win.polyglotduke

PolyglotDuke

Actor(s): APT29


There is no description at this point.

References
2020-03-26 — VMWare Carbon Black — Scott Knight
The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01 — Secureworks — SecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17 — ESET Research — ESET Research
Operation Ghost: The Dukes aren’t back – they never left
PolyglotDuke
Yara Rules
[TLP:WHITE] win_polyglotduke_auto (20260504 | Detects win.polyglotduke.)
rule win_polyglotduke_auto {

    /* Auto-generated code-sequence signature for the PolyglotDuke family
     * (Malpedia id win.polyglotduke). The byte patterns under `strings` were
     * selected by YARA-Signator from sample disassembly, not hand-picked; the
     * matching logic is the `condition` at the bottom. Read the DISCLAIMER
     * below before tuning these patterns or assigning them a confidence level.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Revision of this rule and of the generator build that emitted it.
        date = "2026-05-04"
        version = "1"
        description = "Detects win.polyglotduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature selection; presumably call/jump structure, data
        // references and binary values -- confirm against the signator docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        // Provenance: the Malpedia family page and, presumably, the data-set
        // revision the rule was generated from (confirm against the generator),
        // plus the licence and sharing terms the rule is published under.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of consecutive instruction encodings taken
     * from one sample. The `??` wildcards mask the 4-byte operand that follows
     * e8 / e9 / ff15 (call / jmp / indirect call), whose value depends on link
     * layout and load address, so the pattern keys on opcode structure rather
     * than on exact targets. In the per-sequence comments, `n` is the number
     * of instructions in the sequence and `score` is presumably the
     * generator's ranking for it.
     *
     * NOTE(review): the mnemonic column beside each opcode does not decode the
     * bytes on its own line (e.g. 49ffc1 is a REX-prefixed inc, not a mov;
     * 488b7c2430 is a mov from [rsp + 0x30], not inc ecx). This looks like a
     * generator artefact on 64-bit samples; treat the hex bytes as the source
     * of truth and re-disassemble them in 64-bit mode when reviewing a hit.
     */
    strings:
        $sequence_0 = { 49ffc1 4d3bca 7cbd e9???????? 488b7c2430 498bcc e8???????? }
            // n = 7, score = 100
            //   49ffc1               | mov                 dword ptr [eax - 0x50], ebx
            //   4d3bca               | dec                 ecx
            //   7cbd                 | or                  ebp, 0xffffffff
            //   e9????????           |                     
            //   488b7c2430           | inc                 ecx
            //   498bcc               | mov                 esp, 0xfde9
            //   e8????????           |                     

        $sequence_1 = { 0f44cf 4863f1 488d4c3602 e8???????? 448d4601 488bd8 }
            // n = 6, score = 100
            //   0f44cf               | lea                 ecx, [esp + 0x20]
            //   4863f1               | dec                 eax
            //   488d4c3602           | mov                 edx, eax
            //   e8????????           |                     
            //   448d4601             | dec                 ecx
            //   488bd8               | neg                 ebp

        $sequence_2 = { 482bc8 48c1e903 8bc1 488b7cc420 488bcf ff15???????? 8d5801 }
            // n = 7, score = 100
            //   482bc8               | dec                 eax
            //   48c1e903             | lea                 edx, [0x1001f]
            //   8bc1                 | dec                 eax
            //   488b7cc420           | mov                 ecx, ebx
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   8d5801               | lea                 edx, [0xfffb]

        $sequence_3 = { 418bd4 488bce 4983c010 e8???????? 488bcb e8???????? 488bc6 }
            // n = 7, score = 100
            //   418bd4               | mov                 edi, eax
            //   488bce               | inc                 ecx
            //   4983c010             | mov                 ecx, 0x10000000
            //   e8????????           |                     
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   488bc6               | mov                 edx, edi

        $sequence_4 = { 488d0d67d20000 488bd8 e8???????? 488b542430 488b8c24c0000000 488bf8 e8???????? }
            // n = 7, score = 100
            //   488d0d67d20000       | lea                 eax, [0x9486]
            //   488bd8               | mov                 edx, edi
            //   e8????????           |                     
            //   488b542430           | dec                 ecx
            //   488b8c24c0000000     | mov                 ecx, ebp
            //   488bf8               | test                eax, eax
            //   e8????????           |                     

        $sequence_5 = { 488bf2 488be9 4885c9 7507 33c0 e9???????? 488bca }
            // n = 7, score = 100
            //   488bf2               | mov                 cl, byte ptr [eax]
            //   488be9               | cmp                 cl, 0xe0
            //   4885c9               | jb                  0x16a5
            //   7507                 | cmp                 cl, 0xef
            //   33c0                 | jae                 0x161c
            //   e9????????           |                     
            //   488bca               | inc                 ecx

        $sequence_6 = { ff15???????? 4889742420 c744242803000000 4863c8 488d85b0010000 4889742438 6689b44db2010000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4889742420           | sete                al
            //   c744242803000000     | inc                 eax
            //   4863c8               | mov                 dword ptr [ecx + 0x30], eax
            //   488d85b0010000       | dec                 esp
            //   4889742438           | cmp                 dword ptr [edx + 0x28], esp
            //   6689b44db2010000     | je                  0x12ec

        $sequence_7 = { 488bd8 e8???????? 41bc04010000 418bcc e8???????? }
            // n = 5, score = 100
            //   488bd8               | mov                 ecx, esi
            //   e8????????           |                     
            //   41bc04010000         | jmp                 0xfd6
            //   418bcc               | dec                 ecx
            //   e8????????           |                     

        $sequence_8 = { 4c8b6c2430 418bfc e9???????? 448b03 488b5308 488b4c2438 }
            // n = 6, score = 100
            //   4c8b6c2430           | dec                 eax
            //   418bfc               | lea                 edx, [esp + 0x20]
            //   e9????????           |                     
            //   448b03               | dec                 eax
            //   488b5308             | mov                 ecx, eax
            //   488b4c2438           | dec                 eax

        $sequence_9 = { 7455 8d5011 488d0d27570100 e8???????? 488bc8 488bf8 e8???????? }
            // n = 7, score = 100
            //   7455                 | dec                 eax
            //   8d5011               | mov                 ecx, ebx
            //   488d0d27570100       | inc                 ebp
            //   e8????????           |                     
            //   488bc8               | test                ah, ah
            //   488bf8               | je                  0x17f2
            //   e8????????           |                     

    condition:
        // Any 7 of the 10 sequences must be present, so up to 3 may be missing
        // or altered in a variant. The size cap restricts matching to objects
        // below ~218 KiB, which bounds false positives on large files but also
        // excludes larger containers that embed this code.
        // NOTE(review): `filesize` is a file-scan concept; when scanning process
        // memory or memory dumps, confirm how your scanner evaluates it, since
        // the conjunction can prevent a match on non-file input.
        7 of them and filesize < 222784
}