win.graphsteel

GraphSteel

This malware was observed during the cyberattacks on Ukrainian state organizations. It is one of two Go-written backdoors attributed to UAC-0056 (also tracked as SaintBear, UNC2589 and TA471).

References

2023-05-16 | Secureworks, Counter Threat Unit Research Team | The Growing Threat from Infostealers
    Families: Graphiron, GraphSteel, Raccoon, RedLine Stealer, Rhadamanthys, Taurus Stealer, Vidar
2022-08-18 | Trustwave, Pawel Knapczyk | Overview of the Cyber Weapons Used in the Ukraine - Russia War
    Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket
2022-07-20 | U.S. Cyber Command, Cyber National Mission Force Public Affairs | Cyber National Mission Force discloses IOCs from Ukrainian networks
    Families: Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-07-20 | Mandiant, Mandiant Threat Intelligence | Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
    Families: Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-04-25 | Bitdefender, Martin Zugec | Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
    Families: GraphSteel, GrimPlant
2022-04-07 | InQuest, Nick Chalard and Will MacArthur | Ukraine CyberWar Overview
    Families: CyclopsBlink, Cobalt Strike, GraphSteel, GrimPlant, HermeticWiper, HermeticWizard, MicroBackdoor, PartyTicket, Saint Bot, Scieron, WhisperGate
2022-04-07 | Malpedia | Malpedia Page for GraphSteel
    Families: GraphSteel, SaintBear
2022-04-04 | Intezer, Joakim Kennedy and Nicole Fishbein | Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
    Families: GraphSteel, GrimPlant, SaintBear
2022-04-02 | GovInfo Security, Prajeet Nair | Cyber Espionage Actor Deploying Malware Using Excel
    Families: GraphSteel, GrimPlant
2022-03-28 | Cert-UA | UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
    Families: GraphSteel, GrimPlant, SaintBear
2022-03-25 | GOV.UA, State Service of Special Communication and Information Protection of Ukraine (CIP) | Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
    Families: Xloader, Agent Tesla, CaddyWiper, Cobalt Strike, DoubleZero, GraphSteel, GrimPlant, HeaderTip, HermeticWiper, IsaacWiper, MicroBackdoor, Pandora RAT
2022-03-15 | SentinelOne, Amitai Ben Shushan Ehrlich | Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
    Families: Cobalt Strike, GraphSteel, GrimPlant, SaintBear
Yara Rules
[TLP:WHITE] win_graphsteel_auto (20260504 | Detects win.graphsteel.)
rule win_graphsteel_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.graphsteel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c7400c00000000 48c7401000000000 c7007e000000 4489542420 448b442450 4589f9 4889f9 }
            // n = 7, score = 100
            //   c7400c00000000       | lea                 eax, [0x1898]
            //   48c7401000000000     | dec                 eax
            //   c7007e000000         | mov                 dword ptr [esp + 0x38], 0
            //   4489542420           | dec                 eax
            //   448b442450           | mov                 dword ptr [esp + 0x40], 0
            //   4589f9               | dec                 eax
            //   4889f9               | mov                 dword ptr [esp + 0x48], 0

        $sequence_1 = { 4c898c24b8010000 4889bc24c0010000 4c8b9424b8010000 4d85d2 7422 450fb65a17 4589dc }
            // n = 7, score = 100
            //   4c898c24b8010000     | dec                 eax
            //   4889bc24c0010000     | lea                 ebp, [esp + 0xb0]
            //   4c8b9424b8010000     | dec                 ecx
            //   4d85d2               | mov                 ebp, 0
            //   7422                 | dec                 esp
            //   450fb65a17           | mov                 dword ptr [esp + 0xa8], ebp
            //   4589dc               | dec                 eax

        $sequence_2 = { e8???????? b801000000 89e9 d3e0 410985cc000000 83fd01 741a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   b801000000           | mov                 dword ptr [esp + 0x40], esi
            //   89e9                 | dec                 eax
            //   d3e0                 | mov                 dword ptr [esp + 0x38], ecx
            //   410985cc000000       | dec                 eax
            //   83fd01               | lea                 eax, [0x289d70]
            //   741a                 | dec                 esp

        $sequence_3 = { f7466000ffff00 753b 8b96d4000000 c6466101 85d2 7e0a c7866001000001000000 }
            // n = 7, score = 100
            //   f7466000ffff00       | mov                 dword ptr [esp + 0x3a0], esi
            //   753b                 | dec                 eax
            //   8b96d4000000         | mov                 dword ptr [esp + 0x398], edi
            //   c6466101             | dec                 eax
            //   85d2                 | mov                 dword ptr [esp + 0x188], 0
            //   7e0a                 | dec                 eax
            //   c7866001000001000000     | mov    dword ptr [esp + 0x180], 0

        $sequence_4 = { bb16000000 e8???????? 4889842498020000 48899c2498010000 4889d9 4889c3 488d056e743e00 }
            // n = 7, score = 100
            //   bb16000000           | jmp                 0xd0f
            //   e8????????           |                     
            //   4889842498020000     | dec                 eax
            //   48899c2498010000     | lea                 edi, [0x863dfe]
            //   4889d9               | dec                 eax
            //   4889c3               | mov                 dword ptr [esp + 0x380], ecx
            //   488d056e743e00       | dec                 eax

        $sequence_5 = { ff5030 85c0 752a 48638bbc000000 488b442428 4801c8 4883e801 }
            // n = 7, score = 100
            //   ff5030               | lea                 eax, [0x2a5810]
            //   85c0                 | dec                 eax
            //   752a                 | mov                 ebx, dword ptr [esp + 0xb8]
            //   48638bbc000000       | dec                 esp
            //   488b442428           | mov                 ecx, esp
            //   4801c8               | dec                 esp
            //   4883e801             | mov                 edi, ecx

        $sequence_6 = { ffd0 488b6c2448 4883c450 c3 31c0 488d1df2193a00 b926000000 }
            // n = 7, score = 100
            //   ffd0                 | mov                 ecx, ebx
            //   488b6c2448           | dec                 eax
            //   4883c450             | mov                 ebx, eax
            //   c3                   | dec                 eax
            //   31c0                 | lea                 eax, [0x3e8ffa]
            //   488d1df2193a00       | dec                 eax
            //   b926000000           | test                eax, eax

        $sequence_7 = { 8b54244c 4c8b742430 4189c4 498916 4889d0 4180fc04 0f84dc000000 }
            // n = 7, score = 100
            //   8b54244c             | inc                 ebp
            //   4c8b742430           | mov                 ebx, eax
            //   4189c4               | dec                 eax
            //   498916               | test                ecx, ecx
            //   4889d0               | je                  0x1796
            //   4180fc04             | dec                 eax
            //   0f84dc000000         | sub                 esp, 0x30

        $sequence_8 = { c3 488d05c9d85e00 bb0a000000 0f1f440000 e8???????? 488b4c2428 890d???????? }
            // n = 7, score = 100
            //   c3                   | nop                 
            //   488d05c9d85e00       | mov                 word ptr [esp + 0x1e], 0xff
            //   bb0a000000           | dec                 eax
            //   0f1f440000           | mov                 dword ptr [eax], edx
            //   e8????????           |                     
            //   488b4c2428           | jmp                 0x12fd
            //   890d????????         |                     

        $sequence_9 = { eb0c 488d3df63c8600 e8???????? 488b0d???????? 48898c2498030000 488d05f3085500 e8???????? }
            // n = 7, score = 100
            //   eb0c                 | dec                 ebp
            //   488d3df63c8600       | test                edx, edx
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   48898c2498030000     | dec                 eax
            //   488d05f3085500       | mov                 dword ptr [esp + 0xf8], eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 19812352
}