win.neddnloader

NedDnLoader

Actor(s): Lazarus Group


NedDnLoader is an HTTP(S) downloader that uses AES to encrypt its C&C traffic.

It sends detailed information about the victim's environment to the C&C: computer name, user name, the type and free disk space of every drive, and a list of the currently running processes. Its HTTP POST requests typically use three parameter names: ned, gl and hl. The payload usually downloaded by NedDnLoader is Torisma.

The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or inside a trojanized MFC application project. It contains characteristic RTTI symbols such as ".?AVCWininet_Protocol@@" or ".?AVCMFC_DLLApp@@".
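The two paragraphs above give one network-side indicator (the ned/gl/hl parameter triple) and two host-side indicators (the RTTI class names and the internal DLL names). The following Python script turns them into triage checks; it is an added example, not code from Malpedia or from any of the cited reports. The proxy log format, the log lines, and the MZ-prefixed byte blob standing in for a sample are constructed for the example, and the C&C hostnames are placeholders.

```python
"""Triage checks for the NedDnLoader indicators listed above (added example;
not code from Malpedia or from any of the cited reports). The log format, the
log lines and the PE-like blob are constructed for this example."""
from urllib.parse import parse_qs

# Network-side indicator: the three POST parameter names from the description.
POST_PARAMS = {"ned", "gl", "hl"}
# Host-side indicators: RTTI class names and internal DLL names from the description.
RTTI_SYMBOLS = (b".?AVCWininet_Protocol@@", b".?AVCMFC_DLLApp@@")
INTERNAL_NAMES = (b"Dn.dll", b"Dn64.dll", b"DnDll.dll")


def is_neddnloader_post(body: str) -> bool:
    """True when a form-encoded POST body carries all three of ned, gl and hl.

    The values are AES-encrypted, so without the key the parameter names are
    the only stable thing to match on; a partial set (only gl and hl) is not
    enough and is rejected to keep the false-positive rate down.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return POST_PARAMS.issubset(fields)


# Constructed proxy log, hypothetical format: timestamp TAB method TAB url TAB body.
SAMPLE_LOG = (
    "2020-11-01T10:00:01Z\tPOST\thttp://c2.example.invalid/board.php\t"
    "ned=ZjQ0YjFh&gl=MjAwMA&hl=dGVzdA\n"
    "2020-11-01T10:00:02Z\tPOST\thttp://portal.example.invalid/login\tuser=a&pass=b\n"
    "2020-11-01T10:00:03Z\tGET\thttp://portal.example.invalid/index.html\t\n"
    "2020-11-01T10:00:04Z\tPOST\thttp://c2.example.invalid/check.php\tgl=1&hl=2\n"
)


def triage_proxy_log(text: str) -> list:
    """Return the URLs of POST requests whose body matches the ned/gl/hl triple."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        _timestamp, _method, url, body = parts
        if is_neddnloader_post(body):
            hits.append(url)
    return hits


def file_indicators(image: bytes) -> dict:
    """Byte-search a dropped file for the RTTI symbols and internal DLL names.

    A substring scan is enough for triage: RTTI class names sit in .rdata and
    the internal name is normally the Name string of the export directory. It
    complements, not replaces, the YARA rule, which matches code sequences.
    """
    if image[:2] != b"MZ":
        return {"is_pe": False, "rtti": [], "internal_name": []}
    return {
        "is_pe": True,
        "rtti": [s.decode() for s in RTTI_SYMBOLS if s in image],
        "internal_name": [n.decode() for n in INTERNAL_NAMES if n in image],
    }


# Constructed stand-in for a 64-bit sample: an MZ header followed by the strings
# a real image would carry in .rdata and the export directory. Not a real PE.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b".?AVCWininet_Protocol@@\x00"
    + b"Dn64.dll\x00"
)


if __name__ == "__main__":
    print("suspicious POST URLs:", triage_proxy_log(SAMPLE_LOG))
    print("file indicators:", file_indicators(SAMPLE_IMAGE))
```

Run against a real proxy export, the body column is whatever your proxy logs for POST bodies; if it only logs request lines, the URL alone is not an indicator, since the family's paths are not fixed. The file check is meant for a dropped DLL pulled from a host, where the strings are visible in the unpacked image.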

References
2023-04-12 | Kaspersky Labs | Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN ForestTiger LambLoad LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-11-05 | McAfee | Christiaan Beek, Ryan Sherstobitoff
Operation North Star: Behind The Scenes
NedDnLoader Torisma
2020-09-15 | CrowdStrike | CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-08-13 | ClearSky | ClearSky Research Team
Operation 'Dream Job' Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader
2020-07-29 | McAfee | McAfee Labs
Operation (North Star) North Star: A Job Offer That's Too Good to be True?
NedDnLoader
2019-11-05 | Telsy | Telsy Research Team
The Lazarus' gaze to the world: What is behind the first stone?
NedDnLoader Torisma
Yara Rules
[TLP:WHITE] win_neddnloader_auto (20260504 | Detects win.neddnloader.)
rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 2b5d10 83c40c 03df }
            // n = 4, score = 400
            //   e8????????           |                     
            //   2b5d10               | sub                 ebx, dword ptr [ebp + 0x10]
            //   83c40c               | add                 esp, 0xc
            //   03df                 | add                 ebx, edi

        $sequence_1 = { 8bec 83e4f8 81ec10060000 a1???????? 33c4 }
            // n = 5, score = 400
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec10060000         | sub                 esp, 0x610
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp

        $sequence_2 = { 8b450c 8908 ff15???????? 8bc7 }
            // n = 4, score = 400
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   ff15????????         |                     
            //   8bc7                 | mov                 eax, edi

        $sequence_3 = { 0fb702 0fb731 663bc6 7506 83c102 83c202 3bcb }
            // n = 7, score = 400
            //   0fb702               | movzx               eax, word ptr [edx]
            //   0fb731               | movzx               esi, word ptr [ecx]
            //   663bc6               | cmp                 ax, si
            //   7506                 | jne                 0x8
            //   83c102               | add                 ecx, 2
            //   83c202               | add                 edx, 2
            //   3bcb                 | cmp                 ecx, ebx

        $sequence_4 = { 3bcf 72f0 8d43ff 3bc8 7311 0fb702 0fb731 }
            // n = 7, score = 400
            //   3bcf                 | cmp                 ecx, edi
            //   72f0                 | jb                  0xfffffff2
            //   8d43ff               | lea                 eax, [ebx - 1]
            //   3bc8                 | cmp                 ecx, eax
            //   7311                 | jae                 0x13
            //   0fb702               | movzx               eax, word ptr [edx]
            //   0fb731               | movzx               esi, word ptr [ecx]

        $sequence_5 = { ff15???????? 8b4df8 56 3bc8 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   56                   | push                esi
            //   3bc8                 | cmp                 ecx, eax

        $sequence_6 = { 8b03 8b5508 69c0b179379e c1e813 }
            // n = 4, score = 400
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   69c0b179379e         | imul                eax, eax, 0x9e3779b1
            //   c1e813               | shr                 eax, 0x13

        $sequence_7 = { 41 8bc1 2b45fc 5f 5e }
            // n = 5, score = 400
            //   41                   | inc                 ecx
            //   8bc1                 | mov                 eax, ecx
            //   2b45fc               | sub                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_8 = { 498bf8 488bea 4c8be1 85c0 7e57 448d68ff 488bf2 }
            // n = 7, score = 100
            //   498bf8               | mov                 rdi, r8
            //   488bea               | mov                 rbp, rdx
            //   4c8be1               | mov                 r12, rcx
            //   85c0                 | test                eax, eax
            //   7e57                 | jle                 0x59
            //   448d68ff             | lea                 r13d, [rax - 1]
            //   488bf2               | mov                 rsi, rdx

        $sequence_9 = { 488bce e8???????? 3bc7 7554 }
            // n = 4, score = 100
            //   488bce               | mov                 rcx, rsi
            //   e8????????           |                     
            //   3bc7                 | cmp                 eax, edi
            //   7554                 | jne                 0x56

        $sequence_10 = { 4881ecc0080000 488b05???????? 4833c4 488985b0070000 488bf1 }
            // n = 5, score = 100
            //   4881ecc0080000       | sub                 rsp, 0x8c0
            //   488b05????????       |                     
            //   4833c4               | xor                 rax, rsp
            //   488985b0070000       | mov                 qword ptr [rbp + 0x7b0], rax
            //   488bf1               | mov                 rsi, rcx

        $sequence_11 = { 488905???????? ff15???????? 488bc8 ff15???????? 488d1510410000 488bce 488905???????? }
            // n = 7, score = 100
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |                     
            //   488d1510410000       | lea                 rdx, [rip + 0x4110]
            //   488bce               | mov                 rcx, rsi
            //   488905????????       |                     

        $sequence_12 = { 0f8c05010000 837c244c00 4c8b642450 0f84c5000000 488364242000 488d0599ee0000 }
            // n = 6, score = 100
            //   0f8c05010000         | jl                  0x10b
            //   837c244c00           | cmp                 dword ptr [rsp + 0x4c], 0
            //   4c8b642450           | mov                 r12, qword ptr [rsp + 0x50]
            //   0f84c5000000         | je                  0xcb
            //   488364242000         | and                 qword ptr [rsp + 0x20], 0
            //   488d0599ee0000       | lea                 rax, [rip + 0xee99]

        $sequence_13 = { 894ff8 e8???????? eb49 8b4704 0307 }
            // n = 5, score = 100
            //   894ff8               | mov                 dword ptr [rdi - 8], ecx
            //   e8????????           |                     
            //   eb49                 | jmp                 0x4b
            //   8b4704               | mov                 eax, dword ptr [rdi + 4]
            //   0307                 | add                 eax, dword ptr [rdi]

        $sequence_14 = { ba00010000 4889442420 e8???????? 4c8d45f0 ba00010000 488bcf }
            // n = 6, score = 100
            //   ba00010000           | mov                 edx, 0x100
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           |                     
            //   4c8d45f0             | lea                 r8, [rbp - 0x10]
            //   ba00010000           | mov                 edx, 0x100
            //   488bcf               | mov                 rcx, rdi

        $sequence_15 = { 418b848c80510100 4189849c90b00100 418b848c80550100 4189849c90ac0100 418b848c80590100 4189849c90b80100 4903dd }
            // n = 7, score = 100
            //   418b848c80510100     | mov                 eax, dword ptr [r12 + rcx*4 + 0x15180]
            //   4189849c90b00100     | mov                 dword ptr [r12 + rbx*4 + 0x1b090], eax
            //   418b848c80550100     | mov                 eax, dword ptr [r12 + rcx*4 + 0x15580]
            //   4189849c90ac0100     | mov                 dword ptr [r12 + rbx*4 + 0x1ac90], eax
            //   418b848c80590100     | mov                 eax, dword ptr [r12 + rcx*4 + 0x15980]
            //   4189849c90b80100     | mov                 dword ptr [r12 + rbx*4 + 0x1b890], eax
            //   4903dd               | add                 rbx, r13

    condition:
        7 of them and filesize < 3438592
}