SYMBOLCOMMON_NAMEaka. SYNONYMS
win.grager (Back to overview)

Grager

VTCollection    

Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a client ID and refresh token for OneDrive from a blob contained within its file body. It supports the following commands:

- Retrieve machine information, including machine name, user, IP address, and machine architecture
- Download or upload a file
- Execute a file
- Gather file system information, including available drives, their sizes, and types of drives

References
2024-08-07SymantecThreat Hunter Team
Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
GoGra Grager MOONTAG Ondritols TONERJAM
Yara Rules
[TLP:WHITE] win_grager_auto (20260504 | Detects win.grager.)
rule win_grager_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.grager."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grager"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83e10f 4a0fbe840188560200 428a8c0198560200 482bd0 8b42fc d3e8 49895108 }
            // n = 7, score = 100
            //   83e10f               | je                  0x45a
            //   4a0fbe840188560200     | dec    esp
            //   428a8c0198560200     | mov                 dword ptr [esp + 0x58], esi
            //   482bd0               | dec                 esp
            //   8b42fc               | lea                 esi, [0xffffe6a5]
            //   d3e8                 | movzx               ecx, byte ptr [edi]
            //   49895108             | dec                 eax

        $sequence_1 = { 7417 488d0538c50100 483bc8 740b 83791000 7505 }
            // n = 6, score = 100
            //   7417                 | sub                 eax, dword ptr [ebx + 8]
            //   488d0538c50100       | mov                 ecx, edi
            //   483bc8               | inc                 ecx
            //   740b                 | cmp                 eax, eax
            //   83791000             | mov                 edx, eax
            //   7505                 | setbe               cl

        $sequence_2 = { 4c8d050efeffff 488983b8050000 33d2 897c2420 33c9 ff15???????? }
            // n = 6, score = 100
            //   4c8d050efeffff       | dec                 eax
            //   488983b8050000       | add                 ecx, 0x30c
            //   33d2                 | inc                 ecx
            //   897c2420             | mov                 eax, 0x104
            //   33c9                 | dec                 eax
            //   ff15????????         |                     

        $sequence_3 = { 488b742448 4883c610 4c8b3e 48b85555555555555505 }
            // n = 4, score = 100
            //   488b742448           | dec                 ebp
            //   4883c610             | mov                 edi, eax
            //   4c8b3e               | dec                 eax
            //   48b85555555555555505     | xor    eax, esp

        $sequence_4 = { e8???????? 488d4590 0f1f4000 48ffc3 803c1800 75f7 488d4d90 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d4590             | sub                 edx, eax
            //   0f1f4000             | inc                 esp
            //   48ffc3               | mov                 edx, dword ptr [edx - 4]
            //   803c1800             | inc                 ecx
            //   75f7                 | shr                 edx, cl
            //   488d4d90             | inc                 ebp

        $sequence_5 = { 4883c0f8 4883f81f 7728 e8???????? 33c0 488b8d802f0000 4833cc }
            // n = 7, score = 100
            //   4883c0f8             | inc                 bp
            //   4883f81f             | test                eax, eax
            //   7728                 | je                  0x10a8
            //   e8????????           |                     
            //   33c0                 | dec                 esp
            //   488b8d802f0000       | sub                 ecx, edx
            //   4833cc               | dec                 eax

        $sequence_6 = { 418bd9 498bf8 8bf2 4c8d0de5e90000 488be9 4c8d05d3e90000 488d15d4e90000 }
            // n = 7, score = 100
            //   418bd9               | lea                 eax, [esp + 0x44]
            //   498bf8               | xor                 ecx, ecx
            //   8bf2                 | dec                 esp
            //   4c8d0de5e90000       | lea                 ecx, [esp + 0x58]
            //   488be9               | dec                 eax
            //   4c8d05d3e90000       | mov                 dword ptr [esp + 0x20], eax
            //   488d15d4e90000       | inc                 esp

        $sequence_7 = { 8d0c02 49894830 410fb609 83e10f 4a0fbe841988560200 428a8c1998560200 }
            // n = 6, score = 100
            //   8d0c02               | je                  0x144d
            //   49894830             | movzx               ecx, byte ptr [edi]
            //   410fb609             | dec                 eax
            //   83e10f               | arpl                cx, cx
            //   4a0fbe841988560200     | dec    eax
            //   428a8c1998560200     | lea                 edx, [0x16d28]

        $sequence_8 = { eb44 488d041b 488d8df8050000 482bc8 482bd1 660f1f440000 4d85f6 }
            // n = 7, score = 100
            //   eb44                 | lea                 edi, [0x19dce]
            //   488d041b             | jmp                 0x5f1
            //   488d8df8050000       | inc                 ebp
            //   482bc8               | xor                 eax, eax
            //   482bd1               | xor                 edx, edx
            //   660f1f440000         | xor                 ecx, ecx
            //   4d85f6               | int3                

        $sequence_9 = { ba04000000 8bc2 448bd0 448bc8 448bd8 ffc8 83e801 }
            // n = 7, score = 100
            //   ba04000000           | push                edi
            //   8bc2                 | dec                 eax
            //   448bd0               | sub                 esp, 0x290
            //   448bc8               | dec                 eax
            //   448bd8               | xor                 eax, esp
            //   ffc8                 | dec                 eax
            //   83e801               | mov                 dword ptr [esp + 0x280], eax

    condition:
        7 of them and filesize < 487424
}
Download all Yara Rules