win.grimplant

GrimPlant


This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two Go-written backdoors used in those attacks and attributed to UAC-0056 (SaintBear, UNC2589, TA471).

References
2022-08-18 | Trustwave | Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain, CaddyWiper, Cobalt Strike, CredoMap, DCRat, DoubleZero, GraphSteel, GrimPlant, HermeticWiper, INDUSTROYER2, InvisiMole, IsaacWiper, PartyTicket
2022-07-20 | U.S. Cyber Command | Cyber National Mission Force Public Affairs
Cyber National Mission Force discloses IOCs from Ukrainian networks
Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-07-20 | Mandiant | Mandiant Threat Intelligence
Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
Cobalt Strike, GraphSteel, GrimPlant, MicroBackdoor
2022-04-25 | Bitdefender | Martin Zugec
Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
GraphSteel, GrimPlant
2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink, Cobalt Strike, GraphSteel, GrimPlant, HermeticWiper, HermeticWizard, MicroBackdoor, PartyTicket, Saint Bot, Scieron, WhisperGate
2022-04-04 | Intezer | Joakim Kennedy, Nicole Fishbein
Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
GraphSteel, GrimPlant, SaintBear
2022-04-02 | GovInfo Security | Prajeet Nair
Cyber Espionage Actor Deploying Malware Using Excel
GraphSteel, GrimPlant
2022-04-01 | Malwarebytes | Ankur Saini, Hossein Jazi, Roberto Santos
New UAC-0056 activity: There’s a Go Elephant in the room
GrimPlant, SaintBear
2022-03-28 | Cert-UA | Cert-UA
UAC-0056 cyberattack on Ukrainian state authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)
GraphSteel, GrimPlant, SaintBear
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader, Agent Tesla, CaddyWiper, Cobalt Strike, DoubleZero, GraphSteel, GrimPlant, HeaderTip, HermeticWiper, IsaacWiper, MicroBackdoor, Pandora RAT
2022-03-15 | SentinelOne | Amitai Ben Shushan Ehrlich
Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
Cobalt Strike, GraphSteel, GrimPlant, SaintBear
Yara Rules
[TLP:WHITE] win_grimplant_auto (20260504 | Detects win.grimplant.)
rule win_grimplant_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c60002 c644242f0a 488d058c792b00 488b5c2440 488d4c242f 6690 e8???????? }
            // n = 7, score = 100
            //   c60002               | call                ecx
            //   c644242f0a           | dec                 eax
            //   488d058c792b00       | mov                 ecx, dword ptr [esp + 0x490]
            //   488b5c2440           | dec                 eax
            //   488d4c242f           | mov                 edi, ebx
            //   6690                 | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { e8???????? 48c740081b000000 488d0d9a972500 488908 488d0d312b2f00 48894c2450 4889442458 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48c740081b000000     | dec                 esp
            //   488d0d9a972500       | mov                 eax, eax
            //   488908               | dec                 eax
            //   488d0d312b2f00       | mov                 ebp, dword ptr [esp + 0x28]
            //   48894c2450           | dec                 eax
            //   4889442458           | add                 esp, 0x30

        $sequence_2 = { 7404 488b4008 48898424c0000000 48899c24c8000000 488d05b7651300 bb12000000 488d8c24c0000000 }
            // n = 7, score = 100
            //   7404                 | test                byte ptr [edx], al
            //   488b4008             | dec                 eax
            //   48898424c0000000     | mov                 ecx, dword ptr [ecx + 0x58]
            //   48899c24c8000000     | dec                 eax
            //   488d05b7651300       | mov                 dword ptr [esp + 0x228], ecx
            //   bb12000000           | dec                 eax
            //   488d8c24c0000000     | lea                 eax, [0x1629f4]

        $sequence_3 = { e8???????? 488d0d1a4e1800 488b542438 48894a10 833d????????00 7506 48894218 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d0d1a4e1800       | dec                 esp
            //   488b542438           | mov                 eax, dword ptr [esp + 0x60]
            //   48894a10             | dec                 esp
            //   833d????????00       |                     
            //   7506                 | mov                 ecx, dword ptr [esp + 0x58]
            //   48894218             | inc                 esp

        $sequence_4 = { eb1c 488d7810 488d1558094400 e8???????? 488d3da6958200 e8???????? 488b1d???????? }
            // n = 7, score = 100
            //   eb1c                 | dec                 eax
            //   488d7810             | mov                 edi, dword ptr [edx + 0x88]
            //   488d1558094400       | dec                 esp
            //   e8????????           |                     
            //   488d3da6958200       | mov                 ecx, dword ptr [edx + 0xc0]
            //   e8????????           |                     
            //   488b1d????????       |                     

        $sequence_5 = { eb04 31c0 31db 48899c24b0000000 4889842488000000 488b8c2498000000 488b91c8000000 }
            // n = 7, score = 100
            //   eb04                 | mov                 edi, dword ptr [esp + 0x30]
            //   31c0                 | dec                 eax
            //   31db                 | mov                 ebx, ecx
            //   48899c24b0000000     | dec                 esp
            //   4889842488000000     | mov                 ecx, esp
            //   488b8c2498000000     | nop                 dword ptr [eax]
            //   488b91c8000000       | dec                 eax

        $sequence_6 = { eb36 488b4c2450 488b4940 488b442478 ffd1 488b7c2468 488b0f }
            // n = 7, score = 100
            //   eb36                 | jmp                 0x15b2
            //   488b4c2450           | dec                 eax
            //   488b4940             | mov                 ecx, dword ptr [esp + 0x150]
            //   488b442478           | dec                 eax
            //   ffd1                 | mov                 dword ptr [eax + 8], ecx
            //   488b7c2468           | jne                 0x15b9
            //   488b0f               | dec                 eax

        $sequence_7 = { e8???????? 84c0 7577 488d05c7b12f00 e8???????? 488b0d???????? 488b15???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   7577                 | lea                 eax, [0x2110d4]
            //   488d05c7b12f00       | dec                 eax
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   488b15????????       |                     

        $sequence_8 = { 750d 488b542440 488910 e9???????? 4889c7 488b542440 e8???????? }
            // n = 7, score = 100
            //   750d                 | dec                 eax
            //   488b542440           | mov                 ecx, eax
            //   488910               | xor                 eax, eax
            //   e9????????           |                     
            //   4889c7               | mov                 edx, 1
            //   488b542440           | lock cmpxchg        dword ptr [ecx + 0x18], edx
            //   e8????????           |                     

        $sequence_9 = { e8???????? 488dbc2400020000 4889e6 660f1f840000000000 0f1f4000 48896c24f0 488d6c24f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488dbc2400020000     | dec                 eax
            //   4889e6               | lea                 ecx, [0xfa7b0]
            //   660f1f840000000000   | dec                 eax
            //   0f1f4000             | test                eax, eax
            //   48896c24f0           | jge                 0x10b6
            //   488d6c24f0           | dec                 eax

    condition:
        7 of them and filesize < 19940352
}