SYMBOLCOMMON_NAMEaka. SYNONYMS
win.neddnloader (Back to overview)

NedDnLoader

Actor(s): Lazarus Group

There is no description at this point.

References
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-09-15CrowdStrikeCrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
Yara Rules
[TLP:WHITE] win_neddnloader_auto (20211008 | Detects win.neddnloader.)
rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85db 7e57 8b450c 2bc1 4b 56 c1eb04 }
            // n = 7, score = 200
            //   85db                 | test                ebx, ebx
            //   7e57                 | jle                 0x59
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2bc1                 | sub                 eax, ecx
            //   4b                   | dec                 ebx
            //   56                   | push                esi
            //   c1eb04               | shr                 ebx, 4

        $sequence_1 = { 894dc4 894dcc 8945d0 8975d4 c745d803000000 394d0c 7518 }
            // n = 7, score = 200
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8975d4               | mov                 dword ptr [ebp - 0x2c], esi
            //   c745d803000000       | mov                 dword ptr [ebp - 0x28], 3
            //   394d0c               | cmp                 dword ptr [ebp + 0xc], ecx
            //   7518                 | jne                 0x1a

        $sequence_2 = { ff75f8 ff75fc e8???????? 2bdf 83c40c 035dfc e9???????? }
            // n = 7, score = 200
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   2bdf                 | sub                 ebx, edi
            //   83c40c               | add                 esp, 0xc
            //   035dfc               | add                 ebx, dword ptr [ebp - 4]
            //   e9????????           |                     

        $sequence_3 = { 51 c785dcf5ffff03000000 89bde4f5ffff ffd3 57 57 6a5f }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   c785dcf5ffff03000000     | mov    dword ptr [ebp - 0xa24], 3
            //   89bde4f5ffff         | mov                 dword ptr [ebp - 0xa1c], edi
            //   ffd3                 | call                ebx
            //   57                   | push                edi
            //   57                   | push                edi
            //   6a5f                 | push                0x5f

        $sequence_4 = { 51 57 8945e0 e8???????? 8b45e0 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_5 = { 8b06 3b07 7511 8b4514 ff4514 8945f4 c60000 }
            // n = 7, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   3b07                 | cmp                 eax, dword ptr [edi]
            //   7511                 | jne                 0x13
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ff4514               | inc                 dword ptr [ebp + 0x14]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_6 = { c1c009 03c2 8945fc 8bde f7d3 23da 23c6 }
            // n = 7, score = 200
            //   c1c009               | rol                 eax, 9
            //   03c2                 | add                 eax, edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bde                 | mov                 ebx, esi
            //   f7d3                 | not                 ebx
            //   23da                 | and                 ebx, edx
            //   23c6                 | and                 eax, esi

        $sequence_7 = { 837dfc54 7309 56 ff15???????? eb27 8b4d0c 8d45f8 }
            // n = 7, score = 200
            //   837dfc54             | cmp                 dword ptr [ebp - 4], 0x54
            //   7309                 | jae                 0xb
            //   56                   | push                esi
            //   ff15????????         |                     
            //   eb27                 | jmp                 0x29
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]

        $sequence_8 = { 33c0 e9???????? 83fe0d 0f8c0b020000 8b03 8b4d08 69c0b179379e }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   83fe0d               | cmp                 esi, 0xd
            //   0f8c0b020000         | jl                  0x211
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   69c0b179379e         | imul                eax, eax, 0x9e3779b1

        $sequence_9 = { 56 57 889c249c020000 8dbc249d020000 ab }
            // n = 5, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   889c249c020000       | mov                 byte ptr [esp + 0x29c], bl
            //   8dbc249d020000       | lea                 edi, dword ptr [esp + 0x29d]
            //   ab                   | stosd               dword ptr es:[edi], eax

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules