
SADBRIDGE


According to Elastic, SADBRIDGE is a malware loader packaged as an MSI executable for delivery and it uses DLL side-loading with various injection techniques to execute malicious payloads. SADBRIDGE abuses legitimate applications such as x64dbg.exe and MonitoringHost.exe to load malicious DLLs like x64bridge.dll and HealthServiceRuntime.dll, which leads to subsequent stages and shellcodes.

References
2024-12-12ElasticDaniel Stepanic, Elastic Security Labs, Jia Yu Chan, Salim Bitam, Seth Goodwin
Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
Gosar Quasar RAT SADBRIDGE
Yara Rules
[TLP:WHITE] win_sadbridge_auto (20260504 | Detects win.sadbridge.)
rule win_sadbridge_auto {

    /* Auto-generated opcode-sequence rule for the SADBRIDGE loader (Malpedia: win.sadbridge).
     * Matching is driven purely by the raw hex byte runs in $sequence_0..$sequence_7; the
     * disassembly listed beside each byte run is informational and, as noted below, not
     * reliably aligned with the bytes.
     * The sequences were taken from unpacked code / memory dumps (see DISCLAIMER), so the rule
     * is best applied to unpacked modules or memory images rather than to the packed delivery
     * artefact; whether it fires on an on-disk MSI is not something this rule establishes.
     * The REX prefixes in the byte runs (0x41, 0x48, 0x49, 0x4c, 0x4d) suggest x86-64 code —
     * NOTE(review): consistent with the family description, but confirm against your own samples.
     */
    meta:
        // Metadata is informational only; none of these fields influence matching.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sadbridge."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadbridge"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the per-line disassembly comments do not line up with their bytes.
     * The same two bytes `0000` are labelled `dec ecx` under $sequence_5 but
     * `add byte ptr [eax], al` under $sequence_6, so treat the mnemonics as a rough cue
     * only and rely on the hex when comparing against a sample.
     * `n` is the number of byte runs in the sequence; `score` is the generator's weighting.
     */
    strings:
        $sequence_0 = { 014348 4439c1 0f8dae000000 4c63e1 }
            // n = 4, score = 100
            //   014348               | mov                 ecx, esp
            //   4439c1               | inc                 ecx
            //   0f8dae000000         | mov                 byte ptr [esp + 0xff], 0
            //   4c63e1               | inc                 ecx

        $sequence_1 = { 0075cd baff000000 4d8b842418010000 4c89e1 }
            // n = 4, score = 100
            //   0075cd               | xor                 eax, eax
            //   baff000000           | add                 byte ptr [ecx + ecx*4 - 0x3e], al
            //   4d8b842418010000     | dec                 ecx
            //   4c89e1               | or                  esi, edx

        // `e9????????`: the e9 opcode (jmp rel32) is followed by four wildcard bytes, so the
        // jump's displacement is not pinned and the sequence survives a change of jump target.
        $sequence_2 = { 019c24a8000000 48898424b8000000 e9???????? 4c8da424b0000000 488d154cc6c000 }
            // n = 5, score = 100
            //   019c24a8000000       | dec                 ecx
            //   48898424b8000000     | or                  esi, edx
            //   e9????????           |                     
            //   4c8da424b0000000     | inc                 ecx
            //   488d154cc6c000       | cmp                 eax, -1

        $sequence_3 = { 014348 0fb60a 89c8 80f943 }
            // n = 4, score = 100
            //   014348               | mov                 edx, 0xff
            //   0fb60a               | dec                 ebp
            //   89c8                 | mov                 eax, dword ptr [esp + 0x118]
            //   80f943               | dec                 esp

        $sequence_4 = { 01c0 4189c2 4183ca01 f6c202 410f45c2 4883e902 }
            // n = 6, score = 100
            //   01c0                 | mov                 ebx, eax
            //   4189c2               | sete                byte ptr [esp + 0x70]
            //   4183ca01             | dec                 eax
            //   f6c202               | test                eax, eax
            //   410f45c2             | add                 dword ptr [ebx + 0x48], eax
            //   4883e902             | movzx               ecx, byte ptr [edx]

        // $sequence_5 and $sequence_6 both open with `0000`, a very common byte pair; the
        // longer runs that follow are what make each sequence selective.
        $sequence_5 = { 0000 4c89e1 41c68424ff00000000 41ff942410010000 }
            // n = 4, score = 100
            //   0000                 | dec                 ecx
            //   4c89e1               | mov                 dword ptr [esp + 0x100], edx
            //   41c68424ff00000000     | add    byte ptr [eax], al
            //   41ff942410010000     | dec                 ecx

        $sequence_6 = { 0000 498b842400010000 483dff000000 0f841d0f0000 }
            // n = 4, score = 100
            //   0000                 | add                 byte ptr [eax], al
            //   498b842400010000     | dec                 ecx
            //   483dff000000         | mov                 eax, dword ptr [esp + 0x100]
            //   0f841d0f0000         | dec                 eax

        $sequence_7 = { 004489c2 4909d6 4183f8ff 4889c3 }
            // n = 4, score = 100
            //   004489c2             | dec                 esp
            //   4909d6               | mov                 ecx, esp
            //   4183f8ff             | inc                 ecx
            //   4889c3               | mov                 byte ptr [esp + 0xff], 0

    condition:
        // 7 of the 8 sequences must be present, so a single missing or altered sequence
        // (e.g. after recompilation) does not defeat the rule.
        // The filesize bound (~24.7 MiB) limits scanning cost on large inputs; a larger
        // sample is not matched even if every sequence is present, so size the bound to
        // the objects you actually scan.
        7 of them and filesize < 25882624
}