numando | 6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d

General

Target

6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll
Size

8.4MB
MD5

c243e95112cf3f78a08b10746279049e
SHA1

2bd84db1ceb13c6a47de90d95d07ffda75ecbaf5
SHA256

6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d
SHA512

1327b201c80859dc8e83cbf9db576c95a2ddcd2966253cd80d1b474c7b8166c91ab66ce08974d2233d594a632bdfc3febc93e12697aae0e49e3348d1e3e30830

Score

10^/10

Malware Config

Signatures

Detect Numando Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2020-87-0x0000000002140000-0x0000000003277000-memory.dmp	family_numando
behavioral1/memory/2020-89-0x0000000002140000-0x0000000003277000-memory.dmp	family_numando
behavioral1/memory/2020-90-0x0000000002140000-0x0000000003277000-memory.dmp	family_numando

Numando
Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.
trojan backdoor numando

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2020-56-0x0000000002140000-0x0000000003277000-memory.dmp	vmprotect
behavioral1/memory/2020-87-0x0000000002140000-0x0000000003277000-memory.dmp	vmprotect
behavioral1/memory/2020-89-0x0000000002140000-0x0000000003277000-memory.dmp	vmprotect
behavioral1/memory/2020-90-0x0000000002140000-0x0000000003277000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1420	2020	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	rundll32.exe
2020	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 1892 wrote to memory of 2020	1892	rundll32.exe	27
PID 2020 wrote to memory of 1420	2020	rundll32.exe	28
PID 2020 wrote to memory of 1420	2020	rundll32.exe	28
PID 2020 wrote to memory of 1420	2020	rundll32.exe	28
PID 2020 wrote to memory of 1420	2020	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 308
    3⤵
    - Program crash
    PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-71-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2020-89-0x0000000002140000-0x0000000003277000-memory.dmp

Filesize
17.2MB

Download
memory/2020-57-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2020-59-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2020-61-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2020-62-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2020-64-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2020-74-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2020-55-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000002140000-0x0000000003277000-memory.dmp

Filesize
17.2MB

Download
memory/2020-66-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2020-76-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2020-79-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2020-81-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2020-84-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2020-86-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2020-87-0x0000000002140000-0x0000000003277000-memory.dmp

Filesize
17.2MB

Download
memory/2020-90-0x0000000002140000-0x0000000003277000-memory.dmp

Filesize
17.2MB

Download
memory/2020-69-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing