win.sagerunex

Sagerunex

Actor(s): LOTUS PANDA


According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted; the encryption algorithm used is AES256-CBC, with the key derived from a hardcoded key by 8192 rounds of SHA256. It supports multiple methods for communicating via HTTP (proxy-aware).

References
2026-01-02 — Securite360.net — Muffin
The Intriguing Lotus: A Deep Dive into Sagerunex
Sagerunex
2022-11-15 — Symantec — Threat Hunter Team
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex
2022-11-15 — Symantec — Threat Hunter Team
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex LOTUS PANDA
Yara Rules
[TLP:WHITE] win_sagerunex_auto (20260504 | Detects win.sagerunex.)
// Machine-generated code-sequence signature for win.sagerunex (the Lotus Panda /
// Billbug backdoor described in the references above). It matches on raw opcode
// byte runs taken from a single documented sample, so coverage of other builds
// or variants is not guaranteed (see the generator's DISCLAIMER below).
rule win_sagerunex_auto {

    // Provenance metadata only; none of these fields influence matching.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sagerunex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a contiguous run of instruction bytes. The many
    // 0x48/0x49/0x4c lead bytes are REX prefixes, so this looks like 64-bit code
    // (confirm against the sample). The `??` wildcards mask the rel32 operand of
    // `e8` CALL instructions, which shifts between builds.
    //
    // NOTE(review): the inline "| mnemonic" annotations emitted by the generator
    // do not line up with the bytes they sit next to (e.g. `75f4` is a short
    // conditional jump, not `xor edx, edx`; `488bbc24...` is REX-prefixed but is
    // annotated as a 32-bit `mov`). Treat the annotations as informational only
    // and rely on the hex bytes when reviewing or tuning the rule.
    strings:
        $sequence_0 = { 488bbc2468010000 488d4510 660f1f440000 c60000 488d4001 48ffcb 75f4 }
            // n = 7, score = 100
            //   488bbc2468010000     | mov                 edx, dword ptr [eax + eax]
            //   488d4510             | dec                 esp
            //   660f1f440000         | mov                 eax, ecx
            //   c60000               | dec                 eax
            //   488d4001             | lea                 edi, [ecx + 0xd840]
            //   48ffcb               | inc                 ebp
            //   75f4                 | xor                 edx, edx

        $sequence_1 = { e8???????? bb40000000 498d9698000000 448bc3 498bce 49c70600000000 41c7460801234567 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   bb40000000           | xor                 ecx, eax
            //   498d9698000000       | and                 edi, ebp
            //   448bc3               | mov                 eax, ebx
            //   498bce               | ror                 eax, 2
            //   49c70600000000       | xor                 ecx, eax
            //   41c7460801234567     | inc                 ecx

        $sequence_2 = { b85c000000 6689844d40030000 48ffc9 4885c9 7fe0 33d2 488d8dc2000000 }
            // n = 7, score = 100
            //   b85c000000           | add                 edx, ecx
            //   6689844d40030000     | rol                 eax, 0xa
            //   48ffc9               | inc                 esp
            //   4885c9               | and                 ecx, edi
            //   7fe0                 | add                 ebx, edx
            //   33d2                 | inc                 ecx
            //   488d8dc2000000       | mov                 ecx, eax

        $sequence_3 = { 0fbaef11 eb2b 488d1535e90000 41b807000000 488bcb e8???????? 85c0 }
            // n = 7, score = 100
            //   0fbaef11             | dec                 eax
            //   eb2b                 | test                eax, eax
            //   488d1535e90000       | jne                 0x194
            //   41b807000000         | mov                 eax, edx
            //   488bcb               | dec                 esp
            //   e8????????           |                     
            //   85c0                 | mov                 edi, dword ptr [esp + 0x20]

        $sequence_4 = { 771b 7216 4883e808 48ffca 75e9 eb17 483bc2 }
            // n = 7, score = 100
            //   771b                 | mov                 dword ptr [esp + 0x28], 0x32
            //   7216                 | dec                 eax
            //   4883e808             | mov                 dword ptr [esp + 0x20], ebx
            //   48ffca               | lea                 ebx, [ebp + 0x32]
            //   75e9                 | dec                 ebp
            //   eb17                 | lea                 eax, [ebp + 0x64]
            //   483bc2               | inc                 ecx

        $sequence_5 = { 33d0 8bc1 418bcf c1e80a 33d0 418bc7 c1c10e }
            // n = 7, score = 100
            //   33d0                 | dec                 ecx
            //   8bc1                 | mov                 edx, edi
            //   418bcf               | dec                 eax
            //   c1e80a               | mov                 dword ptr [esp + 0x30], ebx
            //   33d0                 | dec                 eax
            //   418bc7               | mov                 ebx, dword ptr [edx + 8]
            //   c1c10e               | dec                 eax

        $sequence_6 = { 4833c4 488985a0070000 458bf8 4c8bf2 488bd9 e8???????? 4533ed }
            // n = 7, score = 100
            //   4833c4               | mov                 eax, ebp
            //   488985a0070000       | dec                 eax
            //   458bf8               | mov                 edx, ebx
            //   4c8bf2               | dec                 eax
            //   488bd9               | mov                 ecx, ebx
            //   e8????????           |                     
            //   4533ed               | dec                 eax

        $sequence_7 = { 7509 4883e908 49ffc8 75f2 488b4310 bd40000000 4e8b0cc0 }
            // n = 7, score = 100
            //   7509                 | xor                 ecx, ecx
            //   4883e908             | ror                 eax, 6
            //   49ffc8               | ror                 edx, 0xb
            //   75f2                 | xor                 edx, eax
            //   488b4310             | and                 ecx, ebp
            //   bd40000000           | mov                 eax, ebp
            //   4e8b0cc0             | inc                 ecx

        // Shorter sequence (5 instructions); multi-byte NOP padding like this is
        // common compiler output, so on its own it is weak evidence.
        $sequence_8 = { 0f1f4000 660f1f840000000000 488b06 493bee 498bfe }
            // n = 5, score = 100
            //   0f1f4000             | dec                 esp
            //   660f1f840000000000     | lea    edx, [ebp + 0x58]
            //   488b06               | dec                 eax
            //   493bee               | lea                 eax, [ecx - 8]
            //   498bfe               | dec                 esp

        $sequence_9 = { 8bcf e8???????? 8d4b01 418bc4 0fafcb f7e9 c1fa02 }
            // n = 7, score = 100
            //   8bcf                 | jmp                 0xe32
            //   e8????????           |                     
            //   8d4b01               | movzx               eax, word ptr [ebp + 0x578]
            //   418bc4               | dec                 eax
            //   0fafcb               | lea                 edx, [0xf612]
            //   f7e9                 | dec                 eax
            //   c1fa02               | lea                 ecx, [0xf5e3]

    // 7 of the 10 sequences must be present, so a build may lack or alter up to
    // three of them and still match. The filesize ceiling (~605 KiB) is
    // presumably derived from the documented sample; a larger, padded or
    // differently packed build would fall outside it and not match.
    condition:
        7 of them and filesize < 619520
}