win.quarterrig

QUARTERRIG

aka: MUSKYBEAT, STATICNOISE

Actor(s): APT29


A stager used by APT29 to download and run Cobalt Strike.
Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.

References
2023-09-22 — Mandiant — Luke Jenkins, Josh Atkins, Dan Black
@online{jenkins:20230922:backchannel:6da10a8, author = {Luke Jenkins and Josh Atkins and Dan Black}, title = {{Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations}}, date = {2023-09-22}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing}, language = {English}, urldate = {2023-10-18} } Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
Brute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29)
2023-07-27 — Recorded Future — Insikt Group
@techreport{group:20230727:bluebravo:b456f7d, author = {Insikt Group}, title = {{BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware}}, date = {2023-07-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf}, language = {English}, urldate = {2023-07-28} } BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware
GraphDrop GraphicalNeutrino QUARTERRIG
2023-04-13 — GOV.PL — Military Counterintelligence Service, CERT.PL
@online{service:20230413:quarterrig:0435e72, author = {Military Counterintelligence Service and CERT.PL}, title = {{QUARTERRIG - Malware Analysis Report}}, date = {2023-04-13}, organization = {GOV.PL}, url = {https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77}, language = {English}, urldate = {2023-06-01} } QUARTERRIG - Malware Analysis Report
QUARTERRIG
Yara Rules
[TLP:WHITE] win_quarterrig_auto (20230715 | Detects win.quarterrig.)
rule win_quarterrig_auto {
    // Auto-generated (yara-signator) code-sequence rule for the QUARTERRIG
    // stager attributed to APT29. It fires when 7 of the 10 byte sequences
    // below are present and the scanned object is under the filesize cap
    // stated in `condition`.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.quarterrig."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 consecutive x86-64 instructions
        // (n = 7) lifted from the sampled binaries. The "??" bytes wildcard
        // the 4-byte rel32/disp32 operands of e8 (call), e9 (jmp) and
        // rip-relative loads such as 488b05 / 8b0d, so the pattern survives
        // relocation and relinking; every other byte must match exactly.
        // NOTE(review): the per-opcode mnemonics in the comments below do not
        // correspond to the hex bytes on the same line (e.g. the 48 REX.W
        // prefix is rendered as "dec eax"); treat them as informational only
        // and rely on the hex when reasoning about what the rule covers.
        $sequence_0 = { 488b05???????? 4833c4 4889442428 c74424205e4275c7 66c7442424ded1 8b0d???????? 65488b042558000000 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   4889442428           | lea                 eax, [0x39a87]
            //   c74424205e4275c7     | ret                 
            //   66c7442424ded1       | dec                 eax
            //   8b0d????????         |                     
            //   65488b042558000000     | sub    esp, 0x28

        $sequence_1 = { 57 4883ec20 8bda 488bf9 488d05b5610300 488901 488d054b610300 }
            // n = 7, score = 100
            //   57                   | cmp                 ecx, 0x1000
            //   4883ec20             | jb                  0x95e
            //   8bda                 | jmp                 0x963
            //   488bf9               | dec                 eax
            //   488d05b5610300       | test                ecx, ecx
            //   488901               | je                  0x966
            //   488d054b610300       | dec                 eax

        $sequence_2 = { 40887002 498bc6 48ffc0 41383402 75f7 488d8df0010000 4883bd0802000010 }
            // n = 7, score = 100
            //   40887002             | dec                 eax
            //   498bc6               | inc                 edx
            //   48ffc0               | dec                 esp
            //   41383402             | mov                 dword ptr [ebp - 0x58], esi
            //   75f7                 | inc                 esp
            //   488d8df0010000       | mov                 byte ptr [ebp - 0x70], ch
            //   4883bd0802000010     | dec                 eax

        $sequence_3 = { e9???????? 488d0d138f0200 e9???????? 488d0d5b8e0200 e9???????? 488d0dd3910200 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d0d138f0200       | mov                 byte ptr [esp + 0x38], bh
            //   e9????????           |                     
            //   488d0d5b8e0200       | dec                 eax
            //   e9????????           |                     
            //   488d0dd3910200       | mov                 edx, dword ptr [esp + 0x50]
            //   e9????????           |                     

        $sequence_4 = { 488d0d4f970200 e9???????? 488d0d138f0200 e9???????? 488d0d5b8e0200 e9???????? 488d0dd3910200 }
            // n = 7, score = 100
            //   488d0d4f970200       | mov                 ebx, eax
            //   e9????????           |                     
            //   488d0d138f0200       | inc                 esp
            //   e9????????           |                     
            //   488d0d5b8e0200       | cmp                 byte ptr [eax + 0x4a], ch
            //   e9????????           |                     
            //   488d0dd3910200       | je                  0x2053

        $sequence_5 = { 488b4d28 e8???????? 4883c420 5d c3 488b8a80000000 e9???????? }
            // n = 7, score = 100
            //   488b4d28             | test                edi, edi
            //   e8????????           |                     
            //   4883c420             | je                  0xc3e
            //   5d                   | dec                 ebp
            //   c3                   | mov                 ecx, ebp
            //   488b8a80000000       | dec                 esp
            //   e9????????           |                     

        $sequence_6 = { 4c896da8 4c896db0 4c896da8 48c745b00f000000 44886d98 488bd3 482bd7 }
            // n = 7, score = 100
            //   4c896da8             | lea                 ebp, [esp + 0xf]
            //   4c896db0             | mov                 dword ptr [esp + 0x30], ebx
            //   4c896da8             | dec                 esp
            //   48c745b00f000000     | lea                 eax, [esp + 0x30]
            //   44886d98             | dec                 eax
            //   488bd3               | lea                 edx, [ebp - 8]
            //   482bd7               | dec                 eax

        $sequence_7 = { 4c8d45c0 488d55f0 488bcf e8???????? 90 488b55d8 4883fa10 }
            // n = 7, score = 100
            //   4c8d45c0             | inc                 esp
            //   488d55f0             | mov                 ecx, dword ptr [esi + 0x18]
            //   488bcf               | inc                 ecx
            //   e8????????           |                     
            //   90                   | mov                 al, 0x4c
            //   488b55d8             | dec                 eax
            //   4883fa10             | lea                 edx, [ebp - 0x11]

        $sequence_8 = { 488b5028 4885d2 750d 488d5030 eb07 488d15d9480300 488d4c2428 }
            // n = 7, score = 100
            //   488b5028             | inc                 ecx
            //   4885d2               | mov                 cl, cl
            //   750d                 | and                 cl, 7
            //   488d5030             | inc                 esp
            //   eb07                 | cmp                 byte ptr [eax + 0xe], ch
            //   488d15d9480300       | je                  0x142
            //   488d4c2428           | dec                 ebp

        $sequence_9 = { 488d4d88 e8???????? 488d45d8 488945d0 488d151bb00600 488d4dd8 e8???????? }
            // n = 7, score = 100
            //   488d4d88             | inc                 ecx
            //   e8????????           |                     
            //   488d45d8             | mov                 edi, 3
            //   488945d0             | movups              xmmword ptr [ebx], xmm0
            //   488d151bb00600       | movups              xmm1, xmmword ptr [esp + 0x68]
            //   488d4dd8             | movups              xmmword ptr [ebx + 0x10], xmm1
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences must be present; the filesize bound restricts
        // matching to objects no larger than the sampled binaries. Because the
        // sequences were selected from memory dumps and unpacked files (see
        // DISCLAIMER), packed on-disk samples will likely not match — scan
        // unpacked files or memory to get the intended coverage.
        // NOTE(review): how `filesize` is evaluated for process-memory scans
        // depends on the YARA version in use — confirm before relying on
        // this rule in that mode.
        7 of them and filesize < 971776
}