216.73.217.98

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 21:44 · Modified 20/12/2025 21:44

Essential information

Value / Name
e23fc2c5e2c1346f1db74300a9aacaf8c18b4289
Confidence
100/100
Revoked
Yes
Valid from
22/07/2022 14:00
Valid until
25/10/2023 14:00
Pattern type
yara
Published
20/12/2025 21:44
Modified
20/12/2025 21:44
Author / Source
AlienVault

Description

No description.

Pattern

rule MTI_HUNTING_Crypto_GRIMPLANT_GRAPHSTEEL
{
    meta:
        author = "Mandiant Threat Intelligence"
        descr = "Find the crypto key for GRIMPLANT/GRAPHSTEEL C2 decryption"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment."

    strings:
        // Two 16-byte hex byte sequences
        $ = {f1 d2 19 60 d8 eb 2f dd f2 53 8d 29 a5 fd 50 b5}
        $ = {f6 4a 3f 9b f0 6f 2a 3c 4c 95 04 38 c9 a7 f7 8e}
        // Error message text using Go fmt-style %v verbs
        $ = " ciphertext is not large enough. It is less that one block size. Blocksize:%v; Ciphertext:%v"

    condition:
        all of them
}

Labels / Tags

Labels: apt geopolitical conflict ghostwriter ukraine unc1151 unc2589

Marking (TLP)

TLP:CLEAR