SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sagerunex (Back to overview)

Sagerunex

Actor(s): LOTUS PANDA


According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted and the encryption algorithm used is AES256-CBC with 8192 rounds of SHA256 for key derivation based on a hardcoded key. It supports multiple modes methods for communicating via HTTP (proxy-aware).

References
2022-11-15SymantecThreat Hunter Team
@online{team:20221115:billbug:f11d48d, author = {Threat Hunter Team}, title = {{Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries}}, date = {2022-11-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority}, language = {English}, urldate = {2022-11-15} } Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
Sagerunex
Yara Rules
[TLP:WHITE] win_sagerunex_auto (20230407 | Detects win.sagerunex.)
rule win_sagerunex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.sagerunex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488dbd70010000 8bce 66f3ab 4c8d8d80030000 4c8d05572a0300 488d8d70010000 8bd6 }
            // n = 7, score = 100
            //   488dbd70010000       | movzx               ecx, word ptr [ebx]
            //   8bce                 | mov                 word ptr [ebx + 0xc], cx
            //   66f3ab               | inc                 ebp
            //   4c8d8d80030000       | movzx               eax, word ptr [esi + 0xc]
            //   4c8d05572a0300       | dec                 eax
            //   488d8d70010000       | add                 ecx, ebx
            //   8bd6                 | dec                 ebp

        $sequence_1 = { 488bd0 e8???????? 4c8b642438 488b5c2430 8bf8 85c0 0f85aa0a0000 }
            // n = 7, score = 100
            //   488bd0               | dec                 eax
            //   e8????????           |                     
            //   4c8b642438           | mov                 edi, dword ptr [esp + 0x38]
            //   488b5c2430           | dec                 eax
            //   8bf8                 | mov                 esi, dword ptr [esp + 0x30]
            //   85c0                 | dec                 eax
            //   0f85aa0a0000         | mov                 dword ptr [esp + 0x40], eax

        $sequence_2 = { 33d0 4123c9 418bc1 33ce c1c806 33c2 8d97c69dc10f }
            // n = 7, score = 100
            //   33d0                 | test                edx, edx
            //   4123c9               | je                  0x5a1
            //   418bc1               | dec                 esp
            //   33ce                 | mov                 eax, dword ptr [ebx + 0x10]
            //   c1c806               | dec                 ecx
            //   33c2                 | add                 eax, -8
            //   8d97c69dc10f         | dec                 ebp

        $sequence_3 = { 488d4de8 668945e8 ff15???????? 4c8d4de0 4c8d45e0 488d55e0 488bcb }
            // n = 7, score = 100
            //   488d4de8             | test                eax, eax
            //   668945e8             | je                  0x8c7
            //   ff15????????         |                     
            //   4c8d4de0             | dec                 ebp
            //   4c8d45e0             | test                ecx, ecx
            //   488d55e0             | je                  0x8c7
            //   488bcb               | mov                 ecx, edx

        $sequence_4 = { 498d7f01 41c60700 c60702 48ffc7 4883ee03 7454 4533e4 }
            // n = 7, score = 100
            //   498d7f01             | and                 ecx, 0x1f
            //   41c60700             | dec                 eax
            //   c60702               | sar                 eax, 5
            //   48ffc7               | jbe                 0xd4b
            //   4883ee03             | dec                 ecx
            //   7454                 | mov                 edx, edx
            //   4533e4               | dec                 ecx

        $sequence_5 = { 4c894018 4c894820 55 53 56 57 488da85880ffff }
            // n = 7, score = 100
            //   4c894018             | lea                 ebx, [edi + 0x1b]
            //   4c894820             | dec                 esp
            //   55                   | lea                 ecx, [esp + 0x70]
            //   53                   | dec                 esp
            //   56                   | lea                 eax, [esp + 0x58]
            //   57                   | dec                 eax
            //   488da85880ffff       | mov                 ecx, esi

        $sequence_6 = { 8945a8 488b45a0 48897c2420 8b7c2428 4889442448 8b4590 89442470 }
            // n = 7, score = 100
            //   8945a8               | dec                 eax
            //   488b45a0             | mov                 edi, dword ptr [esp + 0x538]
            //   48897c2420           | dec                 eax
            //   8b7c2428             | mov                 esi, dword ptr [esp + 0x540]
            //   4889442448           | dec                 eax
            //   8b4590               | lea                 eax, [esp + 0x30]
            //   89442470             | nop                 dword ptr [eax + eax]

        $sequence_7 = { 418bcf c1c00d 33d0 418bc3 c1c10e c1e80a 33d0 }
            // n = 7, score = 100
            //   418bcf               | dec                 eax
            //   c1c00d               | lea                 ecx, [ebx + 0xc]
            //   33d0                 | mov                 word ptr [ebx], ax
            //   418bc3               | mov                 word ptr [ebx + 0xa], ax
            //   c1c10e               | dec                 eax
            //   c1e80a               | mov                 ecx, ebx
            //   33d0                 | mov                 edi, 1

        $sequence_8 = { 4863d0 7818 0fb6841798010000 480fafc1 48c1e108 4803f0 48ffca }
            // n = 7, score = 100
            //   4863d0               | lea                 ecx, [ebp + 0x160]
            //   7818                 | inc                 esp
            //   0fb6841798010000     | mov                 eax, ebx
            //   480fafc1             | dec                 eax
            //   48c1e108             | lea                 edx, [ebp + 0x170]
            //   4803f0               | dec                 eax
            //   48ffca               | lea                 ecx, [esp + 0x50]

        $sequence_9 = { 740f 6690 49ffc8 488b4310 4a8934c0 75f3 4d85f6 }
            // n = 7, score = 100
            //   740f                 | jne                 0x431
            //   6690                 | inc                 esp
            //   49ffc8               | mov                 ecx, dword ptr [ebp - 0x19]
            //   488b4310             | mov                 edx, 1
            //   4a8934c0             | mov                 edi, eax
            //   75f3                 | test                eax, eax
            //   4d85f6               | jne                 0x902

    condition:
        7 of them and filesize < 619520
}
Download all Yara Rules