{
	"id": "3861fb95-20bb-4dc4-b713-aeb51b839259",
	"created_at": "2026-04-06T00:14:38.718842Z",
	"updated_at": "2026-04-10T13:12:27.351233Z",
	"deleted_at": null,
	"sha1_hash": "538ad27d9aacd45defd89ccaf099cb3af67266e1",
	"title": "Numando: Count once, code twice",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1292795,
	"plain_text": "Numando: Count once, code twice\r\nBy ESET Research\r\nArchived: 2026-04-05 17:09:47 UTC\r\nThe (probably) penultimate post in our occasional series demystifying Latin American banking trojans.\r\n17 Sep 2021 • 6 min. read\r\nBefore concluding our series, there is one more LATAM banking trojan that deserves a closer look: Numando. The threat actor behind this malware family has been active since at least 2018. Even though it is not nearly as lively as Mekotio or Grandoreiro, it has been used consistently since we started tracking it, and it has brought interesting new techniques to the pool of Latin American banking trojan tricks, such as using seemingly useless ZIP archives or bundling payloads with decoy BMP images. Geographically, it focuses almost exclusively on Brazil, with rare campaigns in Mexico and Spain.\r\nCharacteristics\r\nAs with all the other Latin American banking trojans described in this series, Numando is written in Delphi and uses fake overlay windows to lure sensitive information out of its victims. Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others use a separate Delphi DLL just for this storage.\r\nhttps://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/\r\nBackdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes. Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings (see Figure 1), which inspired our name for this malware family.\r\nFigure 1. Numando command processing – part of command 9321795 processing (red)\r\nStrings are encrypted with the most common algorithm among Latin American banking trojans (shown in Figure 5 of our Casbaneiro write-up) and are not organized into a string table. 
Numando collects the victimized machine’s Windows version and bitness.\r\nUnlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development. There are some minor changes from time to time, but overall the binaries do not tend to change much.\r\nDistribution and execution\r\nNumando is distributed almost exclusively by spam. Based on our telemetry, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Recent campaigns simply add a ZIP attachment containing an MSI installer to each spammed message. This installer contains a CAB archive with a legitimate application, an injector and an encrypted Numando banking trojan DLL. If the potential victim executes the MSI, it eventually runs the legitimate application, which side-loads the injector. The injector locates the payload and decrypts it using a simple XOR algorithm with a multi-byte key; an overview of this process is illustrated in Figure 2.\r\nFigure 2. Numando MSI and its contents distributed in the latest campaigns\r\nFor Numando, the payload and injector are usually named identically, the injector with the .dll extension and the payload with no extension (see Figure 3), making it easy for the injector to locate the encrypted payload. Surprisingly, the injector is not written in Delphi, something very rare among Latin American banking trojans. The IoCs at the end of this blogpost contain a list of legitimate applications we have observed Numando abuse.\r\nFigure 3. Files used for executing Numando. 
Legitimate application (Cooperativa.exe), injector (Oleacc.dll), encrypted payload (Oleacc) and legitimate DLLs.\r\nDecoy ZIP and BMP overlay\r\nThere is one interesting distribution chain from the recent past worth mentioning. This chain starts with a Delphi downloader downloading a decoy ZIP archive (see Figure 4). The downloader ignores the archive’s contents and extracts a hex-encoded encrypted string from the ZIP file comment, an optional ZIP component stored at the end of the file. The downloader does not parse the ZIP structure; it simply looks for the last { character (used as a marker) in the whole file. Decrypting the string yields a different URL that leads to the actual payload archive.\r\nFigure 4. The decoy is a valid ZIP file (ZIP structures highlighted in green) with an encrypted URL included in a ZIP file comment at the end of the archive (red)\r\nThe second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it. The process is illustrated in Figure 5.\r\nFigure 5. Numando distribution chain using a decoy ZIP archive\r\nThis BMP file is a valid image and can be opened in most image viewers and editors without issue, as the overlay is simply ignored. Figure 6 shows some of the decoy images the Numando threat actor uses.\r\nFigure 6. Some BMP images Numando uses as decoys to carry its payload\r\nRemote configuration\r\nLike many other Latin American banking trojans, Numando abuses public services to store its remote configuration, YouTube and Pastebin in this case. 
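The two container tricks from the Decoy ZIP and BMP overlay section above, carved the way a triage script or sandbox would do it. This is an added example, not code from the original post and not ESET's or the malware's tooling. It shows the ZIP comment reached both properly (through the end-of-central-directory record) and the way the article says the downloader does it (the last { byte in the whole file), and the BMP overlay located through the bfSize field. Stopping the marker blob at a closing brace, the 16-byte threshold in the triage rule, the sample file names and all sample bytes are my constructions; the family's string decryption of the hex-decoded URL is not reproduced.

```python
import io
import struct
import zipfile

EOCD_SIG = bytes.fromhex('504b0506')  # PK 05 06: end-of-central-directory record


def zip_comment_from_eocd(data):
    # The proper way: the EOCD record is the last structure in a ZIP and
    # declares the length of the optional comment that follows it.
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    pos = data.rfind(EOCD_SIG, tail_start)
    if pos < 0:
        return None
    comment_len = struct.unpack_from('<H', data, pos + 20)[0]
    return data[pos + 22:pos + 22 + comment_len]


def blob_after_last_marker(data, marker=b'{'):
    # The downloader's way, as the article describes it: ignore the ZIP
    # structure and take what follows the last marker byte in the file.
    # Stopping at a closing brace and stripping whitespace is my assumption.
    pos = data.rfind(marker)
    if pos < 0:
        return None
    blob = data[pos + 1:]
    end = blob.find(b'}')
    if end >= 0:
        blob = blob[:end]
    return blob.strip()


def decode_hex_blob(blob):
    # The blob is hex-encoded ciphertext; decoding yields the encrypted URL,
    # which still needs the family's string decryption (not reproduced here).
    try:
        return bytes.fromhex(blob.decode('ascii'))
    except (UnicodeDecodeError, ValueError):
        return None


def is_suspicious_zip(data):
    # Triage rule for a mail gateway or sandbox: a valid archive whose comment
    # carries a marker followed by a long hex run. The 16-byte floor is my choice.
    comment = zip_comment_from_eocd(data)
    if not comment:
        return False
    blob = blob_after_last_marker(comment)
    decoded = decode_hex_blob(blob) if blob else None
    return decoded is not None and len(decoded) >= 16


def bmp_overlay(data):
    # BITMAPFILEHEADER: 'BM', bfSize (bytes the image claims to occupy),
    # two reserved words, bfOffBits. Anything past bfSize is overlay that
    # image viewers never read, which is where the injector finds the payload.
    if len(data) < 14 or data[:2] != b'BM':
        return None
    bf_size = struct.unpack_from('<I', data, 2)[0]
    if bf_size < 14 or bf_size > len(data):
        return None
    return data[bf_size:]


# Constructed samples for the demo; they are not real Numando artefacts.

def build_sample_zip(comment):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('leiame.txt', 'conteudo irrelevante')
        zf.comment = comment
    return buf.getvalue()


def build_sample_bmp(payload):
    # 1x1 24-bit image: 14-byte file header, 40-byte BITMAPINFOHEADER,
    # 4 pixel bytes (3 colour bytes plus row padding), then the overlay.
    info = struct.pack('<IiiHHIIiiII', 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    pixels = bytes.fromhex('ff000000')
    bf_size = 14 + len(info) + len(pixels)
    header = struct.pack('<2sIHHI', b'BM', bf_size, 0, 0, 14 + len(info))
    return header + info + pixels + payload


if __name__ == '__main__':
    decoy = build_sample_zip(b'{4d5a90000300000004000000ffff0000}')
    print(zip_comment_from_eocd(decoy), is_suspicious_zip(decoy))
    image = build_sample_bmp(b'MZ' + bytes(62))
    print(len(image), bmp_overlay(image)[:2])
```

The two ZIP readers should agree on a genuine decoy; a disagreement (marker found, but not inside the declared comment) is itself worth flagging, since the downloader never checks the structure. For BMPs, comparing bfSize with the real file size is cheap enough to run on every image attachment.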
Figure 7 shows an example of the configuration stored on YouTube, a technique similar to Casbaneiro’s, though much less sneaky. Google took the videos down promptly based on ESET’s notification.\r\nFigure 7. Numando remote configuration on YouTube\r\nThe format is simple: three entries delimited by “:” between the DATA:{ and } markers. Each entry is encrypted separately in the same way as other strings in Numando, with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without the corresponding binary; however, Numando does not change its decryption key very often, which makes decryption possible in practice.\r\nConclusion\r\nNumando is a Latin American banking trojan written in Delphi. It targets mainly Brazil, with rare campaigns in Mexico and Spain. It is similar to the other families described in our series: it uses fake overlay windows, contains backdoor functionality and uses MSI.\r\nWe have covered its most typical features, distribution methods and remote configuration. It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique; together these are two reliable factors for identifying this malware family.\r\nFor any inquiries, contact us at threatintel@eset.com. 
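For the MSI chain in the Distribution and execution section above, the injector finds the payload by its own name without the .dll extension and strips a repeating-key XOR. The following is an added example, not code from the original post and not ESET's or the malware's: it applies the naming rule, and, since the key is not published, recovers a repeating XOR key from an encrypted PE image by exploiting the zero runs every PE contains, validating each candidate against the MZ magic and the PE signature at e_lfanew. The key Nm8kQ, the zero-run heuristic and the fake image layout are my constructions; the only facts taken from the article are the XOR-with-multi-byte-key scheme and the naming convention.

```python
import os
import struct
from collections import Counter


def locate_payload(injector_path):
    # Numando's convention: the encrypted payload sits beside the injector,
    # same name, no extension (Oleacc.dll -> Oleacc). Also usable as a hunting
    # rule: a DLL with an extension-less sibling of the same stem.
    stem, ext = os.path.splitext(injector_path)
    return stem if ext else None


def xor_with_key(data, key):
    # Repeating-key XOR is its own inverse: the same call encrypts and decrypts.
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(data):
    # Known-plaintext check on the decrypted buffer: DOS magic at offset 0 and
    # the PE signature at the offset stored in e_lfanew (0x3C).
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def recover_xor_key(ciphertext, max_len=32):
    # A PE image contains long zero runs (header padding, section slack), and
    # under repeating-key XOR a zero run leaks the key verbatim. For each
    # candidate length the most frequent length-aligned window is therefore
    # the key; the PE check rejects wrong lengths. Returns the shortest key
    # that yields a well-formed image, or None.
    for klen in range(1, max_len + 1):
        windows = Counter(
            ciphertext[i:i + klen]
            for i in range(0, len(ciphertext) - klen + 1, klen)
        )
        if not windows:
            break
        key = windows.most_common(1)[0][0]
        if looks_like_pe(xor_with_key(ciphertext, key)):
            return key
    return None


def build_fake_pe(size=1024):
    # Constructed stand-in for a payload: correct MZ magic, e_lfanew and PE
    # signature, a little text and the zero padding real images are full of.
    buf = bytearray(size)
    buf[0:2] = b'MZ'
    struct.pack_into('<I', buf, 0x3C, 0x80)
    text = b'constructed DOS stub text'
    buf[0x40:0x40 + len(text)] = text
    buf[0x80:0x84] = b'PE' + bytes(2)
    body = bytes(range(256))
    buf[0x200:0x200 + len(body)] = body
    return bytes(buf)


if __name__ == '__main__':
    key = b'Nm8kQ'  # constructed key, not one used by Numando
    encrypted = xor_with_key(build_fake_pe(), key)
    print(locate_payload('Oleacc.dll'), recover_xor_key(encrypted))
```

On a real sample the recovered key length is a useful pivot: the same injector build tends to carry the same key across a campaign, so the key itself can be a cheap clustering signal. The shortest-first search matters because any multiple of the true length also validates.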
Indicators of Compromise can also be found in our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nSHA-1 | Description | ESET detection name\r\nE69E69FBF438F898729E0D99EF772814F7571728 | MSI downloader for “decoy ZIP” | Win32/TrojanDownloader.Delf.CQR\r\n4A1C48064167FC4AD5D943A54A34785B3682DA92 | MSI installer | Win32/Spy.Numando.BA\r\nBB2BBCA6CA318AC0ABBA3CD53D097FA13DB85ED0 | Numando banking trojan | Win32/Spy.Numando.E\r\nBFDA3EAAB63E23802EA226C6A8A50359FE379E75 | Numando banking trojan | Win32/Spy.Numando.AL\r\n9A7A192B67895F63F1AFDF5ADF7BA2D195A17D80 | Numando banking trojan | Win32/Spy.Numando.AO\r\n7789C57DCC3520D714EC7CA03D00FFE92A06001A | DLL with overlay window images | Win32/Spy.Numando.P\r\nAbused legitimate applications\r\nExample SHA-1 | EXE name | DLL name\r\nA852A99E2982DF75842CCFC274EA3F9C54D22859 | nvsmartmaxapp.exe | nvsmartmax.dll\r\nF804DB94139B2E1D1D6A3CD27A9E78634540F87C | VBoxTray.exe | mpr.dll\r\n65684B3D962FB3483766F9E4A9C047C0E27F055E | Dumpsender.exe | Oleacc.dll\r\nC\u0026C servers\r\n138.91.168[.]205:733\r\n20.195.196[.]231:733\r\n20.197.228[.]40:779\r\nDelivery URLs\r\nhttps://enjoyds.s3.us-east-2.amazonaws[.]com/H97FJNGD86R.zip\r\nhttps://lksluthe.s3.us-east-2.amazonaws[.]com/B876DRFKEED.zip\r\nhttps://procjdcals.s3.us-east-2.amazonaws[.]com/HN97YTYDFH.zip\r\nhttps://rmber.s3.ap-southeast-2.amazonaws[.]com/B97TDKHJBS.zip\r\nhttps://sucessmaker.s3.us-east-2.amazonaws[.]com/JKGHFD9807Y.zip\r\nhttps://trbnjust.s3.us-east-2.amazonaws[.]com/B97T908ENLK.zip\r\nhttps://webstrage.s3.us-east-2.amazonaws[.]com/G497TG7UDF.zip\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 9 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Numando operators register domains to be used as C\u0026C servers.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Numando is likely developed by its operator.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Numando is distributed as a malicious email attachment.\r\nExecution | T1204.002 | User Execution: Malicious File | Numando relies on the victim to execute the distributed MSI file.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Numando encrypts its payload or hides it inside a BMP image file, and some variants encrypt and hex encode their main payload URLs in a comment in decoy ZIP files.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Numando is often executed by DLL side-loading.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Some Numando binaries are packed with VMProtect or Themida.\r\nDefense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | Numando uses the MSI format for execution.\r\nDiscovery | T1010 | Application Window Discovery | Numando monitors the foreground windows.\r\nDiscovery | T1082 | System Information Discovery | Numando collects the Windows version and bitness.\r\nCollection | T1113 | Screen Capture | Numando can take screenshots.\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | Numando uses custom encryption.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Numando exfiltrates data via a C\u0026C server.\r\nSource: https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/"
	],
	"report_names": [
		"numando-latam-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/538ad27d9aacd45defd89ccaf099cb3af67266e1.pdf",
		"text": "https://archive.orkl.eu/538ad27d9aacd45defd89ccaf099cb3af67266e1.txt",
		"img": "https://archive.orkl.eu/538ad27d9aacd45defd89ccaf099cb3af67266e1.jpg"
	}
}