win.lpeclient

LPEClient

aka: LPEClientTea

Actor(s): Lazarus Group


LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload.

It sends detailed information about the victim's environment: computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software, and the version of ntoskrnl.exe read from its version-information resource.

LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet) and the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv and executes it.
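As an added detection example (not code from Malpedia or from the cited reports), the following Python scanner searches a buffer for the documented 32-bit marker values, encoded as little-endian immediates as an x86/x64 compiler would emit them, and for the CloseEnv export name. The sample buffer is constructed, and the co-occurrence threshold in triage_verdict is an assumption.

```python
import struct

# Marker values and the CloseEnv export name quoted in the description above.
LPECLIENT_MARKERS = {
    0x59863F09: "state: WinHTTP transport",
    0xA9348B57: "state: WinINet transport",
    0xF07D6B34: "request: send system information",
    0xEF8C0D51: "request: fetch DLL payload",
    0xCB790A25: "report: DLL loaded",
    0xD7B20A96: "report: DLL execution state",
}
EXPORT_NAME = b"CloseEnv"

def find_all(data: bytes, pattern: bytes) -> list:
    """Offsets of every (possibly overlapping) occurrence of pattern in data."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets

def scan_lpeclient_markers(data: bytes) -> dict:
    """Return {label: [offsets]} for each marker present as a little-endian
    DWORD (the byte order of an imm32 operand in x86/x64 code) and for the
    export name string."""
    hits = {}
    for value, label in LPECLIENT_MARKERS.items():
        offs = find_all(data, struct.pack("<I", value))
        if offs:
            hits[label] = offs
    offs = find_all(data, EXPORT_NAME)
    if offs:
        hits["export: CloseEnv"] = offs
    return hits

def triage_verdict(hits: dict, min_markers: int = 3) -> bool:
    """Assumed heuristic: flag a buffer only when several distinct markers
    co-occur, so one 4-byte coincidence in unrelated data does not alert."""
    return len(hits) >= min_markers

# Constructed sample (not a real LPEClient binary): two 'mov eax, imm32'
# style immediates (opcode 0xB8 + LE dword), the export name and filler.
SAMPLE = (b"\x90" * 8 + b"\xb8" + struct.pack("<I", 0x59863F09)
          + b"\x00" * 5 + b"\xb8" + struct.pack("<I", 0xF07D6B34)
          + b"\x00" * 3 + EXPORT_NAME + b"\x00" + b"\xcc" * 4)

if __name__ == "__main__":
    found = scan_lpeclient_markers(SAMPLE)
    for label, offs in found.items():
        print(f"{label}: {[hex(o) for o in offs]}")
    print("flag:", triage_verdict(found))
```

Because a compiler or a packer may split or compute such constants at run time, a miss on a packed sample is inconclusive; the scan is most useful on unpacked files or memory dumps, which is also where the YARA rule below is meant to be applied.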

References
2023-10-27 | Kaspersky | Seongsu Park
A cascade of compromise: unveiling Lazarus’ new campaign
Families: LPEClient, PostNapTea

2023-04-12 | Kaspersky Labs | Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Families: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2021-10-08 | Virus Bulletin | Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Families: Dacls, AppleJeus, Bankshot, BookCodes RAT, DRATzarus, LCPDot, LPEClient

2021-10-07 | Virus Bulletin | Byeongjae Kim, Dongwook Kim, Taewoo Lee
Operation Bookcodes – targeting South Korea
Families: BookCodes RAT, LPEClient

2021-02-25 | Kaspersky Labs | Seongsu Park, Vyacheslav Kopeytsev
Lazarus targets defense industry with ThreatNeedle
Families: HTTP(S) uploader, LPEClient, Volgmer

2020-08-13 | ClearSky | ClearSky Research Team
Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
Families: DRATzarus, LPEClient, NedDnLoader
Yara Rules
[TLP:WHITE] win_lpeclient_auto (20260504 | Detects win.lpeclient.)
rule win_lpeclient_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lpeclient."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488dbd30100000 66f2af 488d442448 4c8d4d30 }
            // n = 4, score = 100
            //   488dbd30100000       | mov                 dword ptr [esp + 0x28], eax
            //   66f2af               | dec                 eax
            //   488d442448           | mov                 dword ptr [esp + 0x20], eax
            //   4c8d4d30             | dec                 esp

        $sequence_1 = { 48898550070000 b84f000000 488d542450 33c9 6689442420 }
            // n = 5, score = 100
            //   48898550070000       | dec                 eax
            //   b84f000000           | lea                 ecx, [ebp - 0x30]
            //   488d542450           | dec                 eax
            //   33c9                 | lea                 ebx, [esi + edi + 4]
            //   6689442420           | mov                 eax, 0xfffffffc

        $sequence_2 = { 48895c2420 55 4883ec50 498bd9 498be8 4c8bd1 }
            // n = 6, score = 100
            //   48895c2420           | jmp                 0x1c9a
            //   55                   | dec                 esp
            //   4883ec50             | mov                 eax, edx
            //   498bd9               | dec                 esp
            //   498be8               | lea                 ecx, [0xffff58d9]
            //   4c8bd1               | dec                 ebp

        $sequence_3 = { b801000000 eb64 488d4dd0 488d45d0 }
            // n = 4, score = 100
            //   b801000000           | add                 ecx, edi
            //   eb64                 | dec                 eax
            //   488d4dd0             | lea                 edi, [ebx + 0x58]
            //   488d45d0             | mov                 esi, 6

        $sequence_4 = { 4533ed e8???????? 448ba42490000000 418bf5 }
            // n = 4, score = 100
            //   4533ed               | inc                 ecx
            //   e8????????           |                     
            //   448ba42490000000     | mov                 edx, dword ptr [esp + ecx*4 + 0x1a4e0]
            //   418bf5               | and                 eax, 0xf

        $sequence_5 = { 48ffc2 3bc3 7cf3 eb02 }
            // n = 4, score = 100
            //   48ffc2               | dec                 eax
            //   3bc3                 | mov                 dword ptr [esp + 0x30], edi
            //   7cf3                 | mov                 dword ptr [esp + 0x28], eax
            //   eb02                 | dec                 ebp

        $sequence_6 = { 488d15f9d9ffff 448bee 8bfe 0f1f4000 }
            // n = 4, score = 100
            //   488d15f9d9ffff       | dec                 eax
            //   448bee               | arpl                cx, ax
            //   8bfe                 | inc                 edx
            //   0f1f4000             | movzx               eax, byte ptr [eax]

        $sequence_7 = { 488b85400b0000 33ff 48894dc0 488945b8 488b85480b0000 448944245c }
            // n = 6, score = 100
            //   488b85400b0000       | lea                 eax, [edi - 7]
            //   33ff                 | dec                 esp
            //   48894dc0             | lea                 eax, [0x1aa01]
            //   488945b8             | test                eax, eax
            //   488b85480b0000       | jne                 0x89
            //   448944245c           | dec                 eax

        $sequence_8 = { baa00f0000 ffc6 488d0c80 488d0582e00000 488d0cc8 48890f ff15???????? }
            // n = 7, score = 100
            //   baa00f0000           | jmp                 0x1289
            //   ffc6                 | dec                 ebp
            //   488d0c80             | test                eax, eax
            //   488d0582e00000       | mov                 esi, 1
            //   488d0cc8             | inc                 esp
            //   48890f               | mov                 ebx, eax
            //   ff15????????         |                     

        $sequence_9 = { 3b3d???????? 736e 488bdf 4c8bef 49c1fd05 4c8d35481d0100 83e31f }
            // n = 7, score = 100
            //   3b3d????????         |                     
            //   736e                 | dec                 eax
            //   488bdf               | mov                 ecx, esi
            //   4c8bef               | dec                 eax
            //   49c1fd05             | mov                 ecx, eax
            //   4c8d35481d0100       | dec                 eax
            //   83e31f               | test                eax, eax

    condition:
        7 of them and filesize < 289792
}