefe Saga
Retefe Dok Retefe
2015-08-20 — Palo Alto Networks Unit 42 — Brandon Levene, Bryan Lee, Josh Grunzweig, Robert Falcone, Ryan Olson
Retefe Banking Trojan Targets Sweden, Switzerland and Japan
Retefe
Yara Rules
[TLP:WHITE] win_retefe_auto (20230808 | Detects win.retefe.)
/*
 * Detection rule for the Retefe banking trojan (Malpedia family win.retefe).
 *
 * How to read it: every $sequence_N below is a hex string lifted from the
 * disassembly of a sample (see the DISCLAIMER in the rule body). "??" bytes
 * are YARA wildcards; here they mask the operands that change between
 * builds -- the rel32 target of an "e8" call, the absolute import pointer of
 * an "ff15" call, and the absolute addresses in "a3"/"890d" stores -- so the
 * opcode skeleton is matched while the relocatable parts are ignored.
 *
 * The "n = ..., score = ..." lines under each string are generator
 * metadata, not YARA syntax: n is the number of instructions in the
 * sequence (it matches the count of disassembly lines beneath it); score is
 * presumably the generator's weighting of how widely the sequence occurs in
 * the Malpedia corpus -- TODO confirm against the yara-signator docs. The
 * condition does not use the score; every string is weighted equally.
 *
 * Triage note (inferred, not stated by the generator): $sequence_13 through
 * $sequence_28 carry the lowest score and several of them embed absolute
 * addresses (0x42bfa0, 0x42b1cc, 0x412258, 0x434093, ...), which suggests
 * they are tied to a single sample's image base. A hit that is carried
 * mostly by those low-score strings deserves more scrutiny than one carried
 * by the score-800/1200 strings.
 */
rule win_retefe_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): three different dates appear below -- "date",
        // "malpedia_rule_date" and "malpedia_version"; presumably generation
        // date, rule-set release date and dataset version respectively. Confirm
        // before using any of them as a "last updated" value in tooling.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.retefe."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 29 hex strings ($sequence_0 .. $sequence_28). Each is an x86 (32-bit)
        // instruction run; the disassembly in the comments is informational only.
        $sequence_0 = { 6a00 6a01 ff15???????? 8bf0 85f6 7410 6a09 }
            // n = 7, score = 1200
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   6a09                 | push                9

        $sequence_1 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_2 = { 68f5000000 50 ff15???????? b801000000 }
            // n = 4, score = 1200
            //   68f5000000           | push                0xf5
            //   50                   | push                eax
            //   ff15????????         |                     
            //   b801000000           | mov                 eax, 1

        $sequence_3 = { e8???????? 6a08 e8???????? 894604 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   6a08                 | push                8
            //   e8????????           |                     
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_4 = { 6a24 6a5a 6a24 e8???????? 81c494000000 }
            // n = 5, score = 800
            //   6a24                 | push                0x24
            //   6a5a                 | push                0x5a
            //   6a24                 | push                0x24
            //   e8????????           |                     
            //   81c494000000         | add                 esp, 0x94

        $sequence_5 = { 8b4e04 8901 8b4e04 33c0 83c404 394104 }
            // n = 6, score = 800
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   33c0                 | xor                 eax, eax
            //   83c404               | add                 esp, 4
            //   394104               | cmp                 dword ptr [ecx + 4], eax

        $sequence_6 = { 6a0e 6aeb 6a1a 6a96 6a0d }
            // n = 5, score = 800
            //   6a0e                 | push                0xe
            //   6aeb                 | push                -0x15
            //   6a1a                 | push                0x1a
            //   6a96                 | push                -0x6a
            //   6a0d                 | push                0xd

        $sequence_7 = { 894604 83c404 8bc6 e8???????? }
            // n = 4, score = 800
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   83c404               | add                 esp, 4
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     

        $sequence_8 = { 51 ff15???????? 8b95d8efffff 50 52 ff15???????? 50 }
            // n = 7, score = 800
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b95d8efffff         | mov                 edx, dword ptr [ebp - 0x1028]
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { 52 e8???????? 8b4e04 8901 }
            // n = 4, score = 800
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_10 = { 6ad1 6a1a 6a55 6ad7 6ad1 }
            // n = 5, score = 800
            //   6ad1                 | push                -0x2f
            //   6a1a                 | push                0x1a
            //   6a55                 | push                0x55
            //   6ad7                 | push                -0x29
            //   6ad1                 | push                -0x2f

        $sequence_11 = { 880c10 8b4e04 40 3b4104 }
            // n = 4, score = 800
            //   880c10               | mov                 byte ptr [eax + edx], cl
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   40                   | inc                 eax
            //   3b4104               | cmp                 eax, dword ptr [ecx + 4]

        $sequence_12 = { 50 e8???????? 83c408 e8???????? 99 b960f59000 }
            // n = 6, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b960f59000           | mov                 ecx, 0x90f560

        // From here on the score drops to 100; see the triage note in the
        // header comment about the absolute addresses these strings contain.
        $sequence_13 = { 8bec 837d0c00 7409 b80b000280 }
            // n = 4, score = 100
            //   8bec                 | mov                 ebp, esp
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7409                 | je                  0xb
            //   b80b000280           | mov                 eax, 0x8002000b

        $sequence_14 = { 56 33f6 8b86a0bf4200 85c0 740e }
            // n = 5, score = 100
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   8b86a0bf4200         | mov                 eax, dword ptr [esi + 0x42bfa0]
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10

        $sequence_15 = { 43 85ff 0f851fffffff 5f }
            // n = 4, score = 100
            //   43                   | inc                 ebx
            //   85ff                 | test                edi, edi
            //   0f851fffffff         | jne                 0xffffff25
            //   5f                   | pop                 edi

        $sequence_16 = { 6a00 ffb42424200000 e8???????? 8b8c2418200000 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   ffb42424200000       | push                dword ptr [esp + 0x2024]
            //   e8????????           |                     
            //   8b8c2418200000       | mov                 ecx, dword ptr [esp + 0x2018]

        $sequence_17 = { 8b0495a0bf4200 f644082801 7421 57 e8???????? }
            // n = 5, score = 100
            //   8b0495a0bf4200       | mov                 eax, dword ptr [edx*4 + 0x42bfa0]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7421                 | je                  0x23
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_18 = { 46 85f6 7410 83fe01 75a0 }
            // n = 5, score = 100
            //   46                   | inc                 esi
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12
            //   83fe01               | cmp                 esi, 1
            //   75a0                 | jne                 0xffffffa2

        $sequence_19 = { 0fb611 0fb6c0 eb17 81fa00010000 7313 8a87ccb14200 }
            // n = 6, score = 100
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   0fb6c0               | movzx               eax, al
            //   eb17                 | jmp                 0x19
            //   81fa00010000         | cmp                 edx, 0x100
            //   7313                 | jae                 0x15
            //   8a87ccb14200         | mov                 al, byte ptr [edi + 0x42b1cc]

        $sequence_20 = { 8b742414 85f6 7553 32c0 }
            // n = 4, score = 100
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   85f6                 | test                esi, esi
            //   7553                 | jne                 0x55
            //   32c0                 | xor                 al, al

        $sequence_21 = { 57 81fb00020000 0f8daa000000 6800080000 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   81fb00020000         | cmp                 ebx, 0x200
            //   0f8daa000000         | jge                 0xb0
            //   6800080000           | push                0x800

        $sequence_22 = { 8b4218 a3???????? 8b4a08 890d???????? 8b420c }
            // n = 5, score = 100
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]
            //   a3????????           |                     
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]
            //   890d????????         |                     
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]

        $sequence_23 = { 33c0 668906 8b7c2414 8d5f20 }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   668906               | mov                 word ptr [esi], ax
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   8d5f20               | lea                 ebx, [edi + 0x20]

        $sequence_24 = { e8???????? 8b404c 83b8a800000000 7512 8b04bda0bf4200 807c302900 7504 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b404c               | mov                 eax, dword ptr [eax + 0x4c]
            //   83b8a800000000       | cmp                 dword ptr [eax + 0xa8], 0
            //   7512                 | jne                 0x14
            //   8b04bda0bf4200       | mov                 eax, dword ptr [edi*4 + 0x42bfa0]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6

        $sequence_25 = { 88048d93404300 88048d923c4300 84d2 7412 }
            // n = 4, score = 100
            //   88048d93404300       | mov                 byte ptr [ecx*4 + 0x434093], al
            //   88048d923c4300       | mov                 byte ptr [ecx*4 + 0x433c92], al
            //   84d2                 | test                dl, dl
            //   7412                 | je                  0x14

        $sequence_26 = { 8b7004 8b38 4e 8bce e8???????? }
            // n = 5, score = 100
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   4e                   | dec                 esi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_27 = { 8b4d08 85c9 7512 e8???????? 5e }
            // n = 5, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   85c9                 | test                ecx, ecx
            //   7512                 | jne                 0x14
            //   e8????????           |                     
            //   5e                   | pop                 esi

        $sequence_28 = { 5f 894df0 8b34cd58224100 8b4d08 6a5a 2bce }
            // n = 6, score = 100
            //   5f                   | pop                 edi
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b34cd58224100       | mov                 esi, dword ptr [ecx*8 + 0x412258]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a5a                 | push                0x5a
            //   2bce                 | sub                 ecx, esi

    // Match rule: any 7 of the 29 strings, in any order and at any offset,
    // and a scanned object smaller than 843776 bytes (exactly 824 KiB).
    // The size bound is a false-positive / performance guard on the file
    // being scanned; note that it also excludes larger memory dumps, so when
    // scanning unpacked material or process memory the cap may need to be
    // lifted even though the strings themselves were derived from such data.
    condition:
        7 of them and filesize < 843776
}