win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


There is no description at this point.

References
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-06-15 · Youtube (defconswitzerland) · Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10 · Symantec · Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 · Symantec · A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2014-07-07 · Qianxin · Red Raindrop Team
@online{team:20140707:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2014-07-07}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2019-12-19} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
Yara Rules
[TLP:WHITE] win_lambert_auto (20210616 | Detects win.lambert.)
rule win_lambert_auto {

    /*
     * Auto-generated code-sequence signature for the win.lambert family.
     * Each $sequence_N below is a short run of x86 opcode bytes lifted from
     * disassembly; the "// n = K, score = S" line under each string gives the
     * number of instructions in the run (K) and the generator's ranking value
     * (S) for it. The exact scoring method is yara-signator's and is not
     * documented on this page.
     *
     * Because the strings are raw code bytes, the rule is intended for
     * unpacked files and memory dumps (see DISCLAIMER below); a packed or
     * encrypted sample will not expose these sequences.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0 and $sequence_6 overlap (both contain
        // "83c930 8b55fc"), so they will tend to match the same code site.
        $sequence_0 = { 8955fc 8b45fc 8b08 83c930 8b55fc }
            // n = 5, score = 300
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        // NOTE(review): $sequence_1 is a suffix of $sequence_3 ("7513 8b5510"
        // appears in both), so these two are likewise correlated.
        $sequence_1 = { 7513 8b5510 8955fc 8b45fc }
            // n = 4, score = 300
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // $sequence_2, $sequence_7, $sequence_8, $sequence_11 and $sequence_12
        // are sliding windows over the same unrolled byte-wise XOR routine
        // (xor dl, [ebx+i]; mov [ecx+i], dl; mov dl, [eax+i+1] for consecutive
        // offsets i). One occurrence of that routine can satisfy all five of
        // them at once, so they contribute less independent evidence toward
        // the "7 of them" threshold than their count suggests.
        $sequence_2 = { 325309 885109 8a500a 32530a 88510a 8a500b 32530b }
            // n = 7, score = 300
            //   325309               | xor                 dl, byte ptr [ebx + 9]
            //   885109               | mov                 byte ptr [ecx + 9], dl
            //   8a500a               | mov                 dl, byte ptr [eax + 0xa]
            //   32530a               | xor                 dl, byte ptr [ebx + 0xa]
            //   88510a               | mov                 byte ptr [ecx + 0xa], dl
            //   8a500b               | mov                 dl, byte ptr [eax + 0xb]
            //   32530b               | xor                 dl, byte ptr [ebx + 0xb]

        $sequence_3 = { 837d08ff 7519 837d0c22 7513 8b5510 }
            // n = 5, score = 300
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        // The "e8????????" entry wildcards the 4-byte displacement of a
        // relative call, so the pattern does not depend on where the callee
        // was laid out in this particular sample.
        $sequence_4 = { 83ec0c e8???????? 58 8945f8 8b45f8 }
            // n = 5, score = 300
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_5 = { 3bf1 0f87a2000000 53 57 8d7c2410 33db 33d2 }
            // n = 7, score = 300
            //   3bf1                 | cmp                 esi, ecx
            //   0f87a2000000         | ja                  0xa8
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8d7c2410             | lea                 edi, dword ptr [esp + 0x10]
            //   33db                 | xor                 ebx, ebx
            //   33d2                 | xor                 edx, edx

        $sequence_6 = { 83c930 8b55fc 890a 8b45f4 8be5 }
            // n = 5, score = 300
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8be5                 | mov                 esp, ebp

        $sequence_7 = { 325306 885106 8a5007 325307 885107 8a5008 }
            // n = 6, score = 300
            //   325306               | xor                 dl, byte ptr [ebx + 6]
            //   885106               | mov                 byte ptr [ecx + 6], dl
            //   8a5007               | mov                 dl, byte ptr [eax + 7]
            //   325307               | xor                 dl, byte ptr [ebx + 7]
            //   885107               | mov                 byte ptr [ecx + 7], dl
            //   8a5008               | mov                 dl, byte ptr [eax + 8]

        $sequence_8 = { 325307 885107 8a5008 325308 885108 8a5009 }
            // n = 6, score = 300
            //   325307               | xor                 dl, byte ptr [ebx + 7]
            //   885107               | mov                 byte ptr [ecx + 7], dl
            //   8a5008               | mov                 dl, byte ptr [eax + 8]
            //   325308               | xor                 dl, byte ptr [ebx + 8]
            //   885108               | mov                 byte ptr [ecx + 8], dl
            //   8a5009               | mov                 dl, byte ptr [eax + 9]

        $sequence_9 = { 55 8bec 837d0801 7c07 }
            // n = 4, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7c07                 | jl                  9

        // Indirect call through a function pointer stored at [eax + 0x270];
        // the target itself is resolved at run time and is not part of the
        // signature.
        $sequence_10 = { 52 8b45f8 8b8870020000 ffd1 8945f4 }
            // n = 5, score = 300
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_11 = { 325308 885108 8a5009 325309 885109 8a500a }
            // n = 6, score = 300
            //   325308               | xor                 dl, byte ptr [ebx + 8]
            //   885108               | mov                 byte ptr [ecx + 8], dl
            //   8a5009               | mov                 dl, byte ptr [eax + 9]
            //   325309               | xor                 dl, byte ptr [ebx + 9]
            //   885109               | mov                 byte ptr [ecx + 9], dl
            //   8a500a               | mov                 dl, byte ptr [eax + 0xa]

        $sequence_12 = { 325305 885105 8a5006 325306 885106 8a5007 }
            // n = 6, score = 300
            //   325305               | xor                 dl, byte ptr [ebx + 5]
            //   885105               | mov                 byte ptr [ecx + 5], dl
            //   8a5006               | mov                 dl, byte ptr [eax + 6]
            //   325306               | xor                 dl, byte ptr [ebx + 6]
            //   885106               | mov                 byte ptr [ecx + 6], dl
            //   8a5007               | mov                 dl, byte ptr [eax + 7]

        // Masks a value to a 4 KiB page boundary (and eax, 0xfffff000) before
        // pushing two further stack arguments.
        $sequence_13 = { 8b45f8 2500f0ffff 8945f8 8b4d18 51 8b5514 52 }
            // n = 7, score = 300
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   51                   | push                ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   52                   | push                edx

        $sequence_14 = { 0fb6d2 88840d00fdffff 88840dfffdffff 888c0500ffffff }
            // n = 4, score = 300
            //   0fb6d2               | movzx               edx, dl
            //   88840d00fdffff       | mov                 byte ptr [ebp + ecx - 0x300], al
            //   88840dfffdffff       | mov                 byte ptr [ebp + ecx - 0x201], al
            //   888c0500ffffff       | mov                 byte ptr [ebp + eax - 0x100], cl

        $sequence_15 = { 0f83b5000000 2bd9 8d4602 3bd8 0f82a4000000 83fe06 }
            // n = 6, score = 300
            //   0f83b5000000         | jae                 0xbb
            //   2bd9                 | sub                 ebx, ecx
            //   8d4602               | lea                 eax, dword ptr [esi + 2]
            //   3bd8                 | cmp                 ebx, eax
            //   0f82a4000000         | jb                  0xaa
            //   83fe06               | cmp                 esi, 6

    condition:
        // Fires when at least 7 of the 16 sequences above are present and the
        // scanned object is smaller than 1212416 bytes. The size bound is
        // presumably derived from the samples seen at generation time — confirm
        // before relying on it for larger dumps or padded files. See the notes
        // above on overlapping sequences when assigning a confidence level.
        7 of them and filesize < 1212416
}