win.neddnloader

NedDnLoader

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
Yara Rules
[TLP:WHITE] win_neddnloader_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Detection rule for the NedDnLoader family (Malpedia id win.neddnloader).
 *
 * This rule was produced automatically by yara-signator v0.6.0 (see the
 * `tool` meta field and the DISCLAIMER below): every string is a short
 * run of x86 instruction bytes lifted from the disassembly of unpacked
 * samples / memory dumps. It is therefore a code-pattern rule, not a
 * string- or import-based one.
 *
 * NOTE(review): because the byte sequences come from unpacked code, the
 * rule is expected to match unpacked payloads and dumps; it is not
 * expected to fire on a packed/encrypted on-disk dropper — confirm
 * against your own sample set before assigning it a confidence level.
 */
rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        // malpedia_rule_date / malpedia_version / malpedia_hash tie this rule text to a
        // specific Malpedia corpus snapshot; they are provenance metadata, not match logic.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a contiguous run of x86 (32-bit) instruction bytes.
        // The comment under each one lists the instructions it encodes
        // ("n" = number of instructions in the sequence; "score" is the
        // generator's ranking value — its exact meaning is not documented here).
        // Several sequences embed literal stack/struct displacements
        // (e.g. [esp + 0x2b4], [ebp - 0x4c]); NOTE(review): such offsets are
        // likely specific to one compiler layout, so a rebuilt variant may
        // not preserve them.
        $sequence_0 = { 0f8783000000 3bfa 731b 52 8bce }
            // n = 5, score = 200
            //   0f8783000000         | ja                  0x89
            //   3bfa                 | cmp                 edi, edx
            //   731b                 | jae                 0x1d
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi

        $sequence_1 = { 8b45ec 8b4dfc ff45fc eb05 }
            // n = 4, score = 200
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   eb05                 | jmp                 7

        $sequence_2 = { ffd6 8b442420 eb02 33c0 8b8c24b4020000 5f 5e }
            // n = 7, score = 200
            //   ffd6                 | call                esi
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8b8c24b4020000       | mov                 ecx, dword ptr [esp + 0x2b4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { 0fb70c07 6685c9 740a 668908 83c002 }
            // n = 5, score = 200
            //   0fb70c07             | movzx               ecx, word ptr [edi + eax]
            //   6685c9               | test                cx, cx
            //   740a                 | je                  0xc
            //   668908               | mov                 word ptr [eax], cx
            //   83c002               | add                 eax, 2

        $sequence_4 = { 33c0 befe010000 56 50 6689842418040000 8d84241a040000 50 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   befe010000           | mov                 esi, 0x1fe
            //   56                   | push                esi
            //   50                   | push                eax
            //   6689842418040000     | mov                 word ptr [esp + 0x418], ax
            //   8d84241a040000       | lea                 eax, [esp + 0x41a]
            //   50                   | push                eax

        $sequence_5 = { 85c0 7454 ff7730 8b46fc 0345fc 6a04 6800100000 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7454                 | je                  0x56
            //   ff7730               | push                dword ptr [edi + 0x30]
            //   8b46fc               | mov                 eax, dword ptr [esi - 4]
            //   0345fc               | add                 eax, dword ptr [ebp - 4]
            //   6a04                 | push                4
            //   6800100000           | push                0x1000

        $sequence_6 = { 8b02 8b4024 c3 55 8bec 51 57 }
            // n = 7, score = 200
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b4024               | mov                 eax, dword ptr [eax + 0x24]
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi

        $sequence_7 = { 81f9ff000000 74e8 8b4db4 8b55b8 03d1 3bd1 0f82df000000 }
            // n = 7, score = 200
            //   81f9ff000000         | cmp                 ecx, 0xff
            //   74e8                 | je                  0xffffffea
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]
            //   03d1                 | add                 edx, ecx
            //   3bd1                 | cmp                 edx, ecx
            //   0f82df000000         | jb                  0xe5

        $sequence_8 = { 0f8e06010000 6a10 58 8bf3 83e60f }
            // n = 5, score = 200
            //   0f8e06010000         | jle                 0x10c
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   8bf3                 | mov                 esi, ebx
            //   83e60f               | and                 esi, 0xf

        $sequence_9 = { 3bc6 7217 8b07 3b06 7511 8b4514 ff4514 }
            // n = 7, score = 200
            //   3bc6                 | cmp                 eax, esi
            //   7217                 | jb                  0x19
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   3b06                 | cmp                 eax, dword ptr [esi]
            //   7511                 | jne                 0x13
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ff4514               | inc                 dword ptr [ebp + 0x14]

    condition:
        // Match when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 237568 bytes (232 KiB). The size bound limits
        // false positives on large binaries that happen to share a few
        // common code idioms.
        // NOTE(review): `filesize` is only defined when YARA scans a file; on a
        // process-memory scan the comparison is undefined and the whole
        // condition evaluates false, so this rule will not fire there even if
        // all sequences are present. Drop or relax the size clause for
        // memory-scanning use cases (and re-validate the false-positive rate).
        7 of them and filesize < 237568
}