win.graphican

Graphican

Actor(s): APT15


According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on an earlier malware family, BS2005, that APT15 also used. Graphican has the same basic functionality as Ketrican; the difference between them is Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.

References
2023-06-21 Symantec Threat Hunter Team
Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries
Graphican
Yara Rules
[TLP:WHITE] win_graphican_auto (20260504 | Detects win.graphican.)
/*
 * Autogenerated YARA-Signator rule for the Graphican backdoor (Malpedia: win.graphican).
 *
 * Each $sequence_N below is a run of 32-bit x86 instruction bytes (the
 * disassembly uses eax/ebp/esi/edi) lifted from the Malpedia sample(s).
 * The "??" bytes mask operands that vary between builds and load addresses
 * (call targets, pushed immediates, absolute memory references), so only the
 * opcode skeleton is matched. The "// n = .., score = .." line under each
 * string gives the number of instructions in the sequence and what is
 * presumably yara-signator's ranking score for it (see the tool link below).
 *
 * The sequences were selected from memory dumps and unpacked files, so a
 * packed on-disk sample will most likely not match; scan unpacked files or
 * process memory and treat a hit as a candidate for manual confirmation.
 */
rule win_graphican_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.graphican."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Saves esi/edi, then compares (field+0x10) - (field+0xc) of a structure
        // at eax+0x18 against 0x10; looks like a buffer-capacity check.
        $sequence_0 = { 56 57 8d7818 8b4710 2b470c 83f810 7d05 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d7818               | lea                 edi, [eax + 0x18]
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]
            //   2b470c               | sub                 eax, dword ptr [edi + 0xc]
            //   83f810               | cmp                 eax, 0x10
            //   7d05                 | jge                 7

        // Indirect call through eax with a sign-check on the result (js = error
        // path), then work on a large local buffer at ebp-0x1030/-0x1038. The
        // large frame offsets (also in $sequence_5) are what make these
        // sequences less generic than they first look.
        $sequence_1 = { ffd0 85c0 7846 8b85d0efffff 8b08 8d95c8efffff 52 }
            // n = 7, score = 200
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   7846                 | js                  0x48
            //   8b85d0efffff         | mov                 eax, dword ptr [ebp - 0x1030]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8d95c8efffff         | lea                 edx, [ebp - 0x1038]
            //   52                   | push                edx

        // Two checks of [esi+0x18] == 0 around a masked call (e8 ????????);
        // the call target is wildcarded because it is a relative address.
        $sequence_2 = { 837e1800 7521 8bd7 e8???????? 837e1800 7514 8b07 }
            // n = 7, score = 200
            //   837e1800             | cmp                 dword ptr [esi + 0x18], 0
            //   7521                 | jne                 0x23
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   837e1800             | cmp                 dword ptr [esi + 0x18], 0
            //   7514                 | jne                 0x16
            //   8b07                 | mov                 eax, dword ptr [edi]

        // Two pushed immediates (masked) and a 3-argument cdecl call (esp += 0xc),
        // then [ebx+0x18] = 9 and [ebx+0x1c] = esi. NOTE: $sequence_9 is the
        // tail of this pattern, so every $sequence_3 match is also a
        // $sequence_9 match.
        $sequence_3 = { 68???????? 68???????? e8???????? 83c40c c7431809000000 89731c 837b1800 }
            // n = 7, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c7431809000000       | mov                 dword ptr [ebx + 0x18], 9
            //   89731c               | mov                 dword ptr [ebx + 0x1c], esi
            //   837b1800             | cmp                 dword ptr [ebx + 0x18], 0

        // Loop tail: increments a counter at [edi] and a local at ebp-4, and
        // compares the local against 4.
        $sequence_4 = { 7517 8b45fc ff07 40 8945fc 83f804 }
            // n = 6, score = 200
            //   7517                 | jne                 0x19
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff07                 | inc                 dword ptr [edi]
            //   40                   | inc                 eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83f804               | cmp                 eax, 4

        // Result check of a 2-argument call, a 1-argument call on ebx, then a
        // compare of the local at ebp-0x1018 against 0x10 (same large frame as
        // $sequence_1).
        $sequence_5 = { 83c408 85c0 7428 53 e8???????? 83c404 83bde8efffff10 }
            // n = 7, score = 200
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83bde8efffff10       | cmp                 dword ptr [ebp - 0x1018], 0x10

        // ASCII digit check and conversion: '0' (0x30) <= al <= '9' (0x39), then
        // al - '0' stored at ebp-0x20. Typical of a hand-written number parser.
        $sequence_6 = { 3c30 7c24 3c39 7f1a 0fbec0 83e830 8945e0 }
            // n = 7, score = 200
            //   3c30                 | cmp                 al, 0x30
            //   7c24                 | jl                  0x26
            //   3c39                 | cmp                 al, 0x39
            //   7f1a                 | jg                  0x1c
            //   0fbec0               | movsx               eax, al
            //   83e830               | sub                 eax, 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        // Function prologue loading ebx from a masked absolute address and
        // pushing four zero arguments. Fairly generic on its own; relies on the
        // "7 of them" threshold for specificity.
        $sequence_7 = { 8bec 53 8b1d???????? 6a00 6a00 6a00 6a00 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Epilogue returning al = 1 (a "true" result), followed by the start of
        // the next function body (mov edx, edi; cmp esi, 4). Also generic alone.
        $sequence_8 = { 5f b001 5e c3 8bd7 83fe04 }
            // n = 6, score = 200
            //   5f                   | pop                 edi
            //   b001                 | mov                 al, 1
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8bd7                 | mov                 edx, edi
            //   83fe04               | cmp                 esi, 4

        // Subset of $sequence_3 (see the note there); it is not an independent
        // signal when counting towards the condition.
        $sequence_9 = { e8???????? 83c40c c7431809000000 89731c }
            // n = 4, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c7431809000000       | mov                 dword ptr [ebx + 0x18], 9
            //   89731c               | mov                 dword ptr [ebx + 0x1c], esi

    condition:
        // At least 7 of the 10 sequences must be present. Because $sequence_9
        // is contained in $sequence_3, a $sequence_3 hit always brings
        // $sequence_9 with it, so in practice 6 distinct code locations can
        // satisfy the threshold.
        // filesize < 362496 (= 354 KiB) is presumably sized from the reference
        // sample; a larger unpacked image or dump will not match even if every
        // sequence is found, so relax it deliberately if scanning such inputs.
        7 of them and filesize < 362496
}