NedDnLoader (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.neddnloader (Back to overview)

NedDnLoader

Actor(s): Lazarus Group

There is no description at this point.

References

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN

Yara Rules

[TLP:WHITE] win_neddnloader_auto (20220411 | Detects win.neddnloader.)

rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f843d010000 56 53 ff74241c e8???????? 8bd8 83c40c }
            // n = 7, score = 200
            //   0f843d010000         | je                  0x143
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { 3b4c2438 0f853a010000 8d4254 50 8d9c2490020000 89442420 }
            // n = 6, score = 200
            //   3b4c2438             | cmp                 ecx, dword ptr [esp + 0x38]
            //   0f853a010000         | jne                 0x140
            //   8d4254               | lea                 eax, dword ptr [edx + 0x54]
            //   50                   | push                eax
            // 
            //   89442420             | mov                 dword ptr [esp + 0x20], eax

        $sequence_2 = { 74a5 8d85fcefffff 50 ba???????? 8bcf e8???????? }
            // n = 6, score = 200
            //   74a5                 | je                  0xffffffa7
            //   8d85fcefffff         | lea                 eax, dword ptr [ebp - 0x1004]
            //   50                   | push                eax
            //   ba????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_3 = { 8975e4 8945e8 894dbc 894dc0 894dc4 }
            // n = 5, score = 200
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx

        $sequence_4 = { 8b7510 8b7d0c 83451010 836dfc10 8345f810 4b }
            // n = 6, score = 200
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83451010             | add                 dword ptr [ebp + 0x10], 0x10
            //   836dfc10             | sub                 dword ptr [ebp - 4], 0x10
            //   8345f810             | add                 dword ptr [ebp - 8], 0x10
            //   4b                   | dec                 ebx

        $sequence_5 = { 2975f0 ff4d08 75f8 8b45f0 eb05 8ac3 c0e004 }
            // n = 7, score = 200
            //   2975f0               | sub                 dword ptr [ebp - 0x10], esi
            //   ff4d08               | dec                 dword ptr [ebp + 8]
            //   75f8                 | jne                 0xfffffffa
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   eb05                 | jmp                 7
            //   8ac3                 | mov                 al, bl
            //   c0e004               | shl                 al, 4

        $sequence_6 = { 56 ff15???????? 8b95f4fbffff 8bc8 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b95f4fbffff         | mov                 edx, dword ptr [ebp - 0x40c]
            //   8bc8                 | mov                 ecx, eax

        $sequence_7 = { 83fe0d 0f8cef010000 8b03 8b5508 }
            // n = 4, score = 200
            //   83fe0d               | cmp                 esi, 0xd
            //   0f8cef010000         | jl                  0x1f5
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_8 = { 0f8737010000 8b4dac 8d041e 83c1f8 89459c 3bc1 0f8723010000 }
            // n = 7, score = 200
            //   0f8737010000         | ja                  0x13d
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   8d041e               | lea                 eax, dword ptr [esi + ebx]
            //   83c1f8               | add                 ecx, -8
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   3bc1                 | cmp                 eax, ecx
            //   0f8723010000         | ja                  0x129

        $sequence_9 = { 23d8 8bce 8945e0 895de4 e8???????? 8365f000 8945e8 }
            // n = 7, score = 200
            //   23d8                 | and                 ebx, eax
            //   8bce                 | mov                 ecx, esi
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   e8????????           |                     
            //   8365f000             | and                 dword ptr [ebp - 0x10], 0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

    condition:
        7 of them and filesize < 237568
}

Download all Yara Rules

NedDnLoader Propose Change

References

Yara Rules

NedDnLoader