Lately, we came across a new Retefe version which uses a nice trick to bypass sandboxes (Retefe is a well-known and sophisticated e-banking trojan). The initial analysis looks quite normal: there is no suspicious behavior, no dropped files, no domain requests, etc.
One interesting fact though is the WMI query:
If we extract the memory strings (strings taken from memory dumps) we detect a full VBA script:
The interesting function performing the WMI query is called "CheckTest":
The function enumerates the MUI languages, which is basically the list of all installed languages for the Windows interface (MUI stands for Multiple User Interface). If only one language is installed, and this language is en-US, then Retefe will not execute any payload.
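To verify an analysis VM against this evasion condition before detonation, the following PowerShell script (an added example, not code from the original post or from Retefe) reads the installed MUI languages and reports whether the machine would look like a single-language en-US install. It assumes the standard Win32_OperatingSystem.MUILanguages CIM property; the exact query issued by Retefe's "CheckTest" function is not shown in the post.

```powershell
# Added example: sandbox VM self-check for the MUI-language evasion condition
# described above. Assumes the Win32_OperatingSystem.MUILanguages property
# (a standard WMI/CIM property); the malware's own query is not reproduced here.

function Get-InstalledMuiLanguages {
    # Returns the installed MUI language tags as an array, e.g. @('en-US', 'de-DE')
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return @($os.MUILanguages)
}

function Test-SingleEnUsMui {
    param([string[]]$Languages = (Get-InstalledMuiLanguages))
    # The evasion condition: exactly one installed language, and it is en-US.
    return ($Languages.Count -eq 1) -and ($Languages[0] -ieq 'en-US')
}

$langs = Get-InstalledMuiLanguages
Write-Host ("Installed MUI languages: " + ($langs -join ', '))
if (Test-SingleEnUsMui -Languages $langs) {
    Write-Warning "Single en-US MUI: a Retefe-style check would skip the payload. Install additional language packs on this VM."
} else {
    Write-Host "Multiple or non-en-US MUI languages present; the MUI check would not trigger."
}
```

Run it on the sandbox image itself (not on the host) so that the result reflects what the sample will see.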
Within 2 working days we added a new VM to Joe Sandbox Cloud which has several language packs installed:
Executing Retefe on that multi-MUI-language machine reveals all the IOCs and payloads:
Have a look at the full Retefe analysis report:
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!