numando | 6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d

Analysis

Target

6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll
Size

8.4MB
MD5

c243e95112cf3f78a08b10746279049e
SHA1

2bd84db1ceb13c6a47de90d95d07ffda75ecbaf5
SHA256

6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d
SHA512

1327b201c80859dc8e83cbf9db576c95a2ddcd2966253cd80d1b474c7b8166c91ab66ce08974d2233d594a632bdfc3febc93e12697aae0e49e3348d1e3e30830

Score

10^/10

Detect Numando Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1044-138-0x0000000002320000-0x0000000003457000-memory.dmp	family_numando
behavioral2/memory/1044-140-0x0000000002320000-0x0000000003457000-memory.dmp	family_numando

Numando
Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.
trojan backdoor numando

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/1044-131-0x0000000002320000-0x0000000003457000-memory.dmp	vmprotect
behavioral2/memory/1044-138-0x0000000002320000-0x0000000003457000-memory.dmp	vmprotect
behavioral2/memory/1044-140-0x0000000002320000-0x0000000003457000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	1044	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1044	664	rundll32.exe	78
PID 664 wrote to memory of 1044	664	rundll32.exe	78
PID 664 wrote to memory of 1044	664	rundll32.exe	78

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6729be401eb23017b85c357194720ed8aac2c65d470ff74505d9bd9068eaad0d.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 700
    3⤵
    - Program crash
    PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1044 -ip 1044
1⤵
PID:1852

memory/1044-131-0x0000000002320000-0x0000000003457000-memory.dmp

Filesize
17.2MB

Download
memory/1044-132-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1044-133-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1044-134-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1044-135-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1044-136-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1044-137-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1044-138-0x0000000002320000-0x0000000003457000-memory.dmp

Filesize
17.2MB

Download
memory/1044-140-0x0000000002320000-0x0000000003457000-memory.dmp

Filesize
17.2MB

Download