win.rustonotto

Rustonotto

aka: CHILLYCHINO

Actor(s): APT37


Rustonotto, observed since June 2025, is a Rust-compiled Windows backdoor. According to the Zscaler report below, it is the first known instance of APT37 using Rust-based malware against Windows targets.

References
2025-09-08 — Zscaler — Seongsu Park
APT37 Targets Windows with Rust Backdoor and Python Loader
Rustonotto
Yara Rules
[TLP:WHITE] win_rustonotto_auto (20260504 | Detects win.rustonotto.)
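rule win_rustonotto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rustonotto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustonotto"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* ANNOTATION NOTES (review)
     * The byte sequences below come from an x86-64 image: REX prefixes
     * (0x48/0x49/0x4c/0x4d) and RIP-relative addressing appear throughout.
     * The per-line comments give the decoding of the bytes on that line.
     * "????????" wildcards stand for rel32 call/jmp targets or RIP-relative
     * displacements that differ between builds. Relative branch targets are
     * written as signed offsets from the end of the branch instruction, not
     * as absolute addresses.
     *
     * Because the strings were lifted from memory dumps / unpacked files
     * (see DISCLAIMER), a packed or otherwise transformed on-disk sample is
     * not expected to match; scan unpacked images or process memory.
     *
     * NOTE(review): $sequence_0 and $sequence_4 are lock-prefixed atomic
     * read-modify-write loops and $sequence_3 is an ordinary function
     * epilogue (xmm restore, stack release, pops). These look like generic
     * compiler/runtime boilerplate rather than family-specific logic and may
     * also appear in unrelated Rust binaries; weight confidence accordingly
     * before using a hit for attribution.
     */

    strings:
        $sequence_0 = { 755f ba010000c0 f00fc111 81c2010000c0 81fa00000040 72a4 e8???????? }
            // n = 7, score = 100
            //   755f                 | jne                 +0x5f
            //   ba010000c0           | mov                 edx, 0xc0000001
            //   f00fc111             | lock xadd           dword ptr [rcx], edx
            //   81c2010000c0         | add                 edx, 0xc0000001
            //   81fa00000040         | cmp                 edx, 0x40000000
            //   72a4                 | jb                  -0x5c
            //   e8????????           | call                rel32 (wildcarded)

        // Starts on the terminating ret of the preceding function; the
        // remaining bytes are the next function's entry.
        $sequence_1 = { c3 488d0523461b00 4889ce 4889c1 e8???????? 4889f1 89c2 }
            // n = 7, score = 100
            //   c3                   | ret
            //   488d0523461b00       | lea                 rax, [rip + 0x1b4623]
            //   4889ce               | mov                 rsi, rcx
            //   4889c1               | mov                 rcx, rax
            //   e8????????           | call                rel32 (wildcarded)
            //   4889f1               | mov                 rcx, rsi
            //   89c2                 | mov                 edx, eax

        $sequence_2 = { 83f902 0f83e1040000 488b0f c6850f04000001 e8???????? 84c0 0f84d2040000 }
            // n = 7, score = 100
            //   83f902               | cmp                 ecx, 2
            //   0f83e1040000         | jae                 +0x4e1
            //   488b0f               | mov                 rcx, qword ptr [rdi]
            //   c6850f04000001       | mov                 byte ptr [rbp + 0x40f], 1
            //   e8????????           | call                rel32 (wildcarded)
            //   84c0                 | test                al, al
            //   0f84d2040000         | je                  +0x4d2

        $sequence_3 = { c6859309000001 0f28742440 0f287c2430 4883c458 5b 5f 5e }
            // n = 7, score = 100
            //   c6859309000001       | mov                 byte ptr [rbp + 0x993], 1
            //   0f28742440           | movaps              xmm6, xmmword ptr [rsp + 0x40]
            //   0f287c2430           | movaps              xmm7, xmmword ptr [rsp + 0x30]
            //   4883c458             | add                 rsp, 0x58
            //   5b                   | pop                 rbx
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi

        $sequence_4 = { f00fb04e10 7566 b901000000 31c0 f0480fb10e 0f94c1 7534 }
            // n = 7, score = 100
            //   f00fb04e10           | lock cmpxchg        byte ptr [rsi + 0x10], cl
            //   7566                 | jne                 +0x66
            //   b901000000           | mov                 ecx, 1
            //   31c0                 | xor                 eax, eax
            //   f0480fb10e           | lock cmpxchg        qword ptr [rsi], rcx
            //   0f94c1               | sete                cl
            //   7534                 | jne                 +0x34

        $sequence_5 = { e8???????? e9???????? 4c8d05e5491b00 4889f1 4889fa e8???????? e9???????? }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (wildcarded)
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   4c8d05e5491b00       | lea                 r8, [rip + 0x1b49e5]
            //   4889f1               | mov                 rcx, rsi
            //   4889fa               | mov                 rdx, rdi
            //   e8????????           | call                rel32 (wildcarded)
            //   e9????????           | jmp                 rel32 (wildcarded)

        $sequence_6 = { ba35000000 e8???????? eb68 48899da8010000 4c89adb0010000 4c897d68 4889b5b8010000 }
            // n = 7, score = 100
            //   ba35000000           | mov                 edx, 0x35
            //   e8????????           | call                rel32 (wildcarded)
            //   eb68                 | jmp                 +0x68
            //   48899da8010000       | mov                 qword ptr [rbp + 0x1a8], rbx
            //   4c89adb0010000       | mov                 qword ptr [rbp + 0x1b0], r13
            //   4c897d68             | mov                 qword ptr [rbp + 0x68], r15
            //   4889b5b8010000       | mov                 qword ptr [rbp + 0x1b8], rsi

        $sequence_7 = { 7408 488908 e9???????? 6641c746220100 6641895624 4c8b7c2430 488b542438 }
            // n = 7, score = 100
            //   7408                 | je                  +0x8
            //   488908               | mov                 qword ptr [rax], rcx
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   6641c746220100       | mov                 word ptr [r14 + 0x22], 1
            //   6641895624           | mov                 word ptr [r14 + 0x24], dx
            //   4c8b7c2430           | mov                 r15, qword ptr [rsp + 0x30]
            //   488b542438           | mov                 rdx, qword ptr [rsp + 0x38]

        $sequence_8 = { 7714 4489c0 83e003 4983f804 7343 4531db e9???????? }
            // n = 7, score = 100
            //   7714                 | ja                  +0x14
            //   4489c0               | mov                 eax, r8d
            //   83e003               | and                 eax, 3
            //   4983f804             | cmp                 r8, 4
            //   7343                 | jae                 +0x43
            //   4531db               | xor                 r11d, r11d
            //   e9????????           | jmp                 rel32 (wildcarded)

        $sequence_9 = { 85c0 0f8462fbffff 488b0d???????? e8???????? 89c2 84c0 0f859afeffff }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8462fbffff         | je                  -0x49e
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32] (wildcarded)
            //   e8????????           | call                rel32 (wildcarded)
            //   89c2                 | mov                 edx, eax
            //   84c0                 | test                al, al
            //   0f859afeffff         | jne                 -0x166

    condition:
        // At least seven of the ten sequences must be present. The size cap
        // is presumably derived from the generation sample(s) rather than a
        // property of the family; a larger build would be excluded by it.
        7 of them and filesize < 5989376
}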