win.graphical_neutrino (Back to overview)

GraphicalNeutrino

aka: SNOWYAMBER

Actor(s): APT29


This loader abuses the legitimate Notion service as a channel for data exchange.

References
2023-07-27Recorded FutureInsikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG
2023-06-02MSSP Labcocomelonc
Malware analysis report: SNOWYAMBER (+APT29 related malwares)
GraphicalNeutrino
2023-04-13GOV.PLCERT.PL, Military Counterintelligence Service
SNOWYAMBER - Malware Analysis Report
GraphicalNeutrino
2023-03-14BlackberryBlackBerry Research & Intelligence Team
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
EnvyScout GraphicalNeutrino
2023-03-10MrtiepoloGianluca Tiepolo
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage
2023-01-26Recorded FutureInsikt Group
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware
GraphicalNeutrino APT29
Yara Rules
[TLP:WHITE] win_graphical_neutrino_auto (20260504 | Detects win.graphical_neutrino.)
rule win_graphical_neutrino_auto {
    // Auto-generated (YARA-Signator) code-sequence rule for GraphicalNeutrino /
    // SNOWYAMBER. Each $sequence_N is a short run of x86-64 opcode bytes taken
    // from the disassembly of memory dumps / unpacked files; "????????" wildcards
    // a 32-bit rel/disp operand (call/jmp target, RIP-relative address) that
    // differs between builds. The per-line comments below decode the bytes as
    // x86-64; "n" is the number of instructions in the sequence and "score" is
    // the generator's selection score for it.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.graphical_neutrino."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Tail of a division loop: xor/div, result into r9d, loop on ebp.
        $sequence_0 = { 31d2 f7f1 4189c1 85ed 0f8573ffffff 4c39f6 }
            // n = 6, score = 500
            //   31d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   4189c1               | mov                 r9d, eax
            //   85ed                 | test                ebp, ebp
            //   0f8573ffffff         | jne                 rel32 (-0x8d)
            //   4c39f6               | cmp                 rsi, r14

        // Indirect (import-table style) call, result checked, r13 passed as 1st arg.
        $sequence_1 = { ff15???????? 85c0 740b 4c89e9 }
            // n = 4, score = 500
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   85c0                 | test                eax, eax
            //   740b                 | je                  +0xb
            //   4c89e9               | mov                 rcx, r13

        // Two calls with r13 / rax as arguments and r8d = 8 (Win64 ABI: rcx, rdx, r8).
        $sequence_2 = { e8???????? 4c89e9 4889c2 e8???????? 41b808000000 }
            // n = 5, score = 500
            //   e8????????           | call                rel32
            //   4c89e9               | mov                 rcx, r13
            //   4889c2               | mov                 rdx, rax
            //   e8????????           | call                rel32
            //   41b808000000         | mov                 r8d, 8

        // Function epilogue: three calls, then the 0x1b8-byte frame is released.
        $sequence_3 = { e8???????? 4889f9 e8???????? 4889e9 e8???????? 90 4881c4b8010000 }
            // n = 7, score = 500
            //   e8????????           | call                rel32
            //   4889f9               | mov                 rcx, rdi
            //   e8????????           | call                rel32
            //   4889e9               | mov                 rcx, rbp
            //   e8????????           | call                rel32
            //   90                   | nop
            //   4881c4b8010000       | add                 rsp, 0x1b8

        // Writes the ASCII bytes "0." ("0" = 0x30, "." = 0x2e) into a buffer at rbx.
        $sequence_4 = { 488d5302 b030 89f1 4889d7 66c703302e }
            // n = 5, score = 500
            //   488d5302             | lea                 rdx, [rbx + 2]
            //   b030                 | mov                 al, 0x30
            //   89f1                 | mov                 ecx, esi
            //   4889d7               | mov                 rdi, rdx
            //   66c703302e           | mov                 word ptr [rbx], 0x2e30

        // Stores a tag byte 3 at [rbx], calls with ecx = 0x20, then loads [r13].
        $sequence_5 = { e8???????? c60303 b920000000 e8???????? 498b5500 4889c1 }
            // n = 6, score = 500
            //   e8????????           | call                rel32
            //   c60303               | mov                 byte ptr [rbx], 3
            //   b920000000           | mov                 ecx, 0x20
            //   e8????????           | call                rel32
            //   498b5500             | mov                 rdx, qword ptr [r13]
            //   4889c1               | mov                 rcx, rax

        // Reads a byte, checks (byte - 1) <= 1, then takes a stack buffer address.
        $sequence_6 = { 8a02 ffc8 3c01 0f8701020000 4c8d6c2420 4c89e9 }
            // n = 6, score = 500
            //   8a02                 | mov                 al, byte ptr [rdx]
            //   ffc8                 | dec                 eax
            //   3c01                 | cmp                 al, 1
            //   0f8701020000         | ja                  +0x201
            //   4c8d6c2420           | lea                 r13, [rsp + 0x20]
            //   4c89e9               | mov                 rcx, r13

        // Counted loop (17 iterations, rax 0..0x10) followed by a "return 0" stub.
        $sequence_7 = { 48ffc0 4883f811 75f3 c3 31c0 }
            // n = 5, score = 500
            //   48ffc0               | inc                 rax
            //   4883f811             | cmp                 rax, 0x11
            //   75f3                 | jne                 -0xd
            //   c3                   | ret
            //   31c0                 | xor                 eax, eax

        // Call with r12 as 1st arg while rsi advances by 0x20 per step.
        $sequence_8 = { e8???????? 4c89e1 4883c620 e8???????? }
            // n = 4, score = 500
            //   e8????????           | call                rel32
            //   4c89e1               | mov                 rcx, r12
            //   4883c620             | add                 rsi, 0x20
            //   e8????????           | call                rel32

        // Range check on esi against 0x1f and 0x7e (looks like a printable-ASCII test).
        $sequence_9 = { e9???????? 83fe1f 7617 83fe7e }
            // n = 4, score = 500
            //   e9????????           | jmp                 rel32
            //   83fe1f               | cmp                 esi, 0x1f
            //   7617                 | jbe                 +0x17
            //   83fe7e               | cmp                 esi, 0x7e

    condition:
        // At least 7 of the 10 sequences must be present; the size cap
        // (674816 bytes = 659 KiB) restricts the rule to small files.
        7 of them and filesize < 674816
}
[TLP:WHITE] win_graphical_neutrino_w0   (20230601 | Detects win.graphical_neutrino.)
rule win_graphical_neutrino_w0 {
    // Hand-written rule from the CERT.PL / Military Counterintelligence Service
    // SNOWYAMBER analysis report (see "source" in meta). Requires a PE header,
    // a size cap, the nlohmann/json path string left in the binary, the
    // Obfuscate-library string-decryption loop, and either the emoji beacon
    // counter initialiser or the payload-decryption loop.
    // NOTE(review): "Counterlintelligence" in author is a typo for
    // "Counterintelligence"; left untouched because meta is data other tooling
    // may compare against.

    meta:
        author = "Military Counterlintelligence Service and CERT.PL"
        date = "2023-04-13"
        description = "Detects win.graphical_neutrino."
        source = "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino"
        malpedia_rule_date = "20230601"
        malpedia_hash = ""
        malpedia_version = "20230601"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Payload decryption loop
        // Custom algorithm based on XOR. Decoded as x86-64 the loop body is:
        //   rdx = rcx % [rsp+??]            (xor edx,edx / mov rax,rcx / div qword ptr [rsp+??])
        //   dl  = key[rdx]                  (mov dl, byte ptr [r9 + rdx], r9 loaded from [rsp+??])
        //   dl ^= in[rcx + 0x10]            (xor dl, byte ptr [rax + rcx + 0x10], rax = [r13])
        //   dl ^= (ecx * r8d) & 0xff        (mov eax,ecx / imul eax,r8d / xor edx,eax)
        //   out[rcx] = dl; rcx++            (mov byte ptr [rbx + rcx], dl / inc rcx)
        // i.e. byte-wise XOR with a repeating key plus an index-dependent term.
        // "??" wildcards stack displacements / registers that vary per build.
        $op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45
        00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}
        // Decryption routine generated by Obfuscate library. Decoded: for rax in
        // [0, rdx), byte [r9 + rax] ^= (r8 >> ((rax & 7) * 8)) & 0xff, i.e. each
        // byte is XORed with byte (i & 7) of a 64-bit key held in r8.
        $op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}
        // Hardcoded initial value used as beaconing counter
        // (byte store of 0xA5 followed by a 16-bit store of F0 9F; F0 9F is the
        // lead-byte pair of a 4-byte UTF-8 sequence, presumably an emoji -- the
        // addressing operands between them are wildcarded)
        $op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}
        // src/json.hpp - string left in binary using nlohmann JSON
        // (the bytes spell "src/json.hpp" followed by a NUL terminator)
        $str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}
    condition:
        // Cheap header/size checks first, then the mandatory strings, then
        // either of the two family-specific code patterns.
        uint16(0) == 0x5A4D
        and
         filesize < 500KB
        and
         $str_nlohmann
        and
         $op_decrypt_string
        and
         ($op_initialize_emoji or $op_decrypt_payload)
}