Analysing “Retefe” with Sysmon and Splunk
Tags
| attack-pattern: | Malware - T1587.001 Malware - T1588.001 Mshta - T1218.005 Powershell - T1059.001 Connection Proxy - T1090 Mshta - T1170 Powershell - T1086 |
Common Information
| Type | Value |
|---|---|
| UUID | ba1eca0d-a64d-496b-98cb-a8a37fcaf228 |
| Fingerprint | fbe5abff7de74bc8 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | May 23, 2019, 8:42 a.m. |
| Added to db | Sept. 26, 2022, 9:31 a.m. |
| Last updated | Nov. 18, 2024, 9:32 a.m. |
| Headline | Analysing “Retefe” with Sysmon and Splunk |
| Title | Analysing “Retefe” with Sysmon and Splunk |
| Detected Hints/Tags/Attributes | 22/1/11 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 6 | www.govcert.admin.ch |
|
| Details | Domain | 370 | www.proofpoint.com |
|
| Details | File | 2 | socat.exe |
|
| Details | File | 33 | tor.exe |
|
| Details | File | 2128 | cmd.exe |
|
| Details | File | 1210 | powershell.exe |
|
| Details | IPv4 | 1442 | 127.0.0.1 |
|
| Details | Url | 1 | https://www.govcert.admin.ch/blog/35/reversing-retefe |
|
| Details | Url | 1 | https://www.govcert.admin.ch/blog/33/the-retefe-saga |
|
| Details | Url | 1 | https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe |
|
| Details | Url | 38 | http://127.0.0.1 |