NedDnLoader (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.neddnloader (Back to overview)

NedDnLoader

Actor(s): Lazarus Group

There is no description at this point.

References

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN

Yara Rules

[TLP:WHITE] win_neddnloader_auto (20210616 | Detects win.neddnloader.)

rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd7 ff7354 8bf8 ff7508 57 e8???????? 8b4d08 }
            // n = 7, score = 200
            //   ffd7                 | call                edi
            //   ff7354               | push                dword ptr [ebx + 0x54]
            //   8bf8                 | mov                 edi, eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_1 = { ffb58cf7ffff 89b594f7ffff ff15???????? 85c0 0f85fcfeffff }
            // n = 5, score = 200
            //   ffb58cf7ffff         | push                dword ptr [ebp - 0x874]
            //   89b594f7ffff         | mov                 dword ptr [ebp - 0x86c], esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85fcfeffff         | jne                 0xffffff02

        $sequence_2 = { 8b7510 8b7d0c 83451010 836dfc10 8345f810 4b a5 }
            // n = 7, score = 200
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83451010             | add                 dword ptr [ebp + 0x10], 0x10
            //   836dfc10             | sub                 dword ptr [ebp - 4], 0x10
            //   8345f810             | add                 dword ptr [ebp - 8], 0x10
            //   4b                   | dec                 ebx
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_3 = { 59 8bf2 8d7c2428 f3a5 8b4c2430 83e10f }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   8bf2                 | mov                 esi, edx
            //   8d7c2428             | lea                 edi, dword ptr [esp + 0x28]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   83e10f               | and                 ecx, 0xf

        $sequence_4 = { 8b4334 8b3d???????? 6a04 6800300000 56 50 }
            // n = 6, score = 200
            //   8b4334               | mov                 eax, dword ptr [ebx + 0x34]
            //   8b3d????????         |                     
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_5 = { 3bdf 1bc0 f7d8 3975fc 1bc9 f7d9 85c1 }
            // n = 7, score = 200
            //   3bdf                 | cmp                 ebx, edi
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   3975fc               | cmp                 dword ptr [ebp - 4], esi
            //   1bc9                 | sbb                 ecx, ecx
            //   f7d9                 | neg                 ecx
            //   85c1                 | test                ecx, eax

        $sequence_6 = { 66ab aa 0f846d010000 85f6 0f8465010000 }
            // n = 5, score = 200
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   0f846d010000         | je                  0x173
            //   85f6                 | test                esi, esi
            //   0f8465010000         | je                  0x16b

        $sequence_7 = { 8bd9 8975f8 8b75f0 c1ee18 }
            // n = 4, score = 200
            //   8bd9                 | mov                 ebx, ecx
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   c1ee18               | shr                 esi, 0x18

        $sequence_8 = { ffb5e0fbffff e8???????? 85c0 7410 8b85f0fbffff 8985e8fbffff }
            // n = 6, score = 200
            //   ffb5e0fbffff         | push                dword ptr [ebp - 0x420]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   8b85f0fbffff         | mov                 eax, dword ptr [ebp - 0x410]
            //   8985e8fbffff         | mov                 dword ptr [ebp - 0x418], eax

        $sequence_9 = { 6a04 6800100000 53 50 ff571c 83c414 85c0 }
            // n = 7, score = 200
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff571c               | call                dword ptr [edi + 0x1c]
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 237568
}

Download all Yara Rules

NedDnLoader Propose Change

References

Yara Rules

NedDnLoader