win.graphsteel

GraphSteel


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two Go-written backdoors used in those attacks and attributed to UAC-0056 (SaintBear, UNC2589, TA471).

References

2023-05-16 | Secureworks | Counter Threat Unit Research Team
The Growing Threat from Infostealers
Families: Graphiron, GraphSteel, Raccoon, RedLine Stealer, Rhadamanthys, Taurus Stealer, Vidar

2022-08-18 | Trustwave | Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
Families: AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket
2022-07-20 | U.S. Cyber Command | Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Families: Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor

2022-07-20 | Mandiant | Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Families: Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor

2022-04-25 | Bitdefender | Martin Zugec
Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
Families: GraphSteel, GrimPlant

2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
Families: CyclopsBlink, Cobalt Strike, GraphSteel, GrimPlant, HermeticWiper, HermeticWizard, MicroBackdoor, PartyTicket, Saint Bot, Scieron, WhisperGate

2022-04-07 | Malpedia | Malpedia
Malpedia Page for GraphSteel
Families: GraphSteel, SaintBear

2022-04-04 | Intezer | Joakim Kennedy, Nicole Fishbein
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
Families: GraphSteel, GrimPlant, SaintBear

2022-04-02 | GovInfo Security | Prajeet Nair
Cyber Espionage Actor Deploying Malware Using Excel
Families: GraphSteel, GrimPlant

2022-03-28 | Cert-UA | Cert-UA
UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
Families: GraphSteel, GrimPlant, SaintBear

2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Families: Xloader, Agent Tesla, CaddyWiper, Cobalt Strike, DoubleZero, GraphSteel, GrimPlant, HeaderTip, HermeticWiper, IsaacWiper, MicroBackdoor, Pandora RAT

2022-03-15 | SentinelOne | Amitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Families: Cobalt Strike, GraphSteel, GrimPlant, SaintBear

Yara Rules
[TLP:WHITE] win_graphsteel_auto (20230808 | Detects win.graphsteel.)
rule win_graphsteel_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.graphsteel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488d7830 488b4c2440 0f1f4000 e8???????? 4889c3 488d05415b3900 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d7830             | lea                 edi, [eax + 8]
            //   488b4c2440           | dec                 eax
            //   0f1f4000             | mov                 ecx, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   4889c3               | dec                 eax
            //   488d05415b3900       | mov                 ebx, eax

        $sequence_1 = { ffd0 488bb42428010000 488b942410020000 4885d2 0f8401010000 488b4c2450 488d1d88ae4400 }
            // n = 7, score = 100
            //   ffd0                 | lea                 eax, [0xfff9639b]
            //   488bb42428010000     | dec                 eax
            //   488b942410020000     | mov                 dword ptr [esp + 0x90], eax
            //   4885d2               | mov                 dword ptr [esp + 0xa8], 0
            //   0f8401010000         | dec                 ecx
            //   488b4c2450           | mov                 dword ptr [esi + 0x10], ebx
            //   488d1d88ae4400       | cmp                 word ptr [esp + 0xa4], 0

        $sequence_2 = { e9???????? a810 0f84f1000000 84d2 0f888c010000 8954245c 83fa0b }
            // n = 7, score = 100
            //   e9????????           |                     
            //   a810                 | dec                 eax
            //   0f84f1000000         | cmp                 dword ptr [ebx + 0xa0], ecx
            //   84d2                 | jge                 0x1ad9
            //   0f888c010000         | dec                 eax
            //   8954245c             | lea                 eax, [0x2a87b0]
            //   83fa0b               | dec                 eax

        $sequence_3 = { e8???????? e8???????? 90 31c9 488d150f198e00 870a 8b0d???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   31c9                 | mov                 ebx, dword ptr [ebx + 0x20]
            //   488d150f198e00       | call                ebx
            //   870a                 | dec                 eax
            //   8b0d????????         |                     

        $sequence_4 = { e9???????? 4c8b4c2468 4d85c9 0f84b1000000 4c8b9424d8030000 4d8b9a88000000 498b4b08 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4c8b4c2468           | inc                 esp
            //   4d85c9               | mov                 ecx, dword ptr [esp + 0x6c]
            //   0f84b1000000         | dec                 eax
            //   4c8b9424d8030000     | mov                 dword ptr [esp + 0x20], 0
            //   4d8b9a88000000       | dec                 esp
            //   498b4b08             | mov                 eax, dword ptr [esp + 0x58]

        $sequence_5 = { e8???????? 4909c5 0fb603 83c05b a8fb 0f85a0000000 488b4340 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4909c5               | mov                 ecx, dword ptr [esp + 0x20]
            //   0fb603               | dec                 eax
            //   83c05b               | mov                 dword ptr [eax + 0x10], ecx
            //   a8fb                 | dec                 eax
            //   0f85a0000000         | mov                 dword ptr [esp + 0x18], ecx
            //   488b4340             | dec                 eax

        $sequence_6 = { e9???????? 8b8424a0010000 4189d9 ba35000000 4c89e9 448b842498010000 41bf06000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8424a0010000       | dec                 eax
            //   4189d9               | mov                 dword ptr [esp + 0x48], edi
            //   ba35000000           | dec                 eax
            //   4c89e9               | lea                 edx, [0x42c451]
            //   448b842498010000     | dec                 eax
            //   41bf06000000         | cmp                 eax, edx

        $sequence_7 = { e9???????? 4885f6 0f8520ffffff 4c8d742440 4889d9 4d8b4550 c744244001080000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4885f6               | mov                 dword ptr [esp + 0x60], edx
            //   0f8520ffffff         | dec                 eax
            //   4c8d742440           | lea                 edx, [0x38a0a0]
            //   4889d9               | dec                 eax
            //   4d8b4550             | mov                 dword ptr [esp + 0x68], edx
            //   c744244001080000     | dec                 eax

        $sequence_8 = { eb11 488d7830 488b9424e0000000 e8???????? 488b542438 48895050 488b542440 }
            // n = 7, score = 100
            //   eb11                 | mov                 dword ptr [esp + 0x88], ecx
            //   488d7830             | dec                 eax
            //   488b9424e0000000     | mov                 dword ptr [esp + 0x40], eax
            //   e8????????           |                     
            //   488b542438           | dec                 eax
            //   48895050             | mov                 dword ptr [esp + 0x80], ebx
            //   488b542440           | dec                 eax

        $sequence_9 = { e8???????? c644243507 488d05e3cc3300 488b9c24c8000000 488d4c2435 e8???????? 48c7400806000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c644243507           | mov                 dword ptr [eax + 0x48], edx
            //   488d05e3cc3300       | jmp                 0x70c
            //   488b9c24c8000000     | dec                 eax
            //   488d4c2435           | lea                 edi, [eax + 0x48]
            //   e8????????           |                     
            //   48c7400806000000     | dec                 eax

    condition:
        7 of them and filesize < 19812352
}