teabot | 59c60b90cd4d4885b207bf35a6b239f53a9ce1fb00904755294c79ac57865663

Analysis

max time kernel
1391634s
platform
android_x86
resource
android-x86-arm
submitted
17-08-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59c60b90cd4d4885b207bf35a6b239f53a9ce1fb00904755294c79ac57865663.apk
Size

4.3MB
MD5

52963ba0407c23ea640257b805023301
SHA1

eddfc247f13a93b9b57e4ba36d6dd9c6c5246fad
SHA256

59c60b90cd4d4885b207bf35a6b239f53a9ce1fb00904755294c79ac57865663
SHA512

594a1393b074a640624fe5c99e5e31fcfdfbce3f4947b317fcc39c10b14e00291ea5443727025d81bd15c4110ef87e1496ca233a6e02a5eb31fb7cc0f5d8e839

Score

10^/10

teabot banker infostealer obfuscation trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json	family_teabot
/data/user/0/put.company.ribbon/app_DynamicOptDex/oat/x86/SemyJQ.vdex	family_teabot

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

put.company.ribbon/system/bin/dex2oat

ioc	pid	process
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json	4973	put.company.ribbon
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json	4997	/system/bin/dex2oat
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json	4973	put.company.ribbon

Requests enabling of the accessibility settings. 1 IoCs

Processes:

put.company.ribbon

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS put.company.ribbon

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	put.company.ribbon

Uses reflection 2 IoCs

obfuscation

Processes:

put.company.ribbon

description	pid	process
Invokes method android.content.pm.PackageManager.isInstantApp	4973	put.company.ribbon
Invokes method android.os.SystemProperties.get	4973	put.company.ribbon

put.company.ribbon
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses reflection
PID:4973

put.company.ribbon
2⤵
PID:4997

/system/bin/dex2oat
2⤵
- Loads dropped Dex/Jar
PID:4997

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json

MD5
8467aace79dc7d10821c4f84adddf69d

SHA1
d98616daddee3f9ca223a6d507f225ecff0f57e1

SHA256
c7968e699928389d81623814f23b95de3989c5c27bbd413559f9196d43d89084

SHA512
297f466a66b99c713914dd7d9ab86248930a54c6742219262dc56378101bc175d48e11cdc454f6e3c77121caa7c7338bd10d4b1dc21f767a0c38fb7519b798f7

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json

MD5
d428bb2ac134b6b5c51dcd65cbf54ecf

SHA1
5f3597e1a949e1d9fee18a6e3abd1b58b62f14d7

SHA256
bc68e988d8f8520df165506fc2b704efb5c18f4d56bbd43adbeaa7c01b7ff3bb

SHA512
b3e04a8a5ab34ce7537edbcce3203235de571c28ab979b1af4833cff8da072341c07e9b764beb5239166b6ad130096eaf3916077809e698ac2dd3b6e17de56ce

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/SemyJQ.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/oat/SemyJQ.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/oat/x86/SemyJQ.odex

MD5
c22d943650b96bcaba8a5c7bc76bf06d

SHA1
179486be72a23e68c7953db305a37b3ce10babb0

SHA256
81a18ce9476bbb094fae55aca32237db37495ff54a1ac6e85a663e113dd2ed96

SHA512
fd266abcbd025522cf395b394d55c4694de03e690230c6a9229a085f389e36c30c5d320302b2e98fa9710f860bd2d7fbbe0c4352ebf9e728fbcb9a39c0571a5e

Download Submit
/data/user/0/put.company.ribbon/app_DynamicOptDex/oat/x86/SemyJQ.vdex

MD5
183847d861326ba27cab3e23fdf9b388

SHA1
01c3e26e184e21b7dc3570938aaed68ca870bd9f

SHA256
80d752233a864f8cf1e377c97227238eea7f421ccd36bd17877e43bcfac7c449

SHA512
6f56a12a33de75b00987959181b961957943bc5b1e51ebe94c394b3ee76aa258fa00d26c433c20d87ddf8965939be0c37930864ee01113e1a684efad2d09349a

Download Submit
/data/user/0/put.company.ribbon/app_webview/GPUCache/index

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/put.company.ribbon/app_webview/GPUCache/index-dir/temp-index

MD5
e5d78f2b07930bbf7c2697bda46f392f

SHA1
8b652299a8e07bf0130a08274f4411977aa484ac

SHA256
40f871e3b035aa941f45085c3dd927d798cf0e6e9862aeb85d86ee73cb4b1797

SHA512
ae2e9f1196cd5b0299ddfb08fac498d854f53c18cc6cf01ec564d2108cda27c2f4c6b7ba4af51d2c153c910bde535055d88fe896ed42114f8ca1503289ab0ad8

Download Submit
/data/user/0/put.company.ribbon/app_webview/GPUCache/index-dir/temp-index

MD5
8c106a9c98d5e82ca7f44a348cdcc1f2

SHA1
224bed8e4861aa524cbb798ce150cf9bf259ed5d

SHA256
d3bde9bf0043c952c8862d40f8fbc0ed88cf18c7d6aecddb1fa10679e82dfd8a

SHA512
fb55512b9279b83170c65e50dca004dfe37c4580790024bb845c1f07d836bf17ccd661e03a37d57807c8963e11aef43656ed43d10142d60ef8851b2490ad2ae2

Download Submit
/data/user/0/put.company.ribbon/app_webview/Web Data

MD5
5168d8c4556ac22decc2362ce61ddafb

SHA1
664cb3c7b0b5b13c3b915c28354793bcc0afd408

SHA256
5057cf5dab27589d93f7d55ffa505ea8249c213b79fd8c85ac39423c135c5db6

SHA512
81cefa22b3b1d30acf590b44b97a47b68c265a15b3725ff348ac0256faae0aa76b6a9bedece897c912bbcc86623c3a20c193ff131d9a25d0ee8e315394ae332d

Download Submit
/data/user/0/put.company.ribbon/app_webview/Web Data-journal

MD5
82d334eefc82d935af96ef9d60a433d2

SHA1
a9bcdfb7258afa03c7aa17d331cd41b58026c3b1

SHA256
ed24d292dc56c2346e096a5f48d8e51ad073945a85d686e4837ad355a324b4b5

SHA512
9527ee113c2b047850b5d34c01f7ee38015ea1cd47489bc10c4ae3215a53f368dd72e931c31110c88e9881a0c4d1e0a3461d2756a1f6f62efe6219aaf2f1d001

Download Submit
/data/user/0/put.company.ribbon/app_webview/metrics_guid

MD5
edcd20a8e9aa6b648db46979db440df9

SHA1
0c025950fff8e4f3e2db8264f06be2e2eebac797

SHA256
74dc50aa2b2d0f572df33b263a4c4437a6acc49792fb6ec0aced96cf28acfe90

SHA512
b7a681fc6cb3961f1861b71500d7b78ef5fc10f19beb0b2fa85fb87d7ca11d0da2de32a623823f71ccfbd43205c3ae0c6f2c19f8878328e2171e9962a431028a

Download Submit
/data/user/0/put.company.ribbon/app_webview/metrics_guid

MD5
edcd20a8e9aa6b648db46979db440df9

SHA1
0c025950fff8e4f3e2db8264f06be2e2eebac797

SHA256
74dc50aa2b2d0f572df33b263a4c4437a6acc49792fb6ec0aced96cf28acfe90

SHA512
b7a681fc6cb3961f1861b71500d7b78ef5fc10f19beb0b2fa85fb87d7ca11d0da2de32a623823f71ccfbd43205c3ae0c6f2c19f8878328e2171e9962a431028a

Download Submit
/data/user/0/put.company.ribbon/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/put.company.ribbon/shared_prefs/WebViewChromiumPrefs.xml

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/put.company.ribbon/shared_prefs/config.xml

MD5
10788cf4d0231229d3be02049c0a24f5

SHA1
d601b238f5357cf869413c6d2393e486214373f0

SHA256
a46885e6e24e9a295dd626cd855c169f76539b0545176ea50a1c23b4dd6a7b67

SHA512
508f60b7dda2e77a51da8451f20162b566e27b193c333280439e2d6980d0a8709898f8f40bc99e73061928c7af3b6c1ba383d464251424e96c663d6308a9cc5a

Download Submit
/data/user/0/put.company.ribbon/shared_prefs/config.xml

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit