win.lsassdumper

lsassDumper


This malware, written in Go, is an LSASS process memory dumper that, according to Security Joes, was custom developed by the threat actors. It can automatically exfiltrate the resulting dump to the free file transfer service "transfer.sh".

References
2022-03-09 | Security Joes | Felipe Duarte, Ido Naor
Sockbot in GoLand
(families: lsassDumper, Sockbot)

2022-03-09 | Bleeping Computer | Bill Toulas
Hackers fork open-source reverse tunneling tool for persistence
(families: lsassDumper, Sockbot)
Yara Rules
[TLP:WHITE] win_lsassdumper_w0 (20220310 | Detects Go binary lsassDumper)
rule win_lsassdumper_w0 {
	meta:
		author = "Felipe Duarte, Security Joes"
		description = "Detects Go binary lsassDumper"
		hash = "8bb7ae5117eec1db2287ef7812629e88e7e3692d39cc37415dc166bb8d56be03"
		malpedia_rule_date = "20220310"
		malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper"
		malpedia_version = "20220310"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		// Go build path and function symbols left in the binary
		$str1 = "lsassDumper/main.go"
		$str2 = "main.setSeDebugPrivilege"
		$str3 = "main.uploadLargeFile"
		$str4 = "main.findProcessByName"
		$str5 = "main.RandomString"
		// status messages printed by the dumper
		$str6 = "[+] Start uploading %s to transfer.sh"
		$str7 = "[+] Process memory dump successful"
	condition:
		// MZ header (PE file) and every string above present
		uint16(0) == 0x5A4D
		and all of them
}