
QUARTERRIG

aka: MUSKYBEAT, STATICNOISE

Actor(s): APT29


A stager used by APT29 to download and run Cobalt Strike.
Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.

References
2023-09-22MandiantDan Black, Josh Atkins, Luke Jenkins
Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-07-27Recorded FutureInsikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG
2023-04-13GOV.PLCERT.PL, Military Counterintelligence Service
QUARTERRIG - Malware Analysis Report
QUARTERRIG
Yara Rules
[TLP:WHITE] win_quarterrig_auto (20260504 | Detects win.quarterrig.)
rule win_quarterrig_auto {
    // Auto-generated code-sequence signature for the QUARTERRIG family
    // (Malpedia id win.quarterrig). The rule fires when at least 7 of the
    // 10 byte sequences below occur in an input smaller than the size bound
    // given in the condition. Each $sequence_N is a run of instruction
    // bytes taken from one sample; "??" positions are wildcards for operand
    // bytes that vary between builds (e.g. the rel32 of e8 call targets and
    // RIP-relative displacements such as in 488b05????????).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.quarterrig."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // The "n = 7, score = 100" line under each string records the number of
    // instruction tokens in the sequence (each has 7) and, presumably, the
    // generator's selection score; both are informational and do not affect
    // matching.
    // NOTE(review): the mnemonic annotations beside each hex token look like
    // 32-bit decodes of x64 instruction bytes (REX prefixes 0x41/0x48/0x4c
    // appear as inc/dec) and in several places are offset from the bytes they
    // sit next to. Treat the hex as authoritative and the mnemonics as hints
    // only; they have no effect on what the rule matches.

    strings:
        $sequence_0 = { 488b95d0020000 4883fa10 720f 48ffc2 488b8db8020000 e8???????? 4c89adc8020000 }
            // n = 7, score = 100
            //   488b95d0020000       | mov                 dword ptr [ecx + 0x10], esi
            //   4883fa10             | inc                 edx
            //   720f                 | xor                 byte ptr [edx + eax], al
            //   48ffc2               | dec                 eax
            //   488b8db8020000       | inc                 edx
            //   e8????????           |                     
            //   4c89adc8020000       | dec                 eax

        $sequence_1 = { 49b833bb51376f21b729 49d3e8 45300401 4d03ce 4983f919 72dd 44886819 }
            // n = 7, score = 100
            //   49b833bb51376f21b729     | mov    dword ptr [ebp + 0x70], edi
            //   49d3e8               | inc                 eax
            //   45300401             | mov                 byte ptr [ebp + 0x58], bh
            //   4d03ce               | dec                 eax
            //   4983f919             | mov                 edx, dword ptr [ebp + 0x90]
            //   72dd                 | dec                 ecx
            //   44886819             | cmp                 edx, esi

        $sequence_2 = { 0f29742450 488b05???????? 4833c4 4889442440 660f6f35???????? c7442430054c22c9 c7442434f04985c7 }
            // n = 7, score = 100
            //   0f29742450           | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | lea                 edx, [ebp - 0x50]
            //   4889442440           | dec                 eax
            //   660f6f35????????     |                     
            //   c7442430054c22c9     | mov                 ecx, esi
            //   c7442434f04985c7     | dec                 eax

        $sequence_3 = { 4833c4 488985d8020000 4d8bf9 4c898dc0000000 4c8985c8000000 48899590010000 488bd9 }
            // n = 7, score = 100
            //   4833c4               | dec                 eax
            //   488985d8020000       | xor                 eax, esp
            //   4d8bf9               | dec                 eax
            //   4c898dc0000000       | mov                 dword ptr [ebp + 0x1300], eax
            //   4c8985c8000000       | inc                 ecx
            //   48899590010000       | mov                 edi, eax
            //   488bd9               | dec                 eax

        $sequence_4 = { 4c8d9c2410140000 498b5b30 498b7340 498be3 415f 415e 415c }
            // n = 7, score = 100
            //   4c8d9c2410140000     | dec                 eax
            //   498b5b30             | mov                 edx, dword ptr [esp + 0x70]
            //   498b7340             | dec                 ecx
            //   498be3               | cmp                 edx, edi
            //   415f                 | dec                 eax
            //   415e                 | mov                 ecx, dword ptr [esp + 0x78]
            //   415c                 | dec                 esp

        $sequence_5 = { 833d????????ff 75d2 c605????????01 0fb7442420 668905???????? 488d0d5f5b0300 e8???????? }
            // n = 7, score = 100
            //   833d????????ff       |                     
            //   75d2                 | or                  byte ptr [ecx + edi*8 + 0x3d], al
            //   c605????????01       |                     
            //   0fb7442420           | dec                 eax
            //   668905????????       |                     
            //   488d0d5f5b0300       | lea                 ecx, [0x294db]
            //   e8????????           |                     

        $sequence_6 = { b90e000000 4c8d055dc10100 488d155ec10100 e8???????? 4c8d0d6ac10100 b90f000000 4c8d0556c10100 }
            // n = 7, score = 100
            //   b90e000000           | mov                 edx, eax
            //   4c8d055dc10100       | dec                 ecx
            //   488d155ec10100       | mov                 ecx, dword ptr [esi]
            //   e8????????           |                     
            //   4c8d0d6ac10100       | dec                 eax
            //   b90f000000           | lea                 edx, [esp + 0xa0]
            //   4c8d0556c10100       | dec                 eax

        $sequence_7 = { 44396def 0f8492000000 488d4da7 e8???????? 4c8bc8 44386817 742f }
            // n = 7, score = 100
            //   44396def             | dec                 eax
            //   0f8492000000         | lea                 edx, [0xfffbfafb]
            //   488d4da7             | shr                 eax, 3
            //   e8????????           |                     
            //   4c8bc8               | mov                 dword ptr [esp + 0x50], eax
            //   44386817             | mov                 ecx, eax
            //   742f                 | mov                 dword ptr [esp + 0x48], eax

        $sequence_8 = { 41b3c3 0fb71424 498d0409 663b10 7506 443a5802 743e }
            // n = 7, score = 100
            //   41b3c3               | ret                 
            //   0fb71424             | dec                 eax
            //   498d0409             | lea                 ecx, [0x29c82]
            //   663b10               | test                eax, eax
            //   7506                 | jne                 0x161b
            //   443a5802             | inc                 ecx
            //   743e                 | sub                 dh, 0x2b

        $sequence_9 = { e8???????? eb0d 48ffc2 488d4c2420 e8???????? 03c3 488364244800 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb0d                 | inc                 eax
            //   48ffc2               | dec                 esp
            //   488d4c2420           | mov                 dword ptr [ebp - 0x20], ebp
            //   e8????????           |                     
            //   03c3                 | inc                 esp
            //   488364244800         | mov                 byte ptr [ebp - 0x38], bh

    condition:
        // At least 7 of the 10 sequences must be present. The filesize bound
        // (971776 bytes = 949 KiB) stops the rule from matching larger inputs
        // such as whole memory images or oversized containers, which also
        // means a sample padded or repacked beyond that size will be missed;
        // when scanning process memory or unpacked dumps, consider whether
        // the bound is still appropriate.
        7 of them and filesize < 971776
}