{
	"id": "7bc8b7c5-2496-459f-bf27-f362645f3299",
	"created_at": "2026-04-06T02:13:10.134188Z",
	"updated_at": "2026-04-10T03:21:02.84933Z",
	"deleted_at": null,
	"sha1_hash": "2ff7027abbadfc58944ec17001d7ecb57a005c12",
	"title": "Retefe (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28559,
	"plain_text": "Retefe (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 02:05:49 UTC\r\nRetefe is a Windows Banking Trojan that can also download and install additional malware onto the system using\r\nWindows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online\r\nbanking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper\r\ncomponent for a JavaScript file which builds a VBA file which in turn loads multiple tools onto the host including:\r\n7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-\r\ncontrolled host in order to effectively MITM TLS traffic.\r\n[TLP:WHITE] win_retefe_auto (20251219 | Detects win.retefe.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
	],
	"report_names": [
		"win.retefe"
	],
	"threat_actors": [],
	"ts_created_at": 1775441590,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ff7027abbadfc58944ec17001d7ecb57a005c12.pdf",
		"text": "https://archive.orkl.eu/2ff7027abbadfc58944ec17001d7ecb57a005c12.txt",
		"img": "https://archive.orkl.eu/2ff7027abbadfc58944ec17001d7ecb57a005c12.jpg"
	}
}