NedDnLoader
Intelligence Profile
NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption.
It sends detailed information about the victim's environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.
The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like ".?AVCWininet_Protocol@@" or ".?AVCMFC_DLLApp@@".
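A triage sketch built on the indicators listed above, added here as an example and not taken from the original profile or any vendor tooling. The function names are hypothetical, the sample bytes and POST bodies are constructed, and requiring all three parameter names together is an assumption of this example.

```python
from urllib.parse import parse_qs

# Indicators quoted from the profile text above.
RTTI_MARKERS = (b".?AVCWininet_Protocol@@", b".?AVCMFC_DLLApp@@")
INTERNAL_DLL_NAMES = (b"Dn.dll", b"Dn64.dll", b"DnDll.dll")
POST_PARAMS = {"ned", "gl", "hl"}

# Constructed sample inputs (not real malware bytes or captured traffic).
SAMPLE_IMAGE = (b"MZ\x90\x00" + b"\x00" * 16 +
                b".?AVCWininet_Protocol@@\x00" + b"\x00\x00Dn64.dll\x00")
SAMPLE_BODIES = ["ned=AAAA&gl=BBBB&hl=CCCC", "q=test&hl=en&gl=us"]


def static_hits(data: bytes) -> dict:
    """Report which RTTI markers and internal DLL names occur in a file image."""
    rtti = [m.decode() for m in RTTI_MARKERS if m in data]
    names = []
    for name in INTERNAL_DLL_NAMES:
        # Internal (export) names are NUL-terminated ASCII. Require the
        # terminator and a non-alphanumeric byte in front, so that a longer
        # name merely ending in "Dn.dll" does not count as a hit.
        needle = name + b"\x00"
        idx = data.find(needle)
        while idx != -1:
            if idx == 0 or not data[idx - 1:idx].isalnum():
                names.append(name.decode())
                break
            idx = data.find(needle, idx + 1)
    return {"rtti": rtti, "dll_names": names}


def post_body_matches(body: str) -> bool:
    """True when a form-encoded POST body carries ned, gl and hl together."""
    # Assumption of this example: gl and hl also appear in ordinary web
    # traffic, so a body is flagged only when all three names are present.
    keys = set(parse_qs(body, keep_blank_values=True))
    return POST_PARAMS <= keys


if __name__ == "__main__":
    print(static_hits(SAMPLE_IMAGE))
    for body in SAMPLE_BODIES:
        print(body, "->", post_body_matches(body))
```

A hit from either function is a lead for further analysis, not an attribution: the RTTI strings are the more specific signal, while the DLL names and parameter names are short enough to collide with unrelated software.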
Threat Analysis
NedDnLoader is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.