SYMBOLCOMMON_NAMEaka. SYNONYMS
win.httpsuploader (Back to overview)

HTTP(S) uploader

Actor(s): Lazarus Group

VTCollection    

The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.

It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port

References
2022-09-30ESET ResearchPeter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
2021-02-25Kaspersky LabsSeongsu Park, Vyacheslav Kopeytsev
Lazarus targets defense industry with ThreatNeedle
HTTP(S) uploader LPEClient Volgmer
2020-12-15HvS-Consulting AGHvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz
Yara Rules
[TLP:WHITE] win_httpsuploader_auto (20260504 | Detects win.httpsuploader.)
rule win_httpsuploader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.httpsuploader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d542440 bf00020000 33c9 897c2430 }
            // n = 4, score = 100
            //   488d542440           | int3                
            //   bf00020000           | dec                 esp
            //   33c9                 | lea                 eax, [0x65ec]
            //   897c2430             | dec                 eax

        $sequence_1 = { 85c0 744d 8b442440 488b0d???????? }
            // n = 4, score = 100
            //   85c0                 | mov                 ecx, dword ptr [ebx]
            //   744d                 | dec                 eax
            //   8b442440             | lea                 ebx, [0x102e6]
            //   488b0d????????       |                     

        $sequence_2 = { 488d4158 41b806000000 488d15a6800000 483950f0 740c 488b10 4885d2 }
            // n = 7, score = 100
            //   488d4158             | inc                 esp
            //   41b806000000         | lea                 edi, [esi + 1]
            //   488d15a6800000       | dec                 esp
            //   483950f0             | lea                 eax, [0xb8b9]
            //   740c                 | dec                 eax
            //   488b10               | lea                 ecx, [esp + 0x50]
            //   4885d2               | xor                 edx, edx

        $sequence_3 = { 4c8d0dfdb8ffff 458a20 4584e4 0f8547f9ffff }
            // n = 4, score = 100
            //   4c8d0dfdb8ffff       | sar                 ecx, 5
            //   458a20               | inc                 ecx
            //   4584e4               | and                 ebx, 0x1f
            //   0f8547f9ffff         | dec                 eax

        $sequence_4 = { 4c8d442450 418d510e c744245003000000 48897c2460 }
            // n = 4, score = 100
            //   4c8d442450           | dec                 eax
            //   418d510e             | lea                 eax, [esp + 0x30]
            //   c744245003000000     | dec                 esp
            //   48897c2460           | sub                 edx, eax

        $sequence_5 = { 4533c9 4c8bd3 418bc1 b908000000 660f1f440000 }
            // n = 5, score = 100
            //   4533c9               | mov                 ecx, ebp
            //   4c8bd3               | cmp                 edi, 0xfc
            //   418bc1               | je                  0xf2a
            //   b908000000           | dec                 eax
            //   660f1f440000         | lea                 ebp, [0xb381]

        $sequence_6 = { 664189844890120100 ffc2 ebe2 8bd7 89542420 81fa01010000 7d13 }
            // n = 7, score = 100
            //   664189844890120100     | inc    edx
            //   ffc2                 | movsx               edx, byte ptr [edx + ecx + 0xb3a0]
            //   ebe2                 | sar                 edx, 4
            //   8bd7                 | mov                 dword ptr [esp + 0x60], edx
            //   89542420             | mov                 ecx, edx
            //   81fa01010000         | test                edx, edx
            //   7d13                 | je                  0x880

        $sequence_7 = { 4883ec20 488bd9 488d0d04820000 483bd9 723e }
            // n = 5, score = 100
            //   4883ec20             | lea                 edx, [0x8e06]
            //   488bd9               | mov                 edx, eax
            //   488d0d04820000       | mov                 ebx, eax
            //   483bd9               | dec                 esp
            //   723e                 | lea                 ecx, [ebp + 0xd0]

        $sequence_8 = { 488b0d???????? 488d1536ba0000 41b9000000a0 4183c8ff }
            // n = 4, score = 100
            //   488b0d????????       |                     
            //   488d1536ba0000       | dec                 eax
            //   41b9000000a0         | lea                 ecx, [0xc7b0]
            //   4183c8ff             | test                byte ptr [ecx + 8], 0x20

        $sequence_9 = { 4889442430 488d442440 4889442428 488d0570d90000 4889442420 4c8b4c2450 }
            // n = 6, score = 100
            //   4889442430           | test                byte ptr [eax + 0x38], 0x7f
            //   488d442440           | jne                 0x1b61
            //   4889442428           | inc                 ecx
            //   488d0570d90000       | cmp                 eax, edi
            //   4889442420           | je                  0x1b5b
            //   4c8b4c2450           | dec                 esp

    condition:
        7 of them and filesize < 190464
}
Download all Yara Rules