win.neddnloader

NedDnLoader

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-09-15 | CrowdStrike | CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
Yara Rules
[TLP:WHITE] win_neddnloader_auto (20220808 | Detects win.neddnloader.)
rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Purpose: a heuristic code-pattern signature for win.neddnloader. It fires
     *   when at least 7 of the 10 $sequence_* byte patterns below are present and
     *   the scanned file is smaller than 237568 bytes (see the condition section).
     * - Each "// n = N, score = S" comment is emitted by the generator: n is the
     *   number of instructions in the sequence; the meaning and scale of score are
     *   not documented on this page.
     * - Several sequences (e.g. $sequence_3, $sequence_5, $sequence_9) look like
     *   compiler- or runtime-library boilerplate rather than family-specific
     *   logic; the "7 of them" threshold is what keeps the rule specific. Validate
     *   against a clean-file corpus before assigning it a high confidence.
     * - The patterns are 32-bit x86 opcode bytes taken from unpacked code; the rule
     *   is not expected to match packed or obfuscated on-disk samples.
     * - NOTE(review): `filesize` is undefined when YARA scans a running process, so
     *   the condition as written should not match on process-memory scans even
     *   though the sequences were derived from memory dumps - confirm for the
     *   YARA version in use before relying on it for memory scanning.
     */


    strings:
        // Three-way XOR of a register with two memory dwords, then a stride
        // update of [ebp - 8] - looks like a decoding or checksum step; confirm
        // against the sample.
        $sequence_0 = { 33cb 3308 8b5df8 330b 017df8 8d5818 }
            // n = 6, score = 200
            //   33cb                 | xor                 ecx, ebx
            //   3308                 | xor                 ecx, dword ptr [eax]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   330b                 | xor                 ecx, dword ptr [ebx]
            //   017df8               | add                 dword ptr [ebp - 8], edi
            //   8d5818               | lea                 ebx, [eax + 0x18]

        // Multiplicative hash followed by a table lookup: multiply by 0x9e3779b1
        // (a golden-ratio-derived prime also used as xxHash32's PRIME32_1), keep
        // the top 12 bits (shr 0x14) and index a dword table with them.
        // Presumably a hash-table / hashed-lookup routine - confirm in the sample.
        $sequence_1 = { 890c82 8b06 8bc8 69c0b179379e 69c9b179379e c1e914 8b3c8a }
            // n = 7, score = 200
            //   890c82               | mov                 dword ptr [edx + eax*4], ecx
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   69c0b179379e         | imul                eax, eax, 0x9e3779b1
            //   69c9b179379e         | imul                ecx, ecx, 0x9e3779b1
            //   c1e914               | shr                 ecx, 0x14
            //   8b3c8a               | mov                 edi, dword ptr [edx + ecx*4]

        // Bounds check of ebx against 15 with a forward branch; generic and
        // short, so it carries little weight on its own.
        $sequence_2 = { 894df8 83fb0f 7243 8d43f1 }
            // n = 4, score = 200
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   83fb0f               | cmp                 ebx, 0xf
            //   7243                 | jb                  0x45
            //   8d43f1               | lea                 eax, [ebx - 0xf]

        // Five stores into stack slots (local-variable / structure initialisation).
        // Looks like ordinary compiler output; likely weak as a discriminator.
        $sequence_3 = { 8975e4 8945e8 894dbc 894dc0 894dc4 }
            // n = 5, score = 200
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx

        // Tail of a counted loop (inc edi / dec ecx / jne backwards) followed by
        // a load of the third stack argument.
        $sequence_4 = { 47 49 75f4 8b4510 }
            // n = 4, score = 200
            //   47                   | inc                 edi
            //   49                   | dec                 ecx
            //   75f4                 | jne                 0xfffffff6
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        // Inline fill of a stack buffer at [ebp - 0x63] with rep stosd / stosw /
        // stosb (the compiler's memset idiom; the fill value in eax is not shown),
        // then a null check on edx before dereferencing [edx + 0x10].
        $sequence_5 = { 8d7d9d f3ab 66ab aa 85d2 0f84a0000000 8b4210 }
            // n = 7, score = 200
            //   8d7d9d               | lea                 edi, [ebp - 0x63]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   85d2                 | test                edx, edx
            //   0f84a0000000         | je                  0xa6
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]

        // Argument setup for a call: pushes ecx, eax + edi and [esi + 0xc].
        $sequence_6 = { 51 03c7 50 ff760c 894df8 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx

        // Indirect call through an absolute address (ff15 = call dword ptr [imm32],
        // typically an import-table slot); the four address bytes are wildcarded
        // because they depend on the image base / relocation. The result is then
        // tested for zero.
        $sequence_7 = { 57 ff15???????? 85c0 0f850b010000 }
            // n = 4, score = 200
            //   57                   | push                edi
            //   ff15????????         | call                dword ptr [????????]
            //   85c0                 | test                eax, eax
            //   0f850b010000         | jne                 0x111

        // Dword copy loop (movsd) interleaved with two pops and a backward jne.
        $sequence_8 = { a5 59 59 a5 75bf }
            // n = 5, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   75bf                 | jne                 0xffffffc1

        // Size validation: compares esi against 0x7fffffff (INT_MAX) and on
        // failure loads 0x80070057, the HRESULT E_INVALIDARG. This looks like
        // common runtime/library error handling rather than family-specific code,
        // so treat it as a weak discriminator - confirm against the sample.
        $sequence_9 = { 3bf1 7408 81feffffff7f 7605 b857000780 3bc1 7c26 }
            // n = 7, score = 200
            //   3bf1                 | cmp                 esi, ecx
            //   7408                 | je                  0xa
            //   81feffffff7f         | cmp                 esi, 0x7fffffff
            //   7605                 | jbe                 7
            //   b857000780           | mov                 eax, 0x80070057
            //   3bc1                 | cmp                 eax, ecx
            //   7c26                 | jl                  0x28

    condition:
        // At least 7 of the 10 sequences must be present; the 237568-byte
        // (232 KiB) cap bounds the scan to files of the sampled size class and
        // will exclude larger repacked or bundled variants.
        7 of them and filesize < 237568
}