numando | cdf4b776599edc5640c53c2ecdf0959b24d49245e6fae4d1ec57c03cf3660ae9

Analysis

Target

cdf4b776599edc5640c53c2ecdf0959b24d49245e6fae4d1ec57c03cf3660ae9.dll
Size

3.5MB
MD5

c0a26edbd8e0bb5ba4e32eb3fceb250b
SHA1

a6dfd89164d12ffb403c57a22c65fcbe43bd873d
SHA256

cdf4b776599edc5640c53c2ecdf0959b24d49245e6fae4d1ec57c03cf3660ae9
SHA512

de2cfeadf4b3eb2e5e2bffdf048bcdbfc67622f2befd1391407a00c07e38c0c80ce497060d70f6ce1b797012c795f515d880ceb984c82824c3c92ea7144d2695

Score

10^/10

Detect Numando Payload 1 IoCs

resource	yara_rule
behavioral1/memory/360-56-0x0000000002170000-0x00000000024FF000-memory.dmp	family_numando

Numando
Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.
trojan backdoor numando

Blocklisted process makes network request 10 IoCs

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	360	WerFault.exe	27

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 800 wrote to memory of 360	800	rundll32.exe	27
PID 360 wrote to memory of 2020	360	rundll32.exe	28
PID 360 wrote to memory of 2020	360	rundll32.exe	28
PID 360 wrote to memory of 2020	360	rundll32.exe	28
PID 360 wrote to memory of 2020	360	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf4b776599edc5640c53c2ecdf0959b24d49245e6fae4d1ec57c03cf3660ae9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cdf4b776599edc5640c53c2ecdf0959b24d49245e6fae4d1ec57c03cf3660ae9.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 432
    3⤵
    - Program crash
    PID:2020

memory/360-55-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/360-56-0x0000000002170000-0x00000000024FF000-memory.dmp

Filesize
3.6MB

Download