win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


There is no description at this point.

References
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-06-15 | Youtube (defconswitzerland) | Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10 | Symantec | Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 | Symantec | A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2014-07-07 | Qianxin | Red Raindrop Team
@online{team:20140707:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2014-07-07}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2019-12-19} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
Yara Rules
[TLP:WHITE] win_lambert_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated code-pattern rule for the win.lambert family (Malpedia).
// It fires when at least 7 of the 24 $sequence_* byte patterns below are
// present in a file smaller than 1212416 bytes. The patterns are short
// 32-bit x86 instruction runs (ebp/esp-relative addressing throughout) that
// yara-signator selected from unpacked samples; several of them are generic
// compiler idioms on their own (register shuffles, byte-copy loops), which is
// why the rule relies on a count threshold rather than any single sequence.
// Treat hits as a triage/hunting signal and confirm with other indicators, as
// the generator's own disclaimer below advises.
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used to pick sequences (calls/jumps,
        // data references, immediate values).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20201222"
        // NOTE(review): presumably identifies the Malpedia dataset/commit state
        // the rule was generated from — confirm against Malpedia docs.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        // Dataset snapshot version; distinct from the rule date above.
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is one contiguous instruction run; the comment block
        // under it gives the opcode bytes and disassembly per instruction.
        // "n" is the number of instructions, "score" the generator's ranking.
        // "??" nibbles are wildcards: used below to mask the rel32 target of
        // call (e8) instructions, which varies with link address.
        $sequence_0 = { 8b5510 8955fc 8b45fc 8b08 83c930 }
            // n = 5, score = 300
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30

        $sequence_1 = { 2500f0ffff 8945f8 8b4d18 51 8b5514 52 }
            // n = 6, score = 300
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   51                   | push                ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   52                   | push                edx

        $sequence_2 = { 750f 8b55fc 8b45f8 0fb70c50 894df0 eb02 ebb8 }
            // n = 7, score = 300
            //   750f                 | jne                 0x11
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb70c50             | movzx               ecx, word ptr [eax + edx*2]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   eb02                 | jmp                 4
            //   ebb8                 | jmp                 0xffffffba

        $sequence_3 = { 8b4d0c 51 8b5508 52 8b45f8 8b8870020000 }
            // n = 6, score = 300
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]

        $sequence_4 = { 7516 8b487c 894c240c 85c9 }
            // n = 4, score = 300
            //   7516                 | jne                 0x18
            //   8b487c               | mov                 ecx, dword ptr [eax + 0x7c]
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   85c9                 | test                ecx, ecx

        // Byte-by-byte copy idiom; weak on its own, counts only toward the
        // threshold.
        $sequence_5 = { 8801 41 47 8a07 8801 41 47 }
            // n = 7, score = 300
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   47                   | inc                 edi
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   47                   | inc                 edi

        $sequence_6 = { 8b4dec 8b5508 031481 8955f4 }
            // n = 4, score = 300
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   031481               | add                 edx, dword ptr [ecx + eax*4]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx

        // Byte-wise XOR of two buffers at matching offsets (0xb, then 0xc);
        // looks like an unrolled XOR transform — verify in the sample.
        $sequence_7 = { 8a500b 32530b 88510b 8a500c }
            // n = 4, score = 300
            //   8a500b               | mov                 dl, byte ptr [eax + 0xb]
            //   32530b               | xor                 dl, byte ptr [ebx + 0xb]
            //   88510b               | mov                 byte ptr [ecx + 0xb], dl
            //   8a500c               | mov                 dl, byte ptr [eax + 0xc]

        $sequence_8 = { 894c240c 85c9 740b 8b4078 03c5 89442414 }
            // n = 6, score = 300
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   85c9                 | test                ecx, ecx
            //   740b                 | je                  0xd
            //   8b4078               | mov                 eax, dword ptr [eax + 0x78]
            //   03c5                 | add                 eax, ebp
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_9 = { 7413 8b8c240c020000 51 ffd0 81c408020000 }
            // n = 5, score = 300
            //   7413                 | je                  0x15
            //   8b8c240c020000       | mov                 ecx, dword ptr [esp + 0x20c]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   81c408020000         | add                 esp, 0x208

        $sequence_10 = { eb60 8b45fc 83c078 8945f0 }
            // n = 4, score = 300
            //   eb60                 | jmp                 0x62
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c078               | add                 eax, 0x78
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_11 = { 3b4df8 7502 eb0b 8b55fc 83c201 8955fc ebb9 }
            // n = 7, score = 300
            //   3b4df8               | cmp                 ecx, dword ptr [ebp - 8]
            //   7502                 | jne                 4
            //   eb0b                 | jmp                 0xd
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   ebb9                 | jmp                 0xffffffbb

        $sequence_12 = { 75ee 894d6c 837d7000 0f8546feffff 8b457c }
            // n = 5, score = 300
            //   75ee                 | jne                 0xfffffff0
            //   894d6c               | mov                 dword ptr [ebp + 0x6c], ecx
            //   837d7000             | cmp                 dword ptr [ebp + 0x70], 0
            //   0f8546feffff         | jne                 0xfffffe4c
            //   8b457c               | mov                 eax, dword ptr [ebp + 0x7c]

        $sequence_13 = { 7519 837d0c22 7513 8b5510 8955fc }
            // n = 5, score = 300
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        // Compares a 16-bit value against 0x41 ('A'); presumably a character
        // range check — confirm against the sample.
        $sequence_14 = { 0fb74508 83f841 7c12 0fb74d08 }
            // n = 4, score = 300
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83f841               | cmp                 eax, 0x41
            //   7c12                 | jl                  0x14
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]

        $sequence_15 = { 035124 8955f8 c745fc00000000 eb09 8b45fc 83c001 }
            // n = 6, score = 300
            //   035124               | add                 edx, dword ptr [ecx + 0x24]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb09                 | jmp                 0xb
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c001               | add                 eax, 1

        // "call ...; pop eax" directly after the call reads its own return
        // address into eax (the disassembly line for e8 is blank because the
        // rel32 target is wildcarded).
        $sequence_16 = { e8???????? 58 8945f8 8b45f8 2500f0ffff 8945f8 8b4d18 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        $sequence_17 = { c3 55 8d6c24a0 81ec94000000 8b457c 53 0fb698f2000000 }
            // n = 7, score = 300
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8d6c24a0             | lea                 ebp, [esp - 0x60]
            //   81ec94000000         | sub                 esp, 0x94
            //   8b457c               | mov                 eax, dword ptr [ebp + 0x7c]
            //   53                   | push                ebx
            //   0fb698f2000000       | movzx               ebx, byte ptr [eax + 0xf2]

        $sequence_18 = { 52 8b45f8 8b8870020000 ffd1 8945f4 837df400 751f }
            // n = 7, score = 300
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21

        // Pure register/stack-slot shuffle; generic unoptimized-compiler output.
        $sequence_19 = { 8b45fc 8945f4 8b4df4 8b55f4 }
            // n = 4, score = 300
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_20 = { f7d2 8b45f4 335004 8955f8 8b4df4 8b5108 }
            // n = 6, score = 300
            //   f7d2                 | not                 edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   335004               | xor                 edx, dword ptr [eax + 4]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]

        // Standard frame prologue followed by a wildcarded call; very common
        // shape, contributes little specificity by itself.
        $sequence_21 = { 55 8bec 83ec0c e8???????? 58 }
            // n = 5, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_22 = { 8945f4 837df400 751f 837d08ff 7519 837d0c22 }
            // n = 6, score = 300
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22

        // Reads the dword at offset 0x3c of a base and compares the dword it
        // points to with 0x4550 ("PE" little-endian): a PE header walk
        // (0x3c is e_lfanew in the DOS header), consistent with manual
        // image parsing.
        $sequence_23 = { 663b4500 7523 8b453c 03c5 813850450000 }
            // n = 5, score = 300
            //   663b4500             | cmp                 ax, word ptr [ebp]
            //   7523                 | jne                 0x25
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]
            //   03c5                 | add                 eax, ebp
            //   813850450000         | cmp                 dword ptr [eax], 0x4550

    condition:
        // "them" is every $sequence_* above; require 7 of the 24 and cap the
        // scanned size at 1212416 bytes (the size cap limits cost and narrows
        // to the sample class the rule was built on — larger builds or
        // memory dumps above that size will not match).
        7 of them and filesize < 1212416
}