win.lambert

Lambert

aka: Plexor

Actor(s): Longhorn


There is no description at this point.

References
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2018-06-15 — Youtube (defconswitzerland) — Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10 — Symantec — Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 — Symantec — A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2014-07-07 — Qianxin — Red Raindrop Team
@online{team:20140707:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2014-07-07}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2019-12-19} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
Yara Rules
[TLP:WHITE] win_lambert_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia auto-generated YARA rule for the Lambert family (win.lambert,
 * aka Plexor; the Malpedia page attributes it to the Longhorn actor).
 *
 * How it matches: 24 hex byte sequences ($sequence_0 .. $sequence_23), each
 * lifted by yara-signator from the disassembly of a dumped/unpacked sample and
 * annotated below with the decoded 32-bit x86 (ebp/esp-relative addressing,
 * fs: segment). A scanned object is flagged when at least 7 of the sequences
 * are present AND it is smaller than 1212416 bytes (see condition:).
 * "??" bytes are YARA wildcards: they mask the 4-byte relative target of
 * "e8" (call rel32), which changes with code placement, so those lines carry
 * no disassembly text.
 *
 * Practical notes for deployment:
 * - Several sequences are 4-6 short, generic stack/register moves and would be
 *   weak on their own; the "7 of them" threshold is what gives the rule its
 *   specificity. Do not lower it without re-validating against a clean corpus.
 * - filesize is defined for file scans; for process-memory scans confirm the
 *   semantics of your YARA version before relying on the size bound.
 * - The meta block is informational only and is not evaluated by the condition.
 */
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): date (2020-05-30) is one day after malpedia_rule_date /
        // malpedia_version (20200529) — presumably generation time vs. Malpedia
        // snapshot date; harmless for matching since meta is not evaluated.

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f85e0feffff eb09 8b45e0 8b4ddc 8b55d8 8b75e4 }
            // n = 6, score = 300
            //   0f85e0feffff         | jne                 0xfffffee6
            //   eb09                 | jmp                 0xb
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]

        // "shl 0x13" OR-ed into a value that $sequence_21 shifts right by 0xd:
        // together (x >> 13) | (x << 19) is a 32-bit rotate-right by 13 — a
        // construction often seen in string-hashing loops; confirm on the sample.
        $sequence_1 = { c1e213 0bca 894df8 8b45fc }
            // n = 4, score = 300
            //   c1e213               | shl                 edx, 0x13
            //   0bca                 | or                  ecx, edx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_2 = { 03f8 3bf0 73f2 85f6 0f866afeffff }
            // n = 5, score = 300
            //   03f8                 | add                 edi, eax
            //   3bf0                 | cmp                 esi, eax
            //   73f2                 | jae                 0xfffffff4
            //   85f6                 | test                esi, esi
            //   0f866afeffff         | jbe                 0xfffffe70

        $sequence_3 = { 8d6c24a0 81ec94000000 8b457c 53 0fb698f2000000 56 }
            // n = 6, score = 300
            //   8d6c24a0             | lea                 ebp, [esp - 0x60]
            //   81ec94000000         | sub                 esp, 0x94
            //   8b457c               | mov                 eax, dword ptr [ebp + 0x7c]
            //   53                   | push                ebx
            //   0fb698f2000000       | movzx               ebx, byte ptr [eax + 0xf2]
            //   56                   | push                esi

        // Bounds check of a 16-bit value against 0x41 ('A') .. 0x5a ('Z'):
        // an uppercase-letter range test on a wide character.
        $sequence_4 = { 0fb74508 83f841 7c12 0fb74d08 83f95a 7f09 0fb74508 }
            // n = 7, score = 300
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83f841               | cmp                 eax, 0x41
            //   7c12                 | jl                  0x14
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]
            //   83f95a               | cmp                 ecx, 0x5a
            //   7f09                 | jg                  0xb
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]

        $sequence_5 = { 837d08ff 7519 837d0c22 7513 8b5510 8955fc }
            // n = 6, score = 300
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_6 = { 8d8dfffdffff 2bc8 0fb609 eb02 33c9 8d0409 33c1 }
            // n = 7, score = 300
            //   8d8dfffdffff         | lea                 ecx, [ebp - 0x201]
            //   2bc8                 | sub                 ecx, eax
            //   0fb609               | movzx               ecx, byte ptr [ecx]
            //   eb02                 | jmp                 4
            //   33c9                 | xor                 ecx, ecx
            //   8d0409               | lea                 eax, [ecx + ecx]
            //   33c1                 | xor                 eax, ecx

        $sequence_7 = { 8b5510 8955fc 8b45fc 8b08 83c930 8b55fc 890a }
            // n = 7, score = 300
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx

        $sequence_8 = { 8b421c 8945f4 8b4df4 894df0 8b55f4 8b4220 50 }
            // n = 7, score = 300
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b4220               | mov                 eax, dword ptr [edx + 0x20]
            //   50                   | push                eax

        $sequence_9 = { 4f 42 3b7d10 724d 3bf9 7349 8bc3 }
            // n = 7, score = 300
            //   4f                   | dec                 edi
            //   42                   | inc                 edx
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   724d                 | jb                  0x4f
            //   3bf9                 | cmp                 edi, ecx
            //   7349                 | jae                 0x4b
            //   8bc3                 | mov                 eax, ebx

        $sequence_10 = { 8b4508 50 e8???????? 8945f4 8b4de8 8b55f4 3b5114 }
            // n = 7, score = 300
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   3b5114               | cmp                 edx, dword ptr [ecx + 0x14]

        $sequence_11 = { 8b55fc 890a 8b45f4 8be5 }
            // n = 4, score = 300
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8be5                 | mov                 esp, ebp

        // fs:[0x30] is the PEB on 32-bit Windows; reading [PEB + 0xc] and then
        // [+0x1c] matches a walk into the loader's module list — presumably
        // import-free module/API resolution. Verify against the sample.
        $sequence_12 = { 64a130000000 8945fc 8b4dfc 8b510c 8b421c }
            // n = 5, score = 300
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]

        $sequence_13 = { 7502 eb0b 8b55fc 83c201 8955fc }
            // n = 5, score = 300
            //   7502                 | jne                 4
            //   eb0b                 | jmp                 0xd
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        // "call" immediately followed by "pop eax": the pop retrieves the return
        // address, i.e. the code's own location — a position-independent-code
        // idiom (the call target itself is wildcarded).
        $sequence_14 = { 8bec 83ec0c e8???????? 58 }
            // n = 4, score = 300
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_15 = { 48 895de8 894df0 8975f4 0f8427010000 8945f8 eb06 }
            // n = 7, score = 300
            //   48                   | dec                 eax
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   0f8427010000         | je                  0x12d
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   eb06                 | jmp                 8

        // Same call/pop idiom, then "and eax, 0xfffff000" rounds the recovered
        // address down to a 0x1000 page boundary. $sequence_17 overlaps with
        // the tail of this sequence, so both tend to hit together.
        $sequence_16 = { e8???????? 58 8945f8 8b45f8 2500f0ffff 8945f8 8b4d18 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        $sequence_17 = { 2500f0ffff 8945f8 8b4d18 51 8b5514 52 8b4510 }
            // n = 7, score = 300
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   51                   | push                ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   52                   | push                edx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_18 = { e8???????? 0fb7d0 0355f8 8955f8 ebc5 8b45f8 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   0fb7d0               | movzx               edx, ax
            //   0355f8               | add                 edx, dword ptr [ebp - 8]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ebc5                 | jmp                 0xffffffc7
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_19 = { 89580c 8b5110 895010 8955f0 8b5114 895014 }
            // n = 6, score = 300
            //   89580c               | mov                 dword ptr [eax + 0xc], ebx
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]
            //   895010               | mov                 dword ptr [eax + 0x10], edx
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8b5114               | mov                 edx, dword ptr [ecx + 0x14]
            //   895014               | mov                 dword ptr [eax + 0x14], edx

        // Indirect "call eax" (and "call ecx" in $sequence_23): consistent with
        // function pointers resolved at run time rather than static imports.
        $sequence_20 = { 8b8c2410020000 52 51 ffd0 }
            // n = 4, score = 300
            //   8b8c2410020000       | mov                 ecx, dword ptr [esp + 0x210]
            //   52                   | push                edx
            //   51                   | push                ecx
            //   ffd0                 | call                eax

        // Counterpart of $sequence_1: "shr 0xd" / "shl 0x13" on the same dword
        // ([ebp - 8]) form the two halves of a rotate-right by 13.
        $sequence_21 = { 7428 8b4df8 c1e90d 8b55f8 c1e213 }
            // n = 5, score = 300
            //   7428                 | je                  0x2a
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c1e90d               | shr                 ecx, 0xd
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   c1e213               | shl                 edx, 0x13

        $sequence_22 = { 50 8b4d0c 51 8b5508 52 8b45f8 8b8870020000 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]

        $sequence_23 = { ffd1 8945f4 837df400 751f 837d08ff }
            // n = 5, score = 300
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1

    condition:
        // Require at least 7 of the 24 sequences above and a scanned object
        // smaller than 1212416 bytes (~1.16 MiB). The size bound limits scan
        // cost and false positives on large binaries; it also means a padded
        // or repacked sample above that size will not match.
        7 of them and filesize < 1212416
}