{
	"id": "5be359ff-af4e-45b5-81b2-868f2be2969d",
	"created_at": "2026-04-06T00:21:34.991096Z",
	"updated_at": "2026-04-10T03:20:20.145419Z",
	"deleted_at": null,
	"sha1_hash": "61f06a2c2c8a6b27fef30b6895318e36a80c4f33",
	"title": "Analysing “Retefe” with Sysmon and Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52795,
	"plain_text": "Analysing “Retefe” with Sysmon and Splunk\r\nPublished: 2019-05-23 · Archived: 2026-04-05 20:36:20 UTC\r\nI recently took a closer look at Retefe because they seem to have abandoned the short-lived “SmokeLoader” phase and moved back to “socat.exe” and the TOR network.\r\nThe original delivery method is mail spam, sending an Office document (either a docx or xlsx attachment) with an embedded OLE object (the malicious .exe file). If the victim double-clicks the embedded object (hidden behind an image), the Retefe infection chain is launched. In general, Retefe consists of several PowerShell scripts, which download “7-Zip”, “tor.exe” and “socat.exe”, change the proxy settings on the system, install a new Root certificate and use scheduled tasks for persistence.\r\nFor details on the malware I recommend you read the following blog posts:\r\nhttps://www.govcert.admin.ch/blog/35/reversing-retefe\r\nhttps://www.govcert.admin.ch/blog/33/the-retefe-saga\r\nhttps://www.proofpoint.com/us/threat-insight/post/2019-return-retefe\r\nA very easy way to detect Retefe is to look for “tor.exe” and “socat.exe” processes in the folder “ProgramData”:\r\n`sysmon` (\"tor.exe\" OR \"socat.exe\") \"\\\\ProgramData\\\\\" EventCode=1\r\nAlternatively you can look for active network connections from files “tor.exe” or “socat.exe” in “ProgramData”:\r\n`sysmon` (\"tor.exe\" OR \"socat.exe\") \"\\\\ProgramData\\\\\" EventCode=3\r\nWith “EventCode=11” you can also look for the creation of the file (Rule: FileCreate).\r\nAnother way to detect unexpected behaviour is to look for an “exe” file which creates “.ps1” files in the “Temp” folder:\r\n`sysmon` Image=\"*.exe\" EventCode=11 TargetFilename=\"*\\\\AppData\\\\Local\\\\Temp\\\\*.ps1\" NOT \"__PSScriptPolicyTest*.ps1\"\r\nNext is the “mshta” execution that Retefe uses for persistence. The call runs “socat.exe” with the configuration included in the call:\r\n`sysmon` \"socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:*.onion:5588,socksport=9050\"\r\nA pretty new way (not a long history of observation) would be to hunt for executions of PowerShell with an “-ep” policy, running a “ps1” file, piping to “find” and storing the output in a log file:\r\n`sysmon` \"cmd.exe\" \"/c powershell -ep\" (\"bypass\" OR \"Unrestricted\") -f \"*\\\\Temp\\\\*.ps1\" \"| find /v \\\"\\\" \u003e\u003e \\\"*\\\\Temp\\\\*.log\"\r\nFor a general detection of Tor or “socat.exe” on a system, this query can be helpful:\r\n`sysmon` EventCode=3 \"ProgramData\" DestinationPort=9050 DestinationIp=127.0.0.1\r\nFinally, with this query you can find the shortcuts (“.lnk” files) that Retefe uses for persistence:\r\n`sysmon` EventCode=11 Image=\"*\\\\powershell.exe\" \"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*.lnk\"\r\nSummary\r\nFrom the few Splunk queries I have shared, you can see that Retefe is not a highly complex malware; it is in fact pretty noisy and offers several ways to identify potentially infected clients. Even without Sysmon and Splunk, you can look for signs of an infection in these places:\r\nProxy settings of the browser (“http://127.0.0.1” string)\r\ntor.exe and socat.exe in a “ProgramData” sub-folder\r\nfake Root certificate\r\nvarious “.lnk” files in the startup folder\r\nAny other detection rules that are useful? Let me know and I will add them here.\r\nSource: https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/"
	],
	"report_names": [
		"analysing-retefe-with-sysmon-and-splunk"
	],
	"threat_actors": [],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61f06a2c2c8a6b27fef30b6895318e36a80c4f33.pdf",
		"text": "https://archive.orkl.eu/61f06a2c2c8a6b27fef30b6895318e36a80c4f33.txt",
		"img": "https://archive.orkl.eu/61f06a2c2c8a6b27fef30b6895318e36a80c4f33.jpg"
	}
}