SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lambert (Back to overview)

Lambert

aka: Plexor

Actor(s): Longhorn

VTCollection    

There is no description at this point.

References
2022-01-21Twitter (@_CPResearch_)Check Point Research
Tweet on WhiteLambert malware
Lambert
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-30QianxinRed Raindrop Team
Analysis and disclosure of the CIA's cyber arsenal
Lambert
2018-06-15Youtube (defconswitzerland)Costin Raiu
Area41 Keynote
Lambert Regin
2017-04-10SymantecSymantec Security Response
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Yara Rules
[TLP:WHITE] win_lambert_auto (20230808 | Detects win.lambert.)
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33f2 8b55e8 33ce 33d1 }
            // n = 4, score = 400
            //   33f2                 | xor                 esi, edx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   33ce                 | xor                 ecx, esi
            //   33d1                 | xor                 edx, ecx

        $sequence_1 = { 4e 8b1f 8919 2bf0 }
            // n = 4, score = 400
            //   4e                   | dec                 esi
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8919                 | mov                 dword ptr [ecx], ebx
            //   2bf0                 | sub                 esi, eax

        $sequence_2 = { 3bd8 0f826f010000 8a07 8801 41 47 }
            // n = 6, score = 400
            //   3bd8                 | cmp                 ebx, eax
            //   0f826f010000         | jb                  0x175
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   47                   | inc                 edi

        $sequence_3 = { 3bd8 0f82a4000000 83fe06 0f822cffffff }
            // n = 4, score = 400
            //   3bd8                 | cmp                 ebx, eax
            //   0f82a4000000         | jb                  0xaa
            //   83fe06               | cmp                 esi, 6
            //   0f822cffffff         | jb                  0xffffff32

        $sequence_4 = { 55 8bec 56 8b7510 c1fe04 }
            // n = 5, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   c1fe04               | sar                 esi, 4

        $sequence_5 = { 2bc1 3bc7 0f82e5010000 8b4508 2bc2 8d7701 }
            // n = 6, score = 400
            //   2bc1                 | sub                 eax, ecx
            //   3bc7                 | cmp                 eax, edi
            //   0f82e5010000         | jb                  0x1eb
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bc2                 | sub                 eax, edx
            //   8d7701               | lea                 esi, [edi + 1]

        $sequence_6 = { 33f1 8b4de4 33ce 314de8 }
            // n = 4, score = 400
            //   33f1                 | xor                 esi, ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   33ce                 | xor                 ecx, esi
            //   314de8               | xor                 dword ptr [ebp - 0x18], ecx

        $sequence_7 = { 3b7d10 724d 3bf9 7349 8bc3 2bc1 }
            // n = 6, score = 400
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   724d                 | jb                  0x4f
            //   3bf9                 | cmp                 edi, ecx
            //   7349                 | jae                 0x4b
            //   8bc3                 | mov                 eax, ebx
            //   2bc1                 | sub                 eax, ecx

        $sequence_8 = { 6a00 e8???????? 8945fc 8b45fc 8945f4 8b4df4 8b55f4 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_9 = { 50 e8???????? 8945e8 8b4de8 3b4d10 750f }
            // n = 6, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   750f                 | jne                 0x11

        $sequence_10 = { 83ec18 8b450c 8b4814 894df0 8b550c 8b4508 }
            // n = 6, score = 300
            //   83ec18               | sub                 esp, 0x18
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_11 = { 741f 8b4df8 c1e90d 8b55f8 }
            // n = 4, score = 300
            //   741f                 | je                  0x21
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e90d               | shr                 ecx, 0xd
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_12 = { ebce 8b45f8 8be5 5d c20400 55 8bec }
            // n = 7, score = 300
            //   ebce                 | jmp                 0xffffffd0
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_13 = { 8b510c 8b421c 8945f4 8b4df4 894df0 }
            // n = 5, score = 300
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

        $sequence_14 = { 3b5118 7334 8b45fc 8b4dec }
            // n = 4, score = 300
            //   3b5118               | cmp                 edx, dword ptr [ecx + 0x18]
            //   7334                 | jae                 0x36
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_15 = { e8???????? 8945f8 8b4df8 3b4d08 7508 8b55f4 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3b4d08               | cmp                 ecx, dword ptr [ebp + 8]
            //   7508                 | jne                 0xa
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules