teabot | 7d91d0923fcc9f4f672e2767a3024d27755bb5949d6e9926594c4fa2b1059168

General

Target

UPS974.apk
Size

2.6MB
MD5

992a51cb63c965afe06247db64b3471c
SHA1

b3e8d4958d4c2979a940c70d054511cf009a5199
SHA256

7d91d0923fcc9f4f672e2767a3024d27755bb5949d6e9926594c4fa2b1059168
SHA512

b67c61bbfe10be9aa79cbf39847d1852758caf4e4d7678908e2504a4144de1840842f3f355a98f92d1697b3246978ac6ee159e96021b8f7468b8ab016c8afd2b

Score

10^/10

teabot banker infostealer obfuscation trojan

Malware Config

Extracted

Family

teabot

AES_key

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

Processes:

life.reverse.gear

ioc	pid	process
/data/user/0/life.reverse.gear/app_apkprotector_dex/classes-v1.bin	3619	life.reverse.gear
/data/user/0/life.reverse.gear/app_apkprotector_dex/classes-v1.bin	3619	life.reverse.gear
/data/user/0/life.reverse.gear/app_ded/hY4g77hpr32cZTTgILzJYqlbgyCPMHLb.dex	3619	life.reverse.gear
/data/user/0/life.reverse.gear/app_ded/hY4g77hpr32cZTTgILzJYqlbgyCPMHLb.dex	3619	life.reverse.gear

Uses reflection 31 IoCs

obfuscation

Processes:

life.reverse.gear

description	pid	process
Invokes method android.app.ActivityThread.currentActivityThread	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mPackages	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mClassLoader	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mClassLoader	3619	life.reverse.gear
Acesses field dalvik.system.BaseDexClassLoader.pathList	3619	life.reverse.gear
Acesses field dalvik.system.DexPathList.dexElements	3619	life.reverse.gear
Invokes method dalvik.system.DexPathList.makePathElements	3619	life.reverse.gear
Acesses field dalvik.system.DexPathList.dexElements	3619	life.reverse.gear
Invokes method android.app.ActivityThread.currentActivityThread	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mBoundApplication	3619	life.reverse.gear
Acesses field android.app.ActivityThread$AppBindData.info	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mApplication	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mInitialApplication	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mAllApplications	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mApplicationInfo	3619	life.reverse.gear
Acesses field android.app.ActivityThread$AppBindData.appInfo	3619	life.reverse.gear
Acesses field dalvik.system.BaseDexClassLoader.pathList	3619	life.reverse.gear
Acesses field dalvik.system.DexPathList.dexElements	3619	life.reverse.gear
Invokes method dalvik.system.DexPathList.makePathElements	3619	life.reverse.gear
Acesses field dalvik.system.DexPathList.dexElements	3619	life.reverse.gear
Invokes method android.app.LoadedApk.makeApplication	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mInitialApplication	3619	life.reverse.gear
Invokes method android.app.Application.attach	3619	life.reverse.gear
Acesses field android.app.ContextImpl.mOuterContext	3619	life.reverse.gear
Acesses field android.app.ContextImpl.mMainThread	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mInitialApplication	3619	life.reverse.gear
Acesses field android.app.ActivityThread.mAllApplications	3619	life.reverse.gear
Acesses field android.app.ContextImpl.mPackageInfo	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mApplication	3619	life.reverse.gear
Acesses field android.app.LoadedApk.mApplicationInfo	3619	life.reverse.gear
Invokes method android.os.SystemProperties.get	3619	life.reverse.gear

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads