SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lambert (Back to overview)

Lambert

aka: Plexor

Actor(s): Longhorn

There is no description at this point.

References
2022-01-21Twitter (@_CPResearch_)Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-30QianxinRed Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2018-06-15Youtube (defconswitzerland)Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10SymantecSymantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Yara Rules
[TLP:WHITE] win_lambert_auto (20221125 | Detects win.lambert.)
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 73f2 85f6 7614 8a02 8801 }
            // n = 5, score = 400
            //   73f2                 | jae                 0xfffffff4
            //   85f6                 | test                esi, esi
            //   7614                 | jbe                 0x16
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_1 = { 8b5118 895018 8b491c 8955f8 894dfc }
            // n = 5, score = 400
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]
            //   895018               | mov                 dword ptr [eax + 0x18], edx
            //   8b491c               | mov                 ecx, dword ptr [ecx + 0x1c]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_2 = { eb02 33f6 c1e208 0fb6c8 0bd1 c1e208 }
            // n = 6, score = 400
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   c1e208               | shl                 edx, 8
            //   0fb6c8               | movzx               ecx, al
            //   0bd1                 | or                  edx, ecx
            //   c1e208               | shl                 edx, 8

        $sequence_3 = { 8b45f8 8b8870020000 ffd1 8945f4 837df400 751f }
            // n = 6, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]
            //   ffd1                 | call                ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   751f                 | jne                 0x21

        $sequence_4 = { 42 3bf9 0f84a8000000 81ef00400000 3b7d10 }
            // n = 5, score = 400
            //   42                   | inc                 edx
            //   3bf9                 | cmp                 edi, ecx
            //   0f84a8000000         | je                  0xae
            //   81ef00400000         | sub                 edi, 0x4000
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]

        $sequence_5 = { 8b5508 52 8b45f8 8b8870020000 }
            // n = 4, score = 400
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b8870020000         | mov                 ecx, dword ptr [eax + 0x270]

        $sequence_6 = { 751f 837d08ff 7519 837d0c22 7513 }
            // n = 5, score = 400
            //   751f                 | jne                 0x21
            //   837d08ff             | cmp                 dword ptr [ebp + 8], -1
            //   7519                 | jne                 0x1b
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15

        $sequence_7 = { 8b08 83c930 8b55fc 890a 8b45f4 8be5 }
            // n = 6, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c930               | or                  ecx, 0x30
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8be5                 | mov                 esp, ebp

        $sequence_8 = { e8???????? 58 8945f8 8b45f8 2500f0ffff }
            // n = 5, score = 400
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000

        $sequence_9 = { 8b45f8 2500f0ffff 8945f8 8b4d18 51 8b5514 }
            // n = 6, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2500f0ffff           | and                 eax, 0xfffff000
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   51                   | push                ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_10 = { 8801 8a4701 41 8801 }
            // n = 4, score = 400
            //   8801                 | mov                 byte ptr [ecx], al
            //   8a4701               | mov                 al, byte ptr [edi + 1]
            //   41                   | inc                 ecx
            //   8801                 | mov                 byte ptr [ecx], al

        $sequence_11 = { 55 8bec 837d0801 7c07 }
            // n = 4, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7c07                 | jl                  9

        $sequence_12 = { 8b4508 2bc2 83f801 0f82bb000000 803a00 74e6 }
            // n = 6, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bc2                 | sub                 eax, edx
            //   83f801               | cmp                 eax, 1
            //   0f82bb000000         | jb                  0xc1
            //   803a00               | cmp                 byte ptr [edx], 0
            //   74e6                 | je                  0xffffffe8

        $sequence_13 = { 837d0c22 7513 8b5510 8955fc 8b45fc }
            // n = 5, score = 400
            //   837d0c22             | cmp                 dword ptr [ebp + 0xc], 0x22
            //   7513                 | jne                 0x15
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_14 = { 33c0 83c104 83f928 72da 84db 7418 0fb6c3 }
            // n = 7, score = 400
            //   33c0                 | xor                 eax, eax
            //   83c104               | add                 ecx, 4
            //   83f928               | cmp                 ecx, 0x28
            //   72da                 | jb                  0xffffffdc
            //   84db                 | test                bl, bl
            //   7418                 | je                  0x1a
            //   0fb6c3               | movzx               eax, bl

        $sequence_15 = { 8bcf 0f822fffffff 895d08 8bd9 c1eb10 }
            // n = 5, score = 400
            //   8bcf                 | mov                 ecx, edi
            //   0f822fffffff         | jb                  0xffffff35
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   8bd9                 | mov                 ebx, ecx
            //   c1eb10               | shr                 ebx, 0x10

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules