win.edam

Edam

aka: SECONDBEST

According to Orange Cyberdefense, Edam is written in C++ and its PDB path indicates it is called "droper_dll". It is capable of establishing persistence by creating a Run key named Setting App that points to its own file, and then of downloading a final stage from another C2 using HTTP GET.

References
2024-12-05 — Orange Cyberdefense — Alexandre Matousek, Marine PICHON
Edam Dropper
Edam Emmenhtal
2024-11-28 — StrikeReady — StrikeReady Labs
RU APT targeting Energy Infrastructure (Unknown unknowns, part 3)
Edam Emmenhtal
Yara Rules
[TLP:WHITE] win_edam_auto (20260504 | Detects win.edam.)
rule win_edam_auto {
    // Auto-generated code-sequence rule (yara-signator) for win.edam.
    // Each $sequence_N is a run of x86 opcode bytes lifted from the sample's
    // disassembly; "????????" wildcards the relocation-dependent call/jump
    // targets. The rule fires when at least 7 of the 10 sequences occur in a
    // file smaller than 807936 bytes (see condition).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.edam."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.edam"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): sequences 1, 2, 4, 6, 7 and 9 all index the same
        // table at 0x45b760 with a `reg*4` slot, a `>> 6` / `& 0x3f` split
        // and a 0x30-byte stride. That shape resembles a statically linked
        // MSVC CRT handle-table lookup rather than family-specific logic; if
        // confirmed against the sample, those six strings add little
        // specificity and the "7 of them" threshold leans on them heavily.
        // Sequences 0, 3, 5 and 8 do not share that pattern.
        $sequence_0 = { 740d 8a8098684400 8807 47 41 894d8c 8bcb }
            // n = 7, score = 100
            //   740d                 | je                  0xf
            //   8a8098684400         | mov                 al, byte ptr [eax + 0x446898]
            //   8807                 | mov                 byte ptr [edi], al
            //   47                   | inc                 edi
            //   41                   | inc                 ecx
            //   894d8c               | mov                 dword ptr [ebp - 0x74], ecx
            //   8bcb                 | mov                 ecx, ebx

        $sequence_1 = { 6bf630 8b0c8d60b74500 80643128fd 5f 5e 8be5 }
            // n = 6, score = 100
            //   6bf630               | imul                esi, esi, 0x30
            //   8b0c8d60b74500       | mov                 ecx, dword ptr [ecx*4 + 0x45b760]
            //   80643128fd           | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_2 = { 8b048560b74500 89540818 33c0 5f 5e 5b }
            // n = 6, score = 100
            //   8b048560b74500       | mov                 eax, dword ptr [eax*4 + 0x45b760]
            //   89540818             | mov                 dword ptr [eax + ecx + 0x18], edx
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_3 = { 83f904 0f8261040000 83f923 0f8758040000 8bc8 51 e8???????? }
            // n = 7, score = 100
            //   83f904               | cmp                 ecx, 4
            //   0f8261040000         | jb                  0x467
            //   83f923               | cmp                 ecx, 0x23
            //   0f8758040000         | ja                  0x45e
            //   8bc8                 | mov                 ecx, eax
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_4 = { 7511 8b45fc 8b0c8560b74500 8a06 46 8844392c }
            // n = 6, score = 100
            //   7511                 | jne                 0x13
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b0c8560b74500       | mov                 ecx, dword ptr [eax*4 + 0x45b760]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi
            //   8844392c             | mov                 byte ptr [ecx + edi + 0x2c], al

        $sequence_5 = { e8???????? 83c40c 8d8d08fdffff e8???????? 8d8588fdffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8d08fdffff         | lea                 ecx, [ebp - 0x2f8]
            //   e8????????           |                     
            //   8d8588fdffff         | lea                 eax, [ebp - 0x278]

        $sequence_6 = { 8b5508 83e03f c1fa06 57 6bf830 8955fc 8b049560b74500 }
            // n = 7, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   57                   | push                edi
            //   6bf830               | imul                edi, eax, 0x30
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b049560b74500       | mov                 eax, dword ptr [edx*4 + 0x45b760]

        $sequence_7 = { 8bc8 83e03f c1f906 6bc030 03048d60b74500 50 ff15???????? }
            // n = 7, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bc030               | imul                eax, eax, 0x30
            //   03048d60b74500       | add                 eax, dword ptr [ecx*4 + 0x45b760]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { a1???????? 83663800 894644 5e 5d c20800 8d4104 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   83663800             | and                 dword ptr [esi + 0x38], 0
            //   894644               | mov                 dword ptr [esi + 0x44], eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   8d4104               | lea                 eax, [ecx + 4]

        $sequence_9 = { 8b0c8d60b74500 8844392b 83fa03 7511 8b45fc }
            // n = 5, score = 100
            //   8b0c8d60b74500       | mov                 ecx, dword ptr [ecx*4 + 0x45b760]
            //   8844392b             | mov                 byte ptr [ecx + edi + 0x2b], al
            //   83fa03               | cmp                 edx, 3
            //   7511                 | jne                 0x13
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

    condition:
        // Majority vote over the ten opcode sequences, bounded by file size
        // (unpacked/dumped samples; packed files may fall outside this).
        7 of them and filesize < 807936
}
[TLP:WHITE] win_edam_w0   (20241206 | DLL that creates runkey, contacts bestone.php, download & exec payload)
rule win_edam_w0 {
    // Hand-written string rule (Orange Cyberdefense) for the Edam dropper
    // DLL: a PE image carrying at least two of the four persistence-related
    // strings plus one further family marker (see condition).
    meta:
        description = "DLL that creates runkey, contacts bestone.php, download & exec payload"
        researcher = "Alexandre MATOUSEK"
        // NOTE(review): the `source` key is declared twice in this meta block
        // (organisation here, rule URL further down). YARA accepts repeated
        // meta keys, but consumers that expose meta as a key->value map may
        // keep only one of them; distinct keys (e.g. source / source_url)
        // would preserve both.
        source = "OCD"
        creation_date = "02/12/2024"
        os = "Windows"
        category = "Trojan"
        threat_name = "Windows.Trojan.EdamDropperDLL"
        // Two 64-hex-digit hashes, presumably SHA-256 of the analysed samples.
        samples = "244e004ac7149e2631d68cba947cfd3d5d5352536ecb352c410b6e80e09d874a, d4daf30ceee80c4f639f3aff6abeb95e7fbf11e125fb90f8972b7a92e22d22e5"
        source = "https://raw.githubusercontent.com/cert-orangecyberdefense/edam/refs/heads/main/yara%20Edam"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.edam"
        malpedia_rule_date = "20241206"
        malpedia_hash = ""
        malpedia_version = "20241206"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Registry path of the Run key used for persistence (UTF-16LE, whole word).
        $persist1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide fullword
        // Message string referring to startup registration (UTF-16LE, whole word).
        $persist2 = "Successfully added to startup:" wide fullword
        // Likely value names for the Run entry (cf. the "Setting App" name in
        // the family description). Not fullword, so longer identifiers that
        // embed these tokens also match.
        $persist3 = "SettingsApp" wide
        $persist4 = "SettingsAdd" wide
        // Error message string referring to a DLL function call (ANSI, whole word).
        $exec = "Failed to call the DLL function." fullword
        // Server-side script named in the description as the resource contacted
        // for the next stage.
        $net = "bestone.php"
        // Presumably the DLL's exported function name (no wide/fullword modifier).
        $export = "DoUpdateInstanceEx"
        // Build-environment prefix of the embedded PDB path; matched case-insensitively.
        $pdb = "C:\\Users\\user\\documents\\visual studio 2015" nocase
    condition:
        // MZ header, any two of the four persistence strings, and at least one
        // of the remaining markers. Note the $persist3/$persist4 pair alone can
        // satisfy the "2 of" clause, so the third clause carries the specificity.
        uint16(0) == 0x5A4D and 2 of ($persist*) and ($exec or $net or $export or $pdb)
}