win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


There is no description at this point.

References
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-06-15 | Youtube (defconswitzerland) | Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10 | Symantec | Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 | Symantec | A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2014-07-07 | Qianxin | Red Raindrop Team
@online{team:20140707:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2014-07-07}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2019-12-19} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
Yara Rules
[TLP:WHITE] win_lambert_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (no change to the patterns or the condition)
     * Detection logic: the rule fires when any 7 of the 24 $sequence_* byte
     * patterns below match and the scanned object is smaller than 1212416
     * bytes. The patterns are short 32-bit x86 opcode sequences taken from
     * the disassembly shown next to each one; "??" bytes are wildcards that
     * mask relocatable operands (the rel32 target of e8 = call, the disp32 of
     * 391d = cmp [abs32], ebx), so the sequences survive relinking.
     * Several sequences overlap byte-for-byte ($sequence_0/$sequence_23,
     * $sequence_7/$sequence_18, $sequence_10/$sequence_11), so a single code
     * location can satisfy two of the "7 of them" at once; the number of
     * independent hits needed is therefore lower than the threshold suggests.
     * $sequence_14 is a generic function prologue and carries little
     * specificity on its own. The filesize bound is a property of the
     * scanned file; when scanning process memory or a carved region the
     * size YARA sees will differ from the on-disk sample - confirm the
     * behaviour of the filesize keyword for your YARA version in that case.
     */


    strings:
        // Argument check: [ebp+0xc] == 0x22. Together with $sequence_7,
        // $sequence_18 and $sequence_23 (overlapping bytes) this is one
        // contiguous compare chain: call ecx; result != 0; [ebp+8] != -1;
        // [ebp+0xc] != 0x22; then copy [ebp+0x10] to [ebp-4].
        $sequence_0 = { 837d0c22 7513 8b5510 8955fc }
            // n = 4, score = 300
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        // Loop body: accumulates a zero-extended 16-bit call result into
        // [ebp-8] and jumps backwards (ebc5); call target masked.
        $sequence_1 = { 51 e8???????? 0fb7d0 0355f8 8955f8 ebc5 8b45f8 }
            // n = 7, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   0fb7d0               | movzx               edx, ax
            //   0355f8               | add                 edx, dword ptr [ebp - 8]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ebc5                 | jmp                 0xffffffc7
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_2 = { 8b454c f645540f 740b 8b7574 }
            // n = 4, score = 300
            //   8b454c               | mov                 eax, dword ptr [ebp + 0x4c]
            //   f645540f             | test                byte ptr [ebp + 0x54], 0xf
            //   740b                 | je                  0xd
            //   8b7574               | mov                 esi, dword ptr [ebp + 0x74]

        // Masks the low 12 bits of the popped value (and eax, 0xfffff000),
        // i.e. rounds it down to a multiple of 0x1000.
        $sequence_3 = { 58 8945f8 8b45f8 2500f0ffff }
            // n = 4, score = 300
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000

        // Indexed 16-bit load: movzx ecx, word ptr [eax + edx*2] after a
        // compare of a local against the [ebp+0x10] argument.
        $sequence_4 = { 8945e8 8b4de8 3b4d10 750f 8b55fc 8b45f8 0fb70c50 }
            // n = 7, score = 300
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   750f                 | jne                 0x11
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0fb70c50             | movzx               ecx, word ptr [eax + edx*2]

        // Function epilogue: stores byte 0xe0 at [eax], returns 0.
        $sequence_5 = { 5e c600e0 33c0 5b c9 c3 }
            // n = 6, score = 300
            //   5e                   | pop                 esi
            //   c600e0               | mov                 byte ptr [eax], 0xe0
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_6 = { 0302 8945e8 8b4d0c 51 8b55e8 52 }
            // n = 6, score = 300
            //   0302                 | add                 eax, dword ptr [edx]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   52                   | push                edx

        // Indirect call through ecx, result stored in [ebp-0xc] and tested
        // for zero; start of the compare chain continued in $sequence_18.
        $sequence_7 = { ffd1 8945f4 837df400 751f }
            // n = 4, score = 300
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21

        // Writes al into two ebp-relative buffers ([ebp+ecx-0x300] and
        // [ebp+ecx-0x201]); edx keeps only the top bit of edi (and dl, 0x80).
        $sequence_8 = { 47 8bc7 8bd0 80e280 0fb6d2 88840d00fdffff 88840dfffdffff }
            // n = 7, score = 300
            //   47                   | inc                 edi
            //   8bc7                 | mov                 eax, edi
            //   8bd0                 | mov                 edx, eax
            //   80e280               | and                 dl, 0x80
            //   0fb6d2               | movzx               edx, dl
            //   88840d00fdffff       | mov                 byte ptr [ebp + ecx - 0x300], al
            //   88840dfffdffff       | mov                 byte ptr [ebp + ecx - 0x201], al

        // Range check of a 16-bit argument against 0x41 ('A') and 0x5a ('Z').
        $sequence_9 = { 0fb74508 83f841 7c12 0fb74d08 83f95a }
            // n = 5, score = 300
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83f841               | cmp                 eax, 0x41
            //   7c12                 | jl                  0x14
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]
            //   83f95a               | cmp                 ecx, 0x5a

        // $sequence_10 and $sequence_11 share the bytes 83c078 8945f0
        // (add eax, 0x78; store to [ebp-0x10]) and can co-fire at one site.
        $sequence_10 = { eb60 8b45fc 83c078 8945f0 }
            // n = 4, score = 300
            //   eb60                 | jmp                 0x62
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c078               | add                 eax, 0x78
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_11 = { 83c078 8945f0 8b4df0 83790400 }
            // n = 4, score = 300
            //   83c078               | add                 eax, 0x78
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   83790400             | cmp                 dword ptr [ecx + 4], 0

        // Unsigned bounds checks (jb/jae) of edi against [ebp+0x10] and ecx.
        $sequence_12 = { 3b7d10 0f82bd000000 3bf9 0f83b5000000 2bd9 8d4602 }
            // n = 6, score = 300
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   0f82bd000000         | jb                  0xc3
            //   3bf9                 | cmp                 edi, ecx
            //   0f83b5000000         | jae                 0xbb
            //   2bd9                 | sub                 ebx, ecx
            //   8d4602               | lea                 eax, [esi + 2]

        // Dword-wise XOR of [eax+*] with [edi+*] at offsets 0 and 0xc;
        // $sequence_15 and $sequence_17 show the same XOR pattern.
        // NOTE(review): looks like a block-XOR step over two buffers - confirm.
        $sequence_13 = { 53 8b18 331f 56 8b700c 33770c 894dec }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   8b18                 | mov                 ebx, dword ptr [eax]
            //   331f                 | xor                 ebx, dword ptr [edi]
            //   56                   | push                esi
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   33770c               | xor                 esi, dword ptr [edi + 0xc]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx

        // Generic prologue (mov ebp, esp; sub esp, 0xc) plus a masked call;
        // weak evidence by itself.
        $sequence_14 = { 8bec 83ec0c e8???????? 58 }
            // n = 4, score = 300
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_15 = { 337b08 83c310 897908 8b78fc }
            // n = 4, score = 300
            //   337b08               | xor                 edi, dword ptr [ebx + 8]
            //   83c310               | add                 ebx, 0x10
            //   897908               | mov                 dword ptr [ecx + 8], edi
            //   8b78fc               | mov                 edi, dword ptr [eax - 4]

        // Compares a global (disp32 masked) against ebx == 0 before a long
        // forward branch (jne 0x14e).
        $sequence_16 = { 33db 391d???????? 0f8548010000 56 57 33ff }
            // n = 6, score = 300
            //   33db                 | xor                 ebx, ebx
            //   391d????????         |                     
            //   0f8548010000         | jne                 0x14e
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_17 = { 832000 33f2 8b55e8 33ce 33d1 }
            // n = 5, score = 300
            //   832000               | and                 dword ptr [eax], 0
            //   33f2                 | xor                 esi, edx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   33ce                 | xor                 ecx, esi
            //   33d1                 | xor                 edx, ecx

        // Middle of the compare chain ($sequence_7 -> here -> $sequence_23):
        // checks the call result and [ebp+8] == -1.
        $sequence_18 = { 837df400 751f 837d08ff 7519 }
            // n = 4, score = 300
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b

        // Pushes three arguments, then reads a field at [eax+0x270] of the
        // object held in [ebp-8].
        $sequence_19 = { 50 8b4d0c 51 8b5508 52 8b45f8 8b8870020000 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]

        $sequence_20 = { 8b421c 8945f4 8b4df4 894df0 }
            // n = 4, score = 300
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        // Read-modify-write: sets bits 0x30 in the dword pointed to by [ebp-4].
        $sequence_21 = { 8955fc 8b45fc 8b08 83c930 8b55fc 890a 8b45f4 }
            // n = 7, score = 300
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        // push 0; call (target masked); result copied to two locals.
        $sequence_22 = { 6a00 e8???????? 8945fc 8b45fc 8945f4 }
            // n = 5, score = 300
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        // End of the compare chain: [ebp+8] == -1 and [ebp+0xc] == 0x22;
        // overlaps $sequence_0 and $sequence_18 byte-for-byte.
        $sequence_23 = { 837d08ff 7519 837d0c22 7513 }
            // n = 4, score = 300
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15

    condition:
        // 7 of 24 sequences; overlapping pairs (see REVIEW NOTES) can count
        // twice. Size cap applies to the scanned object as a whole.
        7 of them and filesize < 1212416
}