NedDnLoader (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.neddnloader (Back to overview)

NedDnLoader

Actor(s): Lazarus Group

There is no description at this point.

References

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team
Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN

Yara Rules

[TLP:WHITE] win_neddnloader_auto (20230125 | Detects win.neddnloader.)

rule win_neddnloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.neddnloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3c75 3c85 3c92 3c9c 3cb2 3cbe 3cd1 }
            // n = 7, score = 200
            //   3c75                 | cmp                 al, 0x75
            //   3c85                 | cmp                 al, 0x85
            //   3c92                 | cmp                 al, 0x92
            //   3c9c                 | cmp                 al, 0x9c
            //   3cb2                 | cmp                 al, 0xb2
            //   3cbe                 | cmp                 al, 0xbe
            //   3cd1                 | cmp                 al, 0xd1

        $sequence_1 = { 397dfc 7652 33c0 50 50 8945f0 }
            // n = 6, score = 200
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi
            //   7652                 | jbe                 0x54
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_2 = { 8b7510 8b7d0c 83451010 836dfc10 8345f810 4b a5 }
            // n = 7, score = 200
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83451010             | add                 dword ptr [ebp + 0x10], 0x10
            //   836dfc10             | sub                 dword ptr [ebp - 4], 0x10
            //   8345f810             | add                 dword ptr [ebp - 8], 0x10
            //   4b                   | dec                 ebx
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_3 = { 8975e4 8945e8 894dbc 894dc0 894dc4 }
            // n = 5, score = 200
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx

        $sequence_4 = { 894508 e8???????? 83c40c 037d08 2975f0 ff4d08 }
            // n = 6, score = 200
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   037d08               | add                 edi, dword ptr [ebp + 8]
            //   2975f0               | sub                 dword ptr [ebp - 0x10], esi
            //   ff4d08               | dec                 dword ptr [ebp + 8]

        $sequence_5 = { 53 ff750c 03c7 8906 51 8bfe 895034 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   03c7                 | add                 eax, edi
            //   8906                 | mov                 dword ptr [esi], eax
            //   51                   | push                ecx
            //   8bfe                 | mov                 edi, esi
            //   895034               | mov                 dword ptr [eax + 0x34], edx

        $sequence_6 = { 8bf8 0345ec ff45f0 8955ec 8b55f8 83c2f4 8945e4 }
            // n = 7, score = 200
            //   8bf8                 | mov                 edi, eax
            //   0345ec               | add                 eax, dword ptr [ebp - 0x14]
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   83c2f4               | add                 edx, -0xc
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_7 = { 89442414 33c0 53 33db 56 }
            // n = 5, score = 200
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi

        $sequence_8 = { 8b1d???????? 56 ffd3 3985f0fbffff }
            // n = 4, score = 200
            //   8b1d????????         |                     
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   3985f0fbffff         | cmp                 dword ptr [ebp - 0x410], eax

        $sequence_9 = { 891c81 8d7301 8b06 69c0b179379e c1e814 }
            // n = 5, score = 200
            //   891c81               | mov                 dword ptr [ecx + eax*4], ebx
            //   8d7301               | lea                 esi, [ebx + 1]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   69c0b179379e         | imul                eax, eax, 0x9e3779b1
            //   c1e814               | shr                 eax, 0x14

    condition:
        7 of them and filesize < 237568
}

Download all Yara Rules

NedDnLoader Propose Change

References

Yara Rules

NedDnLoader