{
	"id": "5c12fbd1-5b72-470b-a9ac-5344b5139273",
	"created_at": "2026-04-06T00:12:01.653082Z",
	"updated_at": "2026-04-10T03:20:16.404715Z",
	"deleted_at": null,
	"sha1_hash": "689ee18755dbadfd509f99b4088485a3398ec45b",
	"title": "GitHub - Tomasuh/retefe-unpacker: Retefe static unpacker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 740176,
	"plain_text": "GitHub - Tomasuh/retefe-unpacker: Retefe static unpacker\r\nBy Tomasuh\r\nArchived: 2026-04-05 16:26:56 UTC\r\ntitle: Retefe unpacker\r\ndate: 2018-12-28\r\nThis is a writeup on how to implement an unpacker for current versions (at the time of publication) of the banking malware Retefe.\r\nResources about the threat:\r\nRetefe banking Trojan leverages EternalBlue exploit in Swiss campaigns\r\nThe Retefe Saga\r\nReversing Retefe\r\nNew version of Retefe Banking Trojan Uses EternalBlue\r\nHistorically there seems to be some variance in the ways the malware has stored its JavaScript payload. Some sources mention self-extracting ZIP files and others XORed data. The current version makes use of a 4-byte XOR key which is generated from the script's length and a few mathematical operations performed on it. The post Reversing Retefe from about two months back (2018-11-08) shows use of a one-byte XOR key, which indicates that the threat actor has changed its code base after the release of that post. This post is made with the intention to shed some light on the current way the threat Retefe stores its payload.\r\nLooking at the mapped binary image with IDA shows a large amount of unexplored data in the .data segment.\r\nBrowsing the .data segment with Binary Ninja shows a large segment of data whose top is referenced in a copy instruction:\r\nhttps://github.com/Tomasuh/retefe-unpacker\r\nPage 1 of 4\r\nThe copy instruction is part of a function that passes the address of this copied data as an argument to a decoding function together with the length of the buffer:\r\nThe decoder function passes the buffer length and another int to a function that raises the buffer length to the power of that int. Then a shift and a subtraction are performed. The result is the XOR key that is used to decode the buffer.\r\nLater on the decode operation is performed:\r\nThat the data actually becomes decoded can be verified with a debugger, watching the memory of the buffer after the decoder function has run:\r\nWith the above research it is possible to write an unpacker.\r\nThe actions performed by the unpacker:\r\nUse yara rules to find the buffer location, buffer length, number of shifts, subtraction value and the power value.\r\nCalculate the buffer RVA, as the extracted location is relative to the LEA instruction that references it.\r\nCalculate the XOR array based on the values extracted with the help of the yara rules.\r\nExtract and decode the script.\r\nThe source code to do this is available in this GitHub repo.\r\nRecent hashes that it has been confirmed to work on:\r\n352b78b8ed38be7ada1d9f4d82352da5015a853bf3c3bdb8982e4977d98f981c\r\n5c548447203104e9a26c355beaf2367a8fa4793a1b0d3668701ee9ba120b9a7b\r\n1a3f25f4067e50aa113dfd9349fc4bdcf346d2e589ed6b4cebbc0a33e9eea50d\r\nExample run:\r\nScreenshots in this post are based on the sample 1a3f25f4067e50aa113dfd9349fc4bdcf346d2e589ed6b4cebbc0a33e9eea50d.\r\nSource: https://github.com/Tomasuh/retefe-unpacker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/Tomasuh/retefe-unpacker"
	],
	"report_names": [
		"retefe-unpacker"
	],
	"threat_actors": [],
	"ts_created_at": 1775434321,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/689ee18755dbadfd509f99b4088485a3398ec45b.pdf",
		"text": "https://archive.orkl.eu/689ee18755dbadfd509f99b4088485a3398ec45b.txt",
		"img": "https://archive.orkl.eu/689ee18755dbadfd509f99b4088485a3398ec45b.jpg"
	}
}