Sakula RAT (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.sakula_rat (Back to overview)

Sakula RAT

aka: Sakurel

Actor(s): APT 26, Hurricane Panda

VTCollection

Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.

References

2022-05-24 ⋅ Malwarebytes ⋅ Threat Intelligence Team
Unknown APT group has targeted Russia repeatedly since Ukraine invasion
Sakula RAT

2018-11-16 ⋅ CyberThreatIntelligence Blog ⋅ Action09
(C)0ld Case : From Aerospace to China’s interests.
Sakula RAT

2016-07-14 ⋅ Github (nccgroup) ⋅ NCC Group PLC
Technical Notes on Sakula
Sakula RAT

2015-08-06 ⋅ Symantec ⋅ Jon DiMaggio
The Black Vine cyberespionage group
Sakula RAT APT19

2015-07-30 ⋅ Secureworks ⋅ Dell Secureworks CTU
Sakula Malware Family
Sakula RAT

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2014-02-23 ⋅ Symantec ⋅ Symantec
Trojan.Sakurel
Sakula RAT

2014-02-21 ⋅ SonicWall ⋅ Ed Miles
CVE 2014-0322 Malware - Sakurel (Feb 21, 2014)
Sakula RAT

Yara Rules

[TLP:WHITE] win_sakula_rat_auto (20260504 \| Detects win.sakula_rat.) rule win_sakula_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.sakula_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? } // n = 5, score = 300 // 6a00 \| inc ecx // 6800010000 \| mov eax, 0x104 // 6a00 \| cmp eax, 1 // 6a00 \| test eax, eax // 68???????? \| $sequence_1 = { 6a00 56 e8???????? 8b3d???????? 83c410 6a00 } // n = 6, score = 200 // 6a00 \| push esi // 56 \| push 0 // e8???????? \| // 8b3d???????? \| // 83c410 \| push 1 // 6a00 \| push esi $sequence_2 = { 83f81e 7cf4 eb05 41 3bce 72dd } // n = 6, score = 200 // 83f81e \| lea edi, [esi + 0x10] // 7cf4 \| mov bl, al // eb05 \| push edi // 41 \| mov eax, edi // 3bce \| push ebx // 72dd \| push -1 $sequence_3 = { 56 6a01 8bd8 57 53 e8???????? 56 } // n = 7, score = 200 // 56 \| push 0 // 6a01 \| push 0x100 // 8bd8 \| push 0 // 57 \| push 0 // 53 \| cmp eax, 4 // e8???????? \| // 56 \| jge 0x10 $sequence_4 = { 83f804 7d07 b803000000 eb1b e8???????? 83f801 7507 } // n = 7, score = 200 // 83f804 \| xor eax, eax // 7d07 \| inc eax // b803000000 \| jmp 0xa // eb1b \| jmp 0xf // e8???????? \| // 83f801 \| jmp 0xf // 7507 \| push 0x3e8 $sequence_5 = { 7407 b801000000 eb2c e8???????? 83f804 7d07 } // n = 6, score = 200 // 7407 \| mov eax, 3 // b801000000 \| jmp 0x2b // eb2c \| cmp eax, 1 // e8???????? \| // 83f804 \| jne 0x1c // 7d07 \| push esi $sequence_6 = { 53 6aff 56 6a00 6a01 } // n = 5, score = 200 // 53 \| push eax // 6aff \| push 0x10 // 56 \| jmp 0x16 // 6a00 \| jmp 0x11 // 6a01 \| jmp 0xd $sequence_7 = { 56 e8???????? 8d7e10 8ad8 57 8bc7 e8???????? } // n = 7, score = 200 // 56 \| push dword ptr [ebp - 0xc] // e8???????? \| // 8d7e10 \| add eax, 4 // 8ad8 \| mov ebx, dword ptr [ebp - 8] // 57 \| mov dword ptr [eax], ebx // 8bc7 \| add eax, 4 // e8???????? \| $sequence_8 = { ff15???????? 85c0 0f84ae000000 488bcb } // n = 4, score = 100 // ff15???????? \| // 85c0 \| dec eax // 0f84ae000000 \| mov ecx, dword ptr [esp + 0x58] // 488bcb \| dec eax $sequence_9 = { 83c410 31c0 40 eb02 } // n = 4, score = 100 // 83c410 \| mov ecx, eax // 31c0 \| inc esp // 40 \| mov eax, edi // eb02 \| dec eax $sequence_10 = { 8903 83c304 e8???????? 8903 83c304 53 } // n = 6, score = 100 // 8903 \| je 0xb6 // 83c304 \| dec eax // e8???????? \| // 8903 \| mov ecx, ebx // 83c304 \| xor edx, edx // 53 \| dec eax $sequence_11 = { e8???????? eb88 ff75e4 ff75e4 e8???????? } // n = 5, score = 100 // e8???????? \| // eb88 \| push 0 // ff75e4 \| mov dword ptr [ebx], eax // ff75e4 \| add ebx, 4 // e8???????? \| $sequence_12 = { ff15???????? 488b4c2458 8d53f1 ff15???????? 488b4c2458 ff15???????? 488b9c24c0080000 } // n = 7, score = 100 // ff15???????? \| // 488b4c2458 \| inc esp // 8d53f1 \| mov ecx, eax // ff15???????? \| // 488b4c2458 \| xor ecx, ecx // ff15???????? \| // 488b9c24c0080000 \| mov dword ptr [esp + 0x28], edi $sequence_13 = { 31c0 8a040b 3c00 7409 38d0 7405 } // n = 6, score = 100 // 31c0 \| lea edx, [esp + 0x58] // 8a040b \| dec eax // 3c00 \| mov ecx, eax // 7409 \| dec eax // 38d0 \| mov esi, dword ptr [eax + 8] // 7405 \| dec eax $sequence_14 = { eb0d eb0b ff35???????? e8???????? 68e8030000 e8???????? ff75f4 } // n = 7, score = 100 // eb0d \| jmp 5 // eb0b \| xor eax, eax // ff35???????? \| // e8???????? \| // 68e8030000 \| mov al, byte ptr [ebx + ecx] // e8???????? \| // ff75f4 \| cmp al, 0 $sequence_15 = { 83c004 8b5df8 8918 83c004 50 6a10 68???????? } // n = 7, score = 100 // 83c004 \| je 0xd // 8b5df8 \| cmp al, dl // 8918 \| je 0xd // 83c004 \| cmp eax, 0 // 50 \| je 0x17f // 6a10 \| push 2 // 68???????? \| $sequence_16 = { 83f800 0f8476010000 6a02 6a00 } // n = 4, score = 100 // 83f800 \| mov ecx, esi // 0f8476010000 \| push 0 // 6a02 \| push 0x100 // 6a00 \| push 0 $sequence_17 = { 4c8bc6 448bc8 33d2 33c9 ff15???????? 8bf8 } // n = 6, score = 100 // 4c8bc6 \| dec esp // 448bc8 \| mov eax, esi // 33d2 \| inc esp // 33c9 \| mov ecx, eax // ff15???????? \| // 8bf8 \| xor edx, edx $sequence_18 = { 41b804010000 48890d???????? ff15???????? ff15???????? 83f801 } // n = 5, score = 100 // 41b804010000 \| mov ecx, dword ptr [esp + 0x58] // 48890d???????? \| // ff15???????? \| // ff15???????? \| // 83f801 \| lea edx, [ebx - 0xf] $sequence_19 = { 33d2 488bc8 448bc7 488905???????? } // n = 4, score = 100 // 33d2 \| mov ebx, dword ptr [esp + 0x8c0] // 488bc8 \| push ebp // 448bc7 \| dec eax // 488905???????? \| $sequence_20 = { 33d2 448bc8 33c9 897c2428 48895c2420 ff15???????? 33d2 } // n = 7, score = 100 // 33d2 \| call dword ptr [eax + 0xa8] // 448bc8 \| cmp eax, esi // 33c9 \| je 0xe // 897c2428 \| dec eax // 48895c2420 \| lea ecx, [ebp - 0x19] // ff15???????? \| // 33d2 \| xor edx, edx $sequence_21 = { 488b4dc7 488b01 ff90a8000000 3bc6 740a 488d4de7 } // n = 6, score = 100 // 488b4dc7 \| xor ecx, ecx // 488b01 \| mov edi, eax // ff90a8000000 \| dec eax // 3bc6 \| mov ecx, dword ptr [ebp - 0x39] // 740a \| dec eax // 488d4de7 \| mov eax, dword ptr [ecx] $sequence_22 = { 55 488dac2450f8ffff 4881ecb0080000 33d2 } // n = 4, score = 100 // 55 \| dec eax // 488dac2450f8ffff \| mov dword ptr [esp + 0x20], ebx // 4881ecb0080000 \| xor edx, edx // 33d2 \| dec eax condition: 7 of them and filesize < 229376 }
[TLP:WHITE] win_sakula_rat_w0 (20170517 \| Sakula v1.0) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_sakula_rat_w0 { meta: description = "Sakula v1.0" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of ($m) and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w1 (20170517 \| Sakula v1.1) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w1 { meta: description = "Sakula v1.1" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of them }
[TLP:WHITE] win_sakula_rat_w2 (20170517 \| Sakula v1.2) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w2 { meta: description = "Sakula v1.2" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" $v1_2 = "CCPUpdate" condition: $m1 and $m2 and $m3 and $v1_2 and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w3 (20170517 \| Sakula v1.3) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w3 { meta: description = "Sakula v1.3" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 } condition: all of them }
[TLP:WHITE] win_sakula_rat_w4 (20170517 \| Sakula v1.4) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w4 { meta: description = "Sakula v1.4" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF } condition: all of them }

Download all Yara Rules

[TLP:WHITE] win_sakula_rat_auto (20260504 \| Detects win.sakula_rat.) rule win_sakula_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.sakula_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? } // n = 5, score = 300 // 6a00 \| inc ecx // 6800010000 \| mov eax, 0x104 // 6a00 \| cmp eax, 1 // 6a00 \| test eax, eax // 68???????? \| $sequence_1 = { 6a00 56 e8???????? 8b3d???????? 83c410 6a00 } // n = 6, score = 200 // 6a00 \| push esi // 56 \| push 0 // e8???????? \| // 8b3d???????? \| // 83c410 \| push 1 // 6a00 \| push esi $sequence_2 = { 83f81e 7cf4 eb05 41 3bce 72dd } // n = 6, score = 200 // 83f81e \| lea edi, [esi + 0x10] // 7cf4 \| mov bl, al // eb05 \| push edi // 41 \| mov eax, edi // 3bce \| push ebx // 72dd \| push -1 $sequence_3 = { 56 6a01 8bd8 57 53 e8???????? 56 } // n = 7, score = 200 // 56 \| push 0 // 6a01 \| push 0x100 // 8bd8 \| push 0 // 57 \| push 0 // 53 \| cmp eax, 4 // e8???????? \| // 56 \| jge 0x10 $sequence_4 = { 83f804 7d07 b803000000 eb1b e8???????? 83f801 7507 } // n = 7, score = 200 // 83f804 \| xor eax, eax // 7d07 \| inc eax // b803000000 \| jmp 0xa // eb1b \| jmp 0xf // e8???????? \| // 83f801 \| jmp 0xf // 7507 \| push 0x3e8 $sequence_5 = { 7407 b801000000 eb2c e8???????? 83f804 7d07 } // n = 6, score = 200 // 7407 \| mov eax, 3 // b801000000 \| jmp 0x2b // eb2c \| cmp eax, 1 // e8???????? \| // 83f804 \| jne 0x1c // 7d07 \| push esi $sequence_6 = { 53 6aff 56 6a00 6a01 } // n = 5, score = 200 // 53 \| push eax // 6aff \| push 0x10 // 56 \| jmp 0x16 // 6a00 \| jmp 0x11 // 6a01 \| jmp 0xd $sequence_7 = { 56 e8???????? 8d7e10 8ad8 57 8bc7 e8???????? } // n = 7, score = 200 // 56 \| push dword ptr [ebp - 0xc] // e8???????? \| // 8d7e10 \| add eax, 4 // 8ad8 \| mov ebx, dword ptr [ebp - 8] // 57 \| mov dword ptr [eax], ebx // 8bc7 \| add eax, 4 // e8???????? \| $sequence_8 = { ff15???????? 85c0 0f84ae000000 488bcb } // n = 4, score = 100 // ff15???????? \| // 85c0 \| dec eax // 0f84ae000000 \| mov ecx, dword ptr [esp + 0x58] // 488bcb \| dec eax $sequence_9 = { 83c410 31c0 40 eb02 } // n = 4, score = 100 // 83c410 \| mov ecx, eax // 31c0 \| inc esp // 40 \| mov eax, edi // eb02 \| dec eax $sequence_10 = { 8903 83c304 e8???????? 8903 83c304 53 } // n = 6, score = 100 // 8903 \| je 0xb6 // 83c304 \| dec eax // e8???????? \| // 8903 \| mov ecx, ebx // 83c304 \| xor edx, edx // 53 \| dec eax $sequence_11 = { e8???????? eb88 ff75e4 ff75e4 e8???????? } // n = 5, score = 100 // e8???????? \| // eb88 \| push 0 // ff75e4 \| mov dword ptr [ebx], eax // ff75e4 \| add ebx, 4 // e8???????? \| $sequence_12 = { ff15???????? 488b4c2458 8d53f1 ff15???????? 488b4c2458 ff15???????? 488b9c24c0080000 } // n = 7, score = 100 // ff15???????? \| // 488b4c2458 \| inc esp // 8d53f1 \| mov ecx, eax // ff15???????? \| // 488b4c2458 \| xor ecx, ecx // ff15???????? \| // 488b9c24c0080000 \| mov dword ptr [esp + 0x28], edi $sequence_13 = { 31c0 8a040b 3c00 7409 38d0 7405 } // n = 6, score = 100 // 31c0 \| lea edx, [esp + 0x58] // 8a040b \| dec eax // 3c00 \| mov ecx, eax // 7409 \| dec eax // 38d0 \| mov esi, dword ptr [eax + 8] // 7405 \| dec eax $sequence_14 = { eb0d eb0b ff35???????? e8???????? 68e8030000 e8???????? ff75f4 } // n = 7, score = 100 // eb0d \| jmp 5 // eb0b \| xor eax, eax // ff35???????? \| // e8???????? \| // 68e8030000 \| mov al, byte ptr [ebx + ecx] // e8???????? \| // ff75f4 \| cmp al, 0 $sequence_15 = { 83c004 8b5df8 8918 83c004 50 6a10 68???????? } // n = 7, score = 100 // 83c004 \| je 0xd // 8b5df8 \| cmp al, dl // 8918 \| je 0xd // 83c004 \| cmp eax, 0 // 50 \| je 0x17f // 6a10 \| push 2 // 68???????? \| $sequence_16 = { 83f800 0f8476010000 6a02 6a00 } // n = 4, score = 100 // 83f800 \| mov ecx, esi // 0f8476010000 \| push 0 // 6a02 \| push 0x100 // 6a00 \| push 0 $sequence_17 = { 4c8bc6 448bc8 33d2 33c9 ff15???????? 8bf8 } // n = 6, score = 100 // 4c8bc6 \| dec esp // 448bc8 \| mov eax, esi // 33d2 \| inc esp // 33c9 \| mov ecx, eax // ff15???????? \| // 8bf8 \| xor edx, edx $sequence_18 = { 41b804010000 48890d???????? ff15???????? ff15???????? 83f801 } // n = 5, score = 100 // 41b804010000 \| mov ecx, dword ptr [esp + 0x58] // 48890d???????? \| // ff15???????? \| // ff15???????? \| // 83f801 \| lea edx, [ebx - 0xf] $sequence_19 = { 33d2 488bc8 448bc7 488905???????? } // n = 4, score = 100 // 33d2 \| mov ebx, dword ptr [esp + 0x8c0] // 488bc8 \| push ebp // 448bc7 \| dec eax // 488905???????? \| $sequence_20 = { 33d2 448bc8 33c9 897c2428 48895c2420 ff15???????? 33d2 } // n = 7, score = 100 // 33d2 \| call dword ptr [eax + 0xa8] // 448bc8 \| cmp eax, esi // 33c9 \| je 0xe // 897c2428 \| dec eax // 48895c2420 \| lea ecx, [ebp - 0x19] // ff15???????? \| // 33d2 \| xor edx, edx $sequence_21 = { 488b4dc7 488b01 ff90a8000000 3bc6 740a 488d4de7 } // n = 6, score = 100 // 488b4dc7 \| xor ecx, ecx // 488b01 \| mov edi, eax // ff90a8000000 \| dec eax // 3bc6 \| mov ecx, dword ptr [ebp - 0x39] // 740a \| dec eax // 488d4de7 \| mov eax, dword ptr [ecx] $sequence_22 = { 55 488dac2450f8ffff 4881ecb0080000 33d2 } // n = 4, score = 100 // 55 \| dec eax // 488dac2450f8ffff \| mov dword ptr [esp + 0x20], ebx // 4881ecb0080000 \| xor edx, edx // 33d2 \| dec eax condition: 7 of them and filesize < 229376 }
[TLP:WHITE] win_sakula_rat_w0 (20170517 \| Sakula v1.0) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. / rule win_sakula_rat_w0 { meta: description = "Sakula v1.0" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of ($m) and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w1 (20170517 \| Sakula v1.1) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w1 { meta: description = "Sakula v1.1" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "=%s&type=%d" $m4 = "?photoid=" $m5 = "iexplorer" $m6 = "net start \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" condition: all of them }
[TLP:WHITE] win_sakula_rat_w2 (20170517 \| Sakula v1.2) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w2 { meta: description = "Sakula v1.2" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_1 = "MicroPlayerUpdate.exe" $v1_2 = "CCPUpdate" condition: $m1 and $m2 and $m3 and $v1_2 and not $v1_1 }
[TLP:WHITE] win_sakula_rat_w3 (20170517 \| Sakula v1.3) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w3 { meta: description = "Sakula v1.3" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_3 = { 81 3E 78 03 00 00 75 57 8D 54 24 14 52 68 0C 05 41 00 68 01 00 00 80 FF 15 00 F0 40 00 85 C0 74 10 8B 44 24 14 68 2C 31 41 00 50 FF 15 10 F0 40 00 8B 4C 24 14 51 FF 15 24 F0 40 00 E8 0F 09 00 } condition: all of them }
[TLP:WHITE] win_sakula_rat_w4 (20170517 \| Sakula v1.4) /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule win_sakula_rat_w4 { meta: description = "Sakula v1.4" date = "2015-10-13" author = "Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou" source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Sakula.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $m1 = "%d_of_%d_for_%s_on_%s" $m2 = "/c ping 127.0.0.1 & del /q \"%s\"" $m3 = "cmd.exe /c rundll32 \"%s\"" $v1_4 = { 50 E8 CD FC FF FF 83 C4 04 68 E8 03 00 00 FF D7 56 E8 54 12 00 00 E9 AE FE FF FF E8 13 F5 FF FF } condition: all of them }

Sakula RAT Propose Change

References

Yara Rules

Sakula RAT