Monday, November 27, 2017

Retefe loaded with new MUILanguage Sandbox Evasion

Lately, we came across a new Retefe version which uses a nice trick to bypass sandboxes (Retefe is a well-known and sophisticated e-banking trojan). The initial analysis looks quite normal: there is no suspicious behavior, no dropped files, no domain requests, etc.

One interesting fact though is the WMI query:

If we extract the memory strings (strings taken from memory dumps) we find a full VBA script:

The interesting function performing the WMI query is called "CheckTest":

The function enumerates the MUI languages, which is basically the list of all languages installed for the Windows interface (MUI stands for Multiple User Interface). If only one language is installed, and this language is en-US, then Retefe will not execute any payload.
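The following added example is not from the post or from the Retefe sample: it is a sandbox-hardening check that reads the same WMI data (assumed here to be the MUILanguages property of Win32_OperatingSystem, since the post's screenshot of the query is not reproduced) and reports whether an analysis VM would trip the single-language en-US condition described above.

```powershell
# Added example (not part of the original post). Reports whether this machine
# would be skipped by the single-language en-US check described in the post.
# Assumption: the sample reads Win32_OperatingSystem.MUILanguages via WMI.
function Test-MuiLanguageEvasion {
    [CmdletBinding()]
    param(
        # Optional constructed input so the logic can be exercised without WMI
        [string[]]$MuiLanguages
    )
    if (-not $PSBoundParameters.ContainsKey('MuiLanguages')) {
        # Live query: same class and property the evasion check relies on
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        $MuiLanguages = @($os.MUILanguages)
    }
    # Evaded when exactly one MUI language is installed and it is en-US
    $singleEnUs = ($MuiLanguages.Count -eq 1) -and ($MuiLanguages[0] -eq 'en-US')
    [pscustomobject]@{
        MUILanguages   = ($MuiLanguages -join ',')
        WouldBeEvaded  = $singleEnUs
        Recommendation = if ($singleEnUs) {
            'Install at least one additional language pack on the analysis VM'
        } else {
            'OK: multiple MUI languages (or non-en-US) present'
        }
    }
}

# Live check of this VM, then the two constructed cases for comparison
Test-MuiLanguageEvasion
Test-MuiLanguageEvasion -MuiLanguages 'en-US'            # WouldBeEvaded: True
Test-MuiLanguageEvasion -MuiLanguages 'en-US','de-DE'    # WouldBeEvaded: False
```

Run it on each analysis VM image; a result of WouldBeEvaded = True means samples using this check will stay dormant there.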

Within 2 working days we added a new VM to Joe Sandbox Cloud which has several language packs installed:

Executing Retefe on that multi-MUI-language machine reveals all the IOCs and payloads:

Have a look at the full Retefe analysis report:

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!