Joe Security's Blog

Lately, we came across a new Retefe version which uses some nice trick to bypass sandboxes (Retefe is a well know and sophisticated e-banking trojan). The initial analysis looks quite normal, there is no suspicious behavior, no dropped files, domains requests etc.





One interesting fact though is the WMI query:



If we extract the memory strings (strings taken from memory dumps) we detect a fully VBA script:




The interesting function performing the WMI query is called "CheckTest":



The function enumerates the MUI languages, which basically is a list of all installed languages for the Windows interface (MUI stands for Multiple User Interface). If only one language is installed, and this language is en-US then Retefe will not execute any payload.

Within 2 working days we added a new VM to Joe Sandbox Cloud which has several language packs installed:


Executing Retefe on that multi MUI language machine reveals all the IOCS & payloads:







Have a look at the full Retefe analysis report:




Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!