win.lightneuron

LightNeuron

aka: NETTRANS, XTRANS

Actor(s): Turla


There is no description at this point.

References
2020-03-12 | ESET Research | Matthieu Faou
Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-01 | Secureworks | SecureWorks
IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-12-19 | Youtube (FireEye Inc.) | Adrien Bataille, Anders Vejlby
Do You Know What's On Your Exchange Server?
LightNeuron
2019-06-20 | Symantec | Symantec DeepSight Adversary Intelligence Team, Symantec Network Protection Security Labs
Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
LightNeuron
2019-05-07 | ESET Research | Matthieu Faou
Turla LightNeuron: An email too far
LightNeuron
2019-05-01 | ESET Research | Matthieu Faou
TURLA LIGHTNEURON: One email away from remote code execution
LightNeuron
2018-07-10 | Kaspersky Labs | GReAT
APT Trends Report Q2 2018
LightNeuron PoorWeb
Yara Rules
[TLP:WHITE] win_lightneuron_auto (20260504 | Detects win.lightneuron.)
// Autogenerated yara-signator rule for win.lightneuron (Malpedia family page:
// Turla's LightNeuron, aka NETTRANS / XTRANS). It fires when at least 7 of the
// 10 code-byte sequences below occur in a file smaller than 573440 bytes
// (560 KiB). The hex sequences are the only thing that is matched; the
// disassembly comments are generator output and carry no weight at scan time.
rule win_lightneuron_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lightneuron."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-byte disassembly comments under each sequence do
        // not appear to correspond to the listed bytes. The hex carries 64-bit REX
        // prefixes (0x48/0x49/0x4a/0x4c/0x41/0x44/0x45) while the comments read like
        // a 32-bit decode (0x48 rendered as "dec eax", etc.). Do not use the
        // comments to reason about what the code does; decode the hex yourself
        // when reviewing or tuning the rule.
        // The "??" bytes wildcard 4-byte operands (after e8, ff15 and 4c3935) whose
        // values presumably shift with the sample's layout; everything else is an
        // exact byte match.
        $sequence_0 = { a801 7508 4c8bc1 4885c9 75eb 48c1e205 4a8d440207 }
            // n = 7, score = 100
            // NOTE(review): decoded as x86-64 these bytes read as
            //   test al, 1 / jne +8 / mov r8, rcx / test rcx, rcx / jne -0x15 /
            //   shl rdx, 5 / lea rax, [rdx + r8 + 7]; the generator's rendering
            //   below does not match them.
            //   a801                 | dec                 eax
            //   7508                 | mov                 ebx, eax
            //   4c8bc1               | dec                 eax
            //   4885c9               | test                eax, eax
            //   75eb                 | je                  0xa3f
            //   48c1e205             | mov                 ecx, 0x30
            //   4a8d440207           | dec                 eax

        $sequence_1 = { 4585ff 0f8fd5fdffff 4c8b7c2450 448bdb 8bf9 418bc5 48c1e808 }
            // n = 7, score = 100
            //   4585ff               | dec                 eax
            //   0f8fd5fdffff         | mov                 esi, eax
            //   4c8b7c2450           | dec                 eax
            //   448bdb               | mov                 ebp, ebx
            //   8bf9                 | nop                 dword ptr [eax + eax]
            //   418bc5               | mov                 ecx, 0x19
            //   48c1e808             | dec                 eax

        $sequence_2 = { 488bd3 488bc8 e8???????? 4c8b5d00 4c2bdb 41c6043300 }
            // n = 6, score = 100
            //   488bd3               | lea                 edx, [esp + 0x20]
            //   488bc8               | mov                 byte ptr [edx + esi - 1], al
            //   e8????????           |                     
            //   4c8b5d00             | inc                 esp
            //   4c2bdb               | cmp                 ebx, dword ptr [ebx]
            //   41c6043300           | jl                  0x1b54

        $sequence_3 = { 4533c9 baa6010000 b900001000 448bc0 48c744242800000000 8bf0 c744242000000000 }
            // n = 7, score = 100
            //   4533c9               | mov                 dword ptr [ebx], eax
            //   baa6010000           | dec                 eax
            //   b900001000           | test                eax, eax
            //   448bc0               | dec                 eax
            //   48c744242800000000     | mov    dword ptr [ebx + 0x10], esi
            //   8bf0                 | xor                 eax, eax
            //   c744242000000000     | dec                 eax

        $sequence_4 = { 33d2 498bcc ff15???????? 498bcc ff15???????? 488b4c2438 ff15???????? }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   498bcc               | inc                 ecx
            //   ff15????????         |                     
            //   498bcc               | mov                 eax, 0x130
            //   ff15????????         |                     
            //   488b4c2438           | dec                 eax
            //   ff15????????         |                     

        $sequence_5 = { 488903 e8???????? 85c0 0f8587000000 488b03 48894610 498b00 }
            // n = 7, score = 100
            //   488903               | mov                 esi, dword ptr [esp + 0x28]
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, 0x10
            //   0f8587000000         | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   488b03               | dec                 eax
            //   48894610             | lea                 esi, [esp + 0x70]
            //   498b00               | dec                 eax

        $sequence_6 = { 85c0 0f8956010000 8b8424d8010000 8bf8 0faf4500 85c0 }
            // n = 6, score = 100
            //   85c0                 | movzx               eax, dl
            //   0f8956010000         | sbb                 cl, cl
            //   8b8424d8010000       | add                 al, al
            //   8bf8                 | and                 cl, 0x1b
            //   0faf4500             | movzx               edx, cl
            //   85c0                 | xor                 dl, al

        $sequence_7 = { 4c89642428 4489642420 e8???????? 488b5c2450 488b6c2460 488bc6 4883c430 }
            // n = 7, score = 100
            //   4c89642428           | dec                 esp
            //   4489642420           | lea                 eax, [esp + 0x48]
            //   e8????????           |                     
            //   488b5c2450           | dec                 eax
            //   488b6c2460           | mov                 dword ptr [esp + 0x40], ecx
            //   488bc6               | dec                 eax
            //   4883c430             | lea                 ecx, [esp + 0x40]

        $sequence_8 = { 498bce 488be8 e8???????? 4885ed 7504 33c0 eb3d }
            // n = 7, score = 100
            //   498bce               | mov                 esi, dword ptr [esp + 0x108]
            //   488be8               | dec                 esp
            //   e8????????           |                     
            //   4885ed               | mov                 ebp, dword ptr [esp + 0xf8]
            //   7504                 | dec                 eax
            //   33c0                 | add                 esp, 0x110
            //   eb3d                 | inc                 ecx

        $sequence_9 = { 4489742420 4c3935???????? 745c baa1010000 e8???????? 488b0d???????? 4885db }
            // n = 7, score = 100
            //   4489742420           | shl                 eax, 2
            //   4c3935????????       |                     
            //   745c                 | dec                 eax
            //   baa1010000           | test                ebx, ebx
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4885db               | je                  0x1ba8

    condition:
        // Any 7 of the 10 sequences suffice, so a single divergent build can
        // drop up to three of them and still match. The size cap (573440 bytes
        // = 560 KiB) means larger containers that embed the same code -- e.g. a
        // full process memory dump -- will not match; scan the unpacked or
        // carved module instead. The disclaimer above notes the sequences were
        // derived from few samples, so weight hits accordingly.
        7 of them and filesize < 573440
}