Numando Indicators of Compromise

Numando: Count once, code twice

The blog post about Numando "Numando: Count once, code twice" is available on WeLiveSecurity at https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/.

Hashes

| SHA-1 | Description | ESET detection name |
|---|---|---|
| E69E69FBF438F898729E0D99EF772814F7571728 | MSI downloader for "decoy ZIP" | Win32/TrojanDownloader.Delf.CQR |
| 4A1C48064167FC4AD5D943A54A34785B3682DA92 | MSI installer | Win32/Spy.Numando.BA |
| BB2BBCA6CA318AC0ABBA3CD53D097FA13DB85ED0 | Numando banking trojan | Win32/Spy.Numando.E |
| BFDA3EAAB63E23802EA226C6A8A50359FE379E75 | Numando banking trojan | Win32/Spy.Numando.AL |
| 9A7A192B67895F63F1AFDF5ADF7BA2D195A17D80 | Numando banking trojan | Win32/Spy.Numando.AO |
| 7789C57DCC3520D714EC7CA03D00FFE92A06001A | DLL with overlay window images | Win32/Spy.Numando.P |

Abused legitimate applications

| SHA-1 | EXE name | DLL name |
|---|---|---|
| A852A99E2982DF75842CCFC274EA3F9C54D22859 | nvsmartmaxapp.exe | nvsmartmax.dll |
| F804DB94139B2E1D1D6A3CD27A9E78634540F87C | VBoxTray.exe | mpr.dll |
| 65684B3D962FB3483766F9E4A9C047C0E27F055E | Dumpsender.exe | Oleacc.dll |

C&C servers

  • 138.91.168[.]205:733

  • 20.195.196[.]231:733

  • 20.197.228[.]40:779

Delivery URLs


VB2020 presentation

These IoCs are an annex to the session "LATAM financial cybercrime: competitors in crime sharing TTPs" to be presented at VB2020.

Hashes

Numando banking trojan

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 87158063CCF50C52A218FBC995774A6F0AFFF515 | Numando banking trojan | Win32/Spy.Numando.L |
| 7F600EBF3E0367D9521AF0380F2094B4F0C45B43 | Numando banking trojan | Win32/Spy.Numando.AN |
| 9A7A192B67895F63F1AFDF5ADF7BA2D195A17D80 | Numando banking trojan (protected by Themida) | Win32/Spy.Numando.AO |
| A91339DDB0A4AA263CDA6BCDC0B0B6067468712F | Numando banking trojan | Win32/Spy.Numando.L |

Numando downloader

| SHA-1 | Description | ESET detection name |
|---|---|---|
| DDE2C52F30948690B63846A14DFE6B73FBC234ED | Numando downloader (MSI) | Win32/Spy.Numando.L |
| 764262E0EF9517E5104AF362B4131CFE1D03C53D | Numando downloader (MSI) | Win32/Spy.Numando.AN |
| 43F0E063BBC92A4CD68678509E1CEF49D52A6D9D | Numando downloader (MSI) | Win32/Spy.Numando.AO |
| 29323D6DD4C587B4E27A5EDCB8F1AB15E4228682 | Numando downloader (MSI) | Win32/TrojanDownloader.Agent.EQL |

Other Numando tools

| SHA-1 | Description | ESET detection name |
|---|---|---|
| C1C5885452CEB219975F8AF2EC821EDCFC3FBC5D | Bitcoins stealer | Win32/ClipBanker.JL |
| 7789C57DCC3520D714EC7CA03D00FFE92A06001A | DLL with fake pop-up window designs | Win32/Spy.Numando.P |