Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language.[1]

ID: S0375
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1010 | Application Window Discovery | Remexi has a command to capture active windows on the machine and retrieve window titles.[1]
Enterprise | T1115 | Clipboard Data | Remexi collects text from the clipboard.[1]
Enterprise | T1059 | Command-Line Interface | Remexi silently executes received commands with cmd.exe.[1]
Enterprise | T1022 | Data Encrypted | Remexi encrypts and adds all gathered browser data into files for upload to C2.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts the configuration data using XOR with 25-character keys.[1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[1]
Enterprise | T1083 | File and Directory Discovery | Remexi searches for files on the system.[1]
Enterprise | T1056 | Input Capture | Remexi gathers and exfiltrates keystrokes from the machine.[1]
Enterprise | T1027 | Obfuscated Files or Information | Remexi obfuscates its configuration data with XOR.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[1]
Enterprise | T1053 | Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.[1]
Enterprise | T1113 | Screen Capture | Remexi takes screenshots of windows of interest.[1]
Enterprise | T1064 | Scripting | Remexi uses AutoIt and VBS scripts throughout its execution process.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[1]
Enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands).[1]
Enterprise | T1004 | Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.[1]
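The three persistence locations listed above (the Winlogon Userinit value, HKLM Run keys and scheduled tasks) can be audited from a host with a short PowerShell check. The script below is an added example written for this page, not code from ATT&CK or from the Remexi analysis it cites; it assumes the stock Windows default of a single `userinit.exe` entry in the Userinit value and simply reports every Run-key entry and scheduled-task action so an analyst can review them against a known baseline.

```powershell
# Added example (not from the ATT&CK page): audit the persistence locations
# the Remexi entry reports - Winlogon\Userinit, HKLM Run keys, scheduled tasks.

# 1. Winlogon Userinit: on a clean system this holds exactly one entry,
#    "<SystemRoot>\system32\userinit.exe," (trailing comma included).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

if ($entries.Count -ne 1 -or $entries[0] -ine $expected) {
    # Any additional path here is launched at every interactive logon.
    Write-Warning "Userinit value deviates from the default: $userinit"
} else {
    Write-Output "Userinit: OK ($userinit)"
}

# 2. HKLM Run / RunOnce keys: list every value so it can be compared to a baseline.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        Write-Output ("{0} : {1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

# 3. Scheduled tasks: print each enabled task's action so script hosts and
#    transfer utilities named on this page (wscript, cmd, bitsadmin) stand out.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            Write-Output ("Task {0}\{1} : {2} {3}" -f $task.TaskPath, $task.TaskName,
                                                     $action.Execute, $action.Arguments)
        }
    }
}
```

Run it from an elevated prompt; the Run-key and task listings are intentionally not filtered, because what is "expected" differs per build image, so compare the output against a golden host rather than against a fixed allow list in the script.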

Groups

Groups that use this software:

APT39

References