SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lambert (Back to overview)

Lambert

aka: Plexor

Actor(s): Longhorn

There is no description at this point.

References
2022-01-21Twitter (@_CPResearch_)Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-09-30QianxinRed Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2018-06-15Youtube (defconswitzerland)Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-04-10SymantecSymantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10SymantecA L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Yara Rules
[TLP:WHITE] win_lambert_auto (20230715 | Detects win.lambert.)
rule win_lambert_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lambert."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33f2 8b55e8 33ce 33d1 }
            // n = 4, score = 400
            //   33f2                 | xor                 esi, edx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   33ce                 | xor                 ecx, esi
            //   33d1                 | xor                 edx, ecx

        $sequence_1 = { 3b7d10 724d 3bf9 7349 8bc3 }
            // n = 5, score = 400
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   724d                 | jb                  0x4f
            //   3bf9                 | cmp                 edi, ecx
            //   7349                 | jae                 0x4b
            //   8bc3                 | mov                 eax, ebx

        $sequence_2 = { 0bd1 c1e208 0bd1 c1e208 0bd6 }
            // n = 5, score = 400
            //   0bd1                 | or                  edx, ecx
            //   c1e208               | shl                 edx, 8
            //   0bd1                 | or                  edx, ecx
            //   c1e208               | shl                 edx, 8
            //   0bd6                 | or                  edx, esi

        $sequence_3 = { 3bd8 0f82a4000000 83fe06 0f822cffffff }
            // n = 4, score = 400
            //   3bd8                 | cmp                 ebx, eax
            //   0f82a4000000         | jb                  0xaa
            //   83fe06               | cmp                 esi, 6
            //   0f822cffffff         | jb                  0xffffff32

        $sequence_4 = { 33f1 8b4de4 33ce 314de8 }
            // n = 4, score = 400
            //   33f1                 | xor                 esi, ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   33ce                 | xor                 ecx, esi
            //   314de8               | xor                 dword ptr [ebp - 0x18], ecx

        $sequence_5 = { 2bc1 3bc7 0f82e5010000 8b4508 2bc2 8d7701 3bc6 }
            // n = 7, score = 400
            //   2bc1                 | sub                 eax, ecx
            //   3bc7                 | cmp                 eax, edi
            //   0f82e5010000         | jb                  0x1eb
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2bc2                 | sub                 eax, edx
            //   8d7701               | lea                 esi, [edi + 1]
            //   3bc6                 | cmp                 eax, esi

        $sequence_6 = { 3bd8 0f826f010000 8a07 8801 41 47 }
            // n = 6, score = 400
            //   3bd8                 | cmp                 ebx, eax
            //   0f826f010000         | jb                  0x175
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   47                   | inc                 edi

        $sequence_7 = { 4e 8b1f 8919 2bf0 }
            // n = 4, score = 400
            //   4e                   | dec                 esi
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8919                 | mov                 dword ptr [ecx], ebx
            //   2bf0                 | sub                 esi, eax

        $sequence_8 = { 64a130000000 8945fc 8b4dfc 8b510c 8b421c 8945f4 8b4df4 }
            // n = 7, score = 300
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   8b421c               | mov                 eax, dword ptr [edx + 0x1c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_9 = { 0fb711 81fa4d5a0000 7402 eb79 }
            // n = 4, score = 300
            //   0fb711               | movzx               edx, word ptr [ecx]
            //   81fa4d5a0000         | cmp                 edx, 0x5a4d
            //   7402                 | je                  4
            //   eb79                 | jmp                 0x7b

        $sequence_10 = { 8b55fc 3b5118 7334 8b45fc }
            // n = 4, score = 300
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   3b5118               | cmp                 edx, dword ptr [ecx + 0x18]
            //   7334                 | jae                 0x36
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_11 = { 8945f8 8b4df8 3b4d08 7508 8b55f4 }
            // n = 5, score = 300
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3b4d08               | cmp                 ecx, dword ptr [ebp + 8]
            //   7508                 | jne                 0xa
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_12 = { 731b 8b45e8 8b4d08 03481c }
            // n = 4, score = 300
            //   731b                 | jae                 0x1d
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   03481c               | add                 ecx, dword ptr [eax + 0x1c]

        $sequence_13 = { 83f95a 7f09 0fb74508 83c020 eb04 668b4508 }
            // n = 6, score = 300
            //   83f95a               | cmp                 ecx, 0x5a
            //   7f09                 | jg                  0xb
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83c020               | add                 eax, 0x20
            //   eb04                 | jmp                 6
            //   668b4508             | mov                 ax, word ptr [ebp + 8]

        $sequence_14 = { 51 e8???????? 0fb7d0 0355f8 8955f8 ebc5 }
            // n = 6, score = 300
            //   51                   | push                ecx
            //   e8????????           |                     
            //   0fb7d0               | movzx               edx, ax
            //   0355f8               | add                 edx, dword ptr [ebp - 8]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ebc5                 | jmp                 0xffffffc7

        $sequence_15 = { 0bca 894df8 8b45fc 0fb708 }
            // n = 4, score = 300
            //   0bca                 | or                  ecx, edx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fb708               | movzx               ecx, word ptr [eax]

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules