banload | f2e58ee2957e8000552cd12aec3773a0d70f67170f4dffc0b0eb5d4da85077ed

General

Target

f2e58ee2957e8000552cd12aec3773a0d70f67170f4dffc0b0eb5d4da85077ed.dll
Size

4.3MB
MD5

80ff198cb4385824119be0dbae268a88
SHA1

82a0c9d7f9c2ecc22b6ab3c597a6632987b7427f
SHA256

f2e58ee2957e8000552cd12aec3773a0d70f67170f4dffc0b0eb5d4da85077ed
SHA512

c1a4f761174c8ee038708dcd2c95a5e954c4bc8f1697afd3e007408377e0cd7db5761fc8930081955d743fe77198c62d1f4a5324a481486c4d09ac02053f1829

Score

10^/10

banload numando backdoor downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Detect Numando Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1984-64-0x00000000021B0000-0x0000000002F76000-memory.dmp	family_numando
behavioral1/memory/1984-65-0x00000000021B0000-0x0000000002F76000-memory.dmp	family_numando
behavioral1/memory/1984-66-0x00000000021B0000-0x0000000002F76000-memory.dmp	family_numando
behavioral1/memory/1984-67-0x00000000021B0000-0x0000000002F76000-memory.dmp	family_numando
behavioral1/memory/1984-68-0x00000000021B0000-0x0000000002F76000-memory.dmp	family_numando
behavioral1/memory/1984-69-0x00000000021B1000-0x0000000002477000-memory.dmp	family_numando

Numando
Numando is a banking trojan/backdoor targeting Latin America which uses Youtube and Pastebin for C2 communications.
trojan backdoor numando
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1468	1984	WerFault.exe	27

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\ToolboxBitmap32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll, 212"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\Version	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\VersionIndependentProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\VersionIndependentProgID\ = "msinkaut.InkPicture"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\ = "Microsoft InkPicture Control"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\Insertable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\ProgID\ = "msinkaut.InkPicture.1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\MiscStatus\1	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\Programmable	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\Control	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\MiscStatus	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\ToolboxBitmap32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\TypeLib\ = "{7D868ACD-1A5D-4a47-A247-F39741353012}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\MiscStatus\ = "0"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\MiscStatus\1\ = "131473"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\TypeLib	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\Version\ = "1.0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A2826C-82D8-F957-C494-315D7E35F82D}\ProgID	rundll32.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:4FF5F248	rundll32.exe
File opened for modification	C:\ProgramData\TEMP:4FF5F248	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1984	rundll32.exe
Token: SeIncBasePriorityPrivilege	1984	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1928 wrote to memory of 1984	1928	rundll32.exe	27
PID 1984 wrote to memory of 1468	1984	rundll32.exe	28
PID 1984 wrote to memory of 1468	1984	rundll32.exe	28
PID 1984 wrote to memory of 1468	1984	rundll32.exe	28
PID 1984 wrote to memory of 1468	1984	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2e58ee2957e8000552cd12aec3773a0d70f67170f4dffc0b0eb5d4da85077ed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f2e58ee2957e8000552cd12aec3773a0d70f67170f4dffc0b0eb5d4da85077ed.dll,#1
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 692
    3⤵
    - Program crash
    PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1984-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1984-56-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-57-0x0000000003450000-0x000000000365C000-memory.dmp

Filesize
2.0MB

Download
memory/1984-63-0x0000000003450000-0x000000000365C000-memory.dmp

Filesize
2.0MB

Download
memory/1984-64-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-65-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-66-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-67-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-68-0x00000000021B0000-0x0000000002F76000-memory.dmp

Filesize
13.8MB

Download
memory/1984-69-0x00000000021B1000-0x0000000002477000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing