win.sagerunex

Sagerunex

Actor(s): LOTUS PANDA


According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted; the encryption algorithm used is AES256-CBC, with 8192 rounds of SHA256 for key derivation from a hardcoded key. It supports multiple methods for communicating via HTTP (proxy-aware).

References
2022-11-15 Symantec Threat Hunter Team
@online{team:20221115:billbug:f11d48d, author = {Threat Hunter Team}, title = {{Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries}}, date = {2022-11-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority}, language = {English}, urldate = {2022-11-15} } Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex
Yara Rules
[TLP:WHITE] win_sagerunex_auto (20221125 | Detects win.sagerunex.)
rule win_sagerunex_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Sagerunex backdoor.
    // It fires when at least 7 of the 10 byte sequences below are present in a
    // file smaller than 619520 bytes. Read the DISCLAIMER further down before
    // assigning this rule a confidence level: it was derived from a single
    // documented sample, so coverage of other builds is not guaranteed.
    //
    // NOTE(review): the "| mnemonic" annotations next to each sequence look like
    // a 32-bit decode of what are 64-bit byte patterns (leading 0x48/0x41/0x44/
    // 0x45 bytes are rendered as dec/inc instead of as REX prefixes, and the
    // mnemonics are shifted relative to the bytes), so they do not describe the
    // instructions actually matched. Treat them as informational only; the hex
    // bytes are what YARA evaluates and are reproduced here unchanged.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.sagerunex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * It is important to consider the described generation method when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each sequence is a short run of instruction bytes. The "????????" groups
    // (e.g. after an e8 call opcode, or inside 488905????????) are wildcards for
    // 4-byte operands that presumably vary between builds (call targets, data
    // references), consistent with the "callsandjumps;datarefs" signator_config.
    strings:
        $sequence_0 = { 488d5597 488d4c2438 e8???????? 8bd8 85c0 7532 f7df }
            // n = 7, score = 100
            //   488d5597             | mov                 dword ptr [eax - 0x28], edi
            //   488d4c2438           | dec                 ecx
            //   e8????????           |                     
            //   8bd8                 | mov                 ebp, eax
            //   85c0                 | dec                 esp
            //   7532                 | mov                 dword ptr [esp + 0x28], ebp
            //   f7df                 | dec                 eax

        $sequence_1 = { 57 4883ec30 8364242000 4533c9 488bfa 488bd9 418d5101 }
            // n = 7, score = 100
            //   57                   | dec                 esp
            //   4883ec30             | lea                 eax, [ebx + 0xc984]
            //   8364242000           | mov                 dword ptr [esp + 0x20], ebp
            //   4533c9               | dec                 eax
            //   488bfa               | mov                 dword ptr [esi + 0x270], eax
            //   488bd9               | dec                 eax
            //   418d5101             | test                eax, eax

        $sequence_2 = { 4533f5 d1c5 0bc8 4433f6 8bb42498000000 03cf 418bc0 }
            // n = 7, score = 100
            //   4533f5               | cmp                 edx, 0x3f
            //   d1c5                 | jae                 0x9a1
            //   0bc8                 | dec                 eax
            //   4433f6               | mov                 edx, ecx
            //   8bb42498000000       | dec                 eax
            //   03cf                 | test                ecx, ecx
            //   418bc0               | jne                 0x923

        $sequence_3 = { 0f854a040000 488bcb e8???????? 488d0de2540300 41c78644c8000004000000 e8???????? }
            // n = 6, score = 100
            //   0f854a040000         | arpl                word ptr [ebx + 0x1d8], cx
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   488d0de2540300       | mov                 ecx, ebx
            //   41c78644c8000004000000     | test    eax, eax
            //   e8????????           |                     

        $sequence_4 = { 488364245000 488364244800 488364244000 488d8580020000 bf01000000 4c8d4508 4889442438 }
            // n = 7, score = 100
            //   488364245000         | lea                 eax, [eax + 1]
            //   488364244800         | dec                 ecx
            //   488364244000         | dec                 edi
            //   488d8580020000       | jne                 0x1422
            //   bf01000000           | dec                 ecx
            //   4c8d4508             | mov                 ecx, ebp
            //   4889442438           | dec                 eax

        $sequence_5 = { 66660f1f840000000000 8bf7 418be9 418bcc 48c1e910 458bdf 418bdc }
            // n = 7, score = 100
            //   66660f1f840000000000     | inc    ecx
            //   8bf7                 | dec                 edx
            //   418be9               | mov                 eax, dword ptr [ecx + 0x1c]
            //   418bcc               | mov                 dword ptr [edi - 4], eax
            //   48c1e910             | inc                 ebp
            //   458bdf               | mov                 edx, dword ptr [esi]
            //   418bdc               | inc                 ecx

        $sequence_6 = { 488905???????? 4885c0 7507 b81a000000 eb23 488d0dc7d80100 48890c03 }
            // n = 7, score = 100
            //   488905????????       |                     
            //   4885c0               | dec                 eax
            //   7507                 | dec                 eax
            //   b81a000000           | jne                 0x58a
            //   eb23                 | dec                 eax
            //   488d0dc7d80100       | mov                 ecx, esi
            //   48890c03             | mov                 eax, edi

        $sequence_7 = { 4883ec20 488d1d275d0100 488d3d205d0100 eb0e 488b03 4885c0 7402 }
            // n = 7, score = 100
            //   4883ec20             | dec                 eax
            //   488d1d275d0100       | lea                 ecx, [ebp + 0x210]
            //   488d3d205d0100       | dec                 eax
            //   eb0e                 | lea                 eax, [esp + 0x20]
            //   488b03               | movups              xmm0, xmmword ptr [eax]
            //   4885c0               | dec                 eax
            //   7402                 | lea                 ecx, [esp + 0x20]

        $sequence_8 = { e8???????? 8d5314 488d4c2440 e8???????? 488d542440 488d8d80010000 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d5314               | movups              xmmword ptr [edx + 0x50], xmm1
            //   488d4c2440           | movups              xmm1, xmmword ptr [eax + 0x70]
            //   e8????????           |                     
            //   488d542440           | dec                 ecx
            //   488d8d80010000       | add                 eax, ecx
            //   e8????????           |                     

        $sequence_9 = { 488bbc2498040000 483bce 488bb424a0040000 730b 0fb60411 410ac1 410f94c0 }
            // n = 7, score = 100
            //   488bbc2498040000     | dec                 ecx
            //   483bce               | add                 edx, esi
            //   488bb424a0040000     | dec                 eax
            //   730b                 | mov                 dword ptr [esp + 0x20], esi
            //   0fb60411             | dec                 esp
            //   410ac1               | lea                 ecx, [esp + 0x104]
            //   410f94c0             | dec                 eax

    // Match threshold: any 7 of the 10 sequences, and a file size below 619520
    // bytes. The size bound presumably reflects the documented sample; a larger
    // or repacked build would not match even if the sequences are present.
    condition:
        7 of them and filesize < 619520
}