Register to stream ATT&CKcon 2.0 October 29-30


Remexi is a Windows-based Trojan that was developed in the C programming language.[1]

ID: S0375
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery Remexi has a command to capture active windows on the machine and retrieve window titles. [1]
Enterprise T1115 Clipboard Data Remexi collects text from the clipboard. [1]
Enterprise T1059 Command-Line Interface Remexi silently executes received commands with cmd.exe. [1]
Enterprise T1022 Data Encrypted Remexi encrypts and adds all gathered browser data into files for upload to C2. [1]
Enterprise T1140 Deobfuscate/Decode Files or Information Remexi decrypts the configuration data using XOR with 25-character keys. [1]
Enterprise T1041 Exfiltration Over Command and Control Channel Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel. [1]
Enterprise T1083 File and Directory Discovery Remexi searches for files on the system. [1]
Enterprise T1056 Input Capture Remexi gathers and exfiltrates keystrokes from the machine. [1]
Enterprise T1027 Obfuscated Files or Information Remexi obfuscates its configuration data with XOR. [1]
Enterprise T1060 Registry Run Keys / Startup Folder Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism. [1]
Enterprise T1053 Scheduled Task Remexi utilizes scheduled tasks as a persistence mechanism. [1]
Enterprise T1113 Screen Capture Remexi takes screenshots of windows of interest. [1]
Enterprise T1064 Scripting Remexi uses AutoIt and VBS scripts throughout its execution process. [1]
Enterprise T1071 Standard Application Layer Protocol Remexi uses BITSAdmin to communicate with the C2 server over HTTP. [1]
Enterprise T1047 Windows Management Instrumentation Remexi executes received commands with wmic.exe (for WMI commands). [1]
Enterprise T1004 Winlogon Helper DLL Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. [1]

Groups That Use This Software

ID Name References
G0087 APT39 [2] [1]