numando | 31a643afb563c602c0985b40788ce5a0c0bed87123c916baff0a664e132d9e79

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 06:52

Target

cd6216e237f9005c8fd9dd7226b7d63e.dll
Size

1.4MB
MD5

cd6216e237f9005c8fd9dd7226b7d63e
SHA1

0bd2c522b02772e1e28f98064959792d9308a313
SHA256

31a643afb563c602c0985b40788ce5a0c0bed87123c916baff0a664e132d9e79
SHA512

e146dd477c86668a1625c92ec8756fdddf4896c1ab7a4ecc99fe7e3a6d0c1b77993e2854a07bad94d59fe6308e0ff03690fda926bf525212c7606ff197a5f802
SSDEEP

24576:r5+kiX8lJBLMHZrMm1A2vCHespF/uCLk+/xPv45MYhBCXxU2mb2cN:r5niXcKZrU2vCHeikQPQ5MYhBWxU2m24

Score

10^/10

Detect Numando payload 1 IoCs

resource	yara_rule
behavioral1/memory/2316-1-0x0000000002020000-0x000000000246E000-memory.dmp	family_numando

Numando
Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.
trojan backdoor numando

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2316-0-0x0000000002020000-0x000000000246E000-memory.dmp	upx
behavioral1/memory/2316-1-0x0000000002020000-0x000000000246E000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	2316	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 1540 wrote to memory of 2316	1540	rundll32.exe	28
PID 2316 wrote to memory of 1960	2316	rundll32.exe	29
PID 2316 wrote to memory of 1960	2316	rundll32.exe	29
PID 2316 wrote to memory of 1960	2316	rundll32.exe	29
PID 2316 wrote to memory of 1960	2316	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd6216e237f9005c8fd9dd7226b7d63e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd6216e237f9005c8fd9dd7226b7d63e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 332
    3⤵
    - Program crash
    PID:1960

memory/2316-0-0x0000000002020000-0x000000000246E000-memory.dmp

Filesize
4.3MB

Download
memory/2316-1-0x0000000002020000-0x000000000246E000-memory.dmp

Filesize
4.3MB

Download