SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sagerunex (Back to overview)

Sagerunex

Actor(s): LOTUS PANDA

VTCollection    

According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted and the encryption algorithm used is AES256-CBC with 8192 rounds of SHA256 for key derivation based on a hardcoded key. It supports multiple modes methods for communicating via HTTP (proxy-aware).

References
2022-11-15SymantecThreat Hunter Team
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex
Yara Rules
[TLP:WHITE] win_sagerunex_auto (20230808 | Detects win.sagerunex.)
rule win_sagerunex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.sagerunex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8bb424d8010000 c744245001000000 4c896c2458 4c896c2460 4885c9 742c 4a8d04fd00000000 }
            // n = 7, score = 100
            //   4c8bb424d8010000     | jne                 0xc35
            //   c744245001000000     | dec                 eax
            //   4c896c2458           | mov                 ecx, dword ptr [esi + 0x270]
            //   4c896c2460           | inc                 esp
            //   4885c9               | lea                 ecx, [ebx - 0x1a]
            //   742c                 | test                eax, eax
            //   4a8d04fd00000000     | je                  0xd54

        $sequence_1 = { 72d1 498bd4 483bd7 488d4de7 480f42fa 488bd7 e8???????? }
            // n = 7, score = 100
            //   72d1                 | ror                 edx, 0xb
            //   498bd4               | inc                 esp
            //   483bd7               | mov                 dword ptr [esp + 0x10], esi
            //   488d4de7             | xor                 edx, eax
            //   480f42fa             | and                 ecx, esi
            //   488bd7               | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_2 = { c74324a44ffabe 488bcb 89b3e8000000 c70340000000 e8???????? 488d442420 c60000 }
            // n = 7, score = 100
            //   c74324a44ffabe       | and                 ecx, ebp
            //   488bcb               | rol                 eax, 7
            //   89b3e8000000         | mov                 edx, ebp
            //   c70340000000         | inc                 ecx
            //   e8????????           |                     
            //   488d442420           | xor                 ecx, ecx
            //   c60000               | add                 esi, eax

        $sequence_3 = { 498bcc e8???????? 85c0 7849 488d45b0 488d55f0 498bcf }
            // n = 7, score = 100
            //   498bcc               | cmp                 dword ptr [ecx], 0
            //   e8????????           |                     
            //   85c0                 | je                  0x594
            //   7849                 | dec                 eax
            //   488d45b0             | mov                 ecx, dword ptr [ebp + 0x10]
            //   488d55f0             | dec                 esp
            //   498bcf               | lea                 eax, [edx - 1]

        $sequence_4 = { e8???????? e8???????? ffc7 448bc0 b84fecc44e 41f7e8 c1fa03 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   ffc7                 | mov                 eax, dword ptr [ebp + 0x10]
            //   448bc0               | dec                 ebp
            //   b84fecc44e           | mov                 ecx, dword ptr [edi + 0x10]
            //   41f7e8               | ja                  0x5b8
            //   c1fa03               | dec                 ecx

        $sequence_5 = { 4d894838 4c8b5340 458bca 4983d300 49c1ea20 418bc9 4d0fafcf }
            // n = 7, score = 100
            //   4d894838             | jb                  0xbc3
            //   4c8b5340             | outsb               dx, byte ptr [esi]
            //   458bca               | cmp                 al, 0x48
            //   4983d300             | mov                 dword ptr [ecx + 0x20], eax
            //   49c1ea20             | dec                 eax
            //   418bc9               | mov                 eax, 0x5f1d36f1
            //   4d0fafcf             | cmp                 dh, ch

        $sequence_6 = { 894260 33d2 e8???????? 488d442470 488d15d0230300 }
            // n = 5, score = 100
            //   894260               | test                esi, esi
            //   33d2                 | je                  0x17f6
            //   e8????????           |                     
            //   488d442470           | dec                 eax
            //   488d15d0230300       | cmp                 esi, ebp

        $sequence_7 = { 83f803 7cc5 eb04 897c2450 443bfe 752a 448b7c2444 }
            // n = 7, score = 100
            //   83f803               | ror                 eax, 6
            //   7cc5                 | xor                 eax, edx
            //   eb04                 | inc                 ecx
            //   897c2450             | lea                 edx, [edi + 0x4ed8aa4a]
            //   443bfe               | inc                 esp
            //   752a                 | mov                 edi, dword ptr [esp + 0xa8]
            //   448b7c2444           | inc                 ecx

        $sequence_8 = { 498bcf c745df02000000 c745fb01000000 c745e301000000 ff15???????? 85c0 7507 }
            // n = 7, score = 100
            //   498bcf               | mov                 dword ptr [eax], 0x16
            //   c745df02000000       | jmp                 0xcf0
            //   c745fb01000000       | dec                 esp
            //   c745e301000000       | lea                 esi, [0x1bca1]
            //   ff15????????         |                     
            //   85c0                 | je                  0xcef
            //   7507                 | dec                 esp

        $sequence_9 = { 4403c0 418bc6 4503c2 c1c007 c1ca0b 33d0 418bc6 }
            // n = 7, score = 100
            //   4403c0               | test                eax, eax
            //   418bc6               | jne                 0x772
            //   4503c2               | dec                 eax
            //   c1c007               | lea                 ebx, [edi + 0x130]
            //   c1ca0b               | dec                 eax
            //   33d0                 | mov                 edx, esi
            //   418bc6               | dec                 eax

    condition:
        7 of them and filesize < 619520
}
Download all Yara Rules