Threat Group Cards: A Threat Actor Encyclopedia

Tool: Remexi

Names: Remexi, CACHEMONEY
Category: Malware
Type: Backdoor, Keylogger, Info stealer
Description: (Kaspersky) Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data.

Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions. The Remexi developers seem to rely on legitimate Microsoft utilities.
Information: <https://securelist.com/chafer-used-remexi-malware/89538/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0375/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi>

Last change to this tool card: 23 April 2020

All groups using tool Remexi

APT groups

Name: Chafer, APT 39
Country: Iran
Observed: 2014-Sep 2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
