win.neddnloader

NedDnLoader

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-09-15 | CrowdStrike | CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
Yara Rules
[TLP:WHITE] win_neddnloader_auto (20230407 | Detects win.neddnloader.)
rule win_neddnloader_auto {

    /* Auto-generated code-sequence signature for win.neddnloader (NedDnLoader,
     * attributed on Malpedia to Lazarus Group).
     *
     * Each $sequence_N below is a run of x86 opcode bytes that yara-signator
     * lifted from the disassembly of the reference sample(s); the
     * "// n = ..., score = ..." line under each string gives the instruction
     * count and the generator's selection score (the score scale is the
     * generator's own and is not documented here). "??" bytes are wildcards
     * standing in for operands that change between builds — the rel32 targets
     * of call/jmp and imm32 push operands — consistent with the
     * "callsandjumps;datarefs" settings in signator_config.
     *
     * Review notes on individual sequences are drawn only from the listed
     * disassembly; anything beyond that is marked as an inference to confirm.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // shrd/lea/push pattern around a stack buffer at [ebp - 0x94].
        $sequence_0 = { 0facc81e 50 8d856cffffff 50 }
            // n = 4, score = 200
            //   0facc81e             | shrd                eax, ecx, 0x1e
            //   50                   | push                eax
            //   8d856cffffff         | lea                 eax, [ebp - 0x94]
            //   50                   | push                eax

        // Wildcarded push-imm32 and call, then a 0x1c stack clean-up (7 dword
        // args) and push 0x200 with a 0x404-byte stack buffer — looks like a
        // cdecl call followed by set-up of a second call; callee not recoverable.
        $sequence_1 = { 68???????? e8???????? 83c41c 6800020000 8d85fcfbffff }
            // n = 5, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   6800020000           | push                0x200
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]

        // 8-byte copy step: two dword moves from [esi] to [edi], esi += 8.
        // Generic compiler output; expect this one to appear in unrelated binaries too.
        $sequence_2 = { 8b06 8907 8b4604 894704 83c608 }
            // n = 5, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8907                 | mov                 dword ptr [edi], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   83c608               | add                 esi, 8

        // Unsigned divide by 0xff, the remainder byte (dl) is stored through ebx
        // and ebx advances by one — consistent with a byte-wise encode/decode
        // loop (inference; the loop head is outside the sequence).
        $sequence_3 = { b9ff000000 f7f1 03d8 8813 43 895dfc eb02 }
            // n = 7, score = 200
            //   b9ff000000           | mov                 ecx, 0xff
            //   f7f1                 | div                 ecx
            //   03d8                 | add                 ebx, eax
            //   8813                 | mov                 byte ptr [ebx], dl
            //   43                   | inc                 ebx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   eb02                 | jmp                 4

        // Dword compare of [esi] against [edi] with a counter at [ebp - 4];
        // probably the body of a comparison loop (inference).
        $sequence_4 = { 7217 8b06 3b07 7511 8b45fc ff45fc }
            // n = 6, score = 200
            //   7217                 | jb                  0x19
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   3b07                 | cmp                 eax, dword ptr [edi]
            //   7511                 | jne                 0x13
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff45fc               | inc                 dword ptr [ebp - 4]

        // xor with a table/struct field plus 24-bit and 8-bit right shifts —
        // the shape of a word-mixing step (hash or cipher round); not verified.
        $sequence_5 = { 337008 c1e918 8975ec c1eb08 }
            // n = 4, score = 200
            //   337008               | xor                 esi, dword ptr [eax + 8]
            //   c1e918               | shr                 ecx, 0x18
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   c1eb08               | shr                 ebx, 8

        // Reads a field at offset 0x80 of the object in eax, adds ebx and pushes
        // it together with 0x14 — field meaning unknown from this excerpt.
        $sequence_6 = { e9???????? 57 8bb880000000 6a14 03fb 57 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   57                   | push                edi
            //   8bb880000000         | mov                 edi, dword ptr [eax + 0x80]
            //   6a14                 | push                0x14
            //   03fb                 | add                 edi, ebx
            //   57                   | push                edi

        // Prologue-style pushes, then a signed test of a value in ebx (jle).
        $sequence_7 = { 51 51 53 8bd8 85db 7e57 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7e57                 | jle                 0x59

        // Local-variable bookkeeping with a -0xc (12-byte) stride on edx —
        // suggests iteration over 12-byte records (inference).
        $sequence_8 = { 8bf8 0345ec ff45f0 8955ec 8b55f8 83c2f4 8945e4 }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   0345ec               | add                 eax, dword ptr [ebp - 0x14]
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   83c2f4               | add                 edx, -0xc
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        // push 0x3000 as the third-from-last argument before an indirect call,
        // result saved and null-checked. 0x3000 equals MEM_COMMIT | MEM_RESERVE,
        // so this is consistent with a VirtualAlloc-style allocation through a
        // resolved import — NOTE(review): the callee is not visible here; confirm.
        $sequence_9 = { 6800300000 56 50 ffd7 8945fc 85c0 }
            // n = 6, score = 200
            //   6800300000           | push                0x3000
            //   56                   | push                esi
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c0                 | test                eax, eax

    condition:
        // 7 of the 10 sequences must match, so up to three may be missing or
        // altered in a variant. filesize < 237568 (232 KiB, 0x3A000) restricts
        // matches to small files, which is what the unpacked reference sample(s)
        // satisfied. NOTE(review): YARA defines filesize only for file scans
        // (it is undefined, and thus the condition fails, when scanning a live
        // process), so use this rule on files and dumps, not process memory.
        7 of them and filesize < 237568
}