teabot | 0293d5232361c81d10ca817bc02001957e216af3d65c16f7226ebf30fd529684

Analysis

max time kernel
2182606s
platform
android_x86
resource
android-x86-arm
submitted
26-08-2021 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0293d5232361c81d10ca817bc02001957e216af3d65c16f7226ebf30fd529684.apk
Size

3.7MB
MD5

ea893f199a0df51bb6724934528b5cd7
SHA1

61a8f483486e4020dd829a5990f4ba85a93a1f8b
SHA256

0293d5232361c81d10ca817bc02001957e216af3d65c16f7226ebf30fd529684
SHA512

a3f641997c663e3457db37312ef5e68172001d5c243731a11a5998a632e67a983277a6b31f8efca997026d84714ba42bea62fd1590565a35cdb916bcbdb89495

Score

10^/10

teabot banker infostealer obfuscation trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot Payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json	family_teabot
/data/user/0/blush.wrong.slice/app_DynamicOptDex/oat/x86/TnEdAO.vdex	family_teabot

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

blush.wrong.slice/system/bin/dex2oat

ioc	pid	process
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json	4961	blush.wrong.slice
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json	4986	/system/bin/dex2oat
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json	4961	blush.wrong.slice

Requests enabling of the accessibility settings. 1 IoCs

Processes:

blush.wrong.slice

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS blush.wrong.slice

description	ioc	process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	blush.wrong.slice

Uses reflection 2 IoCs

obfuscation

Processes:

blush.wrong.slice

description	pid	process
Invokes method android.content.pm.PackageManager.isInstantApp	4961	blush.wrong.slice
Invokes method android.os.SystemProperties.get	4961	blush.wrong.slice

blush.wrong.slice
1⤵
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses reflection
PID:4961

blush.wrong.slice
2⤵
PID:4986

/system/bin/dex2oat
2⤵
- Loads dropped Dex/Jar
PID:4986

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json

MD5
f1f14135892f3947d0f570f7fab1a452

SHA1
f13c7fe5754b262e3a078e7795f2be612fad9162

SHA256
271270bc13d168a821e75f37d5431628391edc5c3b7222be35acfa55ea1c6ba3

SHA512
4b5a1f5b5dd1ce168e5491be8f4b8c603a0918a6548061a09fc34321736fef927ad1f25f2e58bcb7a014a7892e921aecf1285b9eee38a5a5904c58d043eb6b03

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json

MD5
404279cea98a7dd415d78aee81066811

SHA1
bda20a3829d0598732d5d0bf9ca10563e262201e

SHA256
1b7ad5771f823c4cd033074f492d835d5e4226b1a98ea7cccb1592337cab62eb

SHA512
8c36db1a8cc7b25c0dc3921ec3407d1a3d6dbcb031127f86f4f47f8c4d9196b8fb0dcab8aeece5ad10c99db8be4b129b62e1ffe201fd1f82cd8ddcaea80ac70a

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json

MD5
9f1d21786d39bbbafe74998cfc504f9b

SHA1
ed365c004c955d8b4cc8d1a639e72d775baed666

SHA256
4bf4ffb570176f3491cb19555aaf6a9117df4e7845c6ad7689ea96f663ba849b

SHA512
74831489273e5784d774e5a2ba0a5151aa76b8388f781ea6912a1a31f31b8c56f818464a2eff1c1bf52d94adbdc0054b54e8747f4f531550036721837abb74cd

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/TnEdAO.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/oat/TnEdAO.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/oat/x86/TnEdAO.odex

MD5
8ec818c0aec662177ac3a4fa1fb1398d

SHA1
8c07168a488e2af91e0a161f21186032014fb2db

SHA256
c1174f0836f570c5655b948f32017ac44ffd29ad0d9dfb09dd6e6bf0fbd2794e

SHA512
823e67d961a9e199719a4ab318dcb249085257a5ff5846baf8462d79588a71fc7afc20b7fd38de90ff8d1af03eebae884b40919d1fa9a241237c7768ef91e9fc

Download Submit
/data/user/0/blush.wrong.slice/app_DynamicOptDex/oat/x86/TnEdAO.vdex

MD5
23ec13fde23152a1b2ab347c2def9ab8

SHA1
b44de546691bf46eece99796b8ff268b33c5434b

SHA256
b3c855b10fae0483f08209e9f76dcc5ff74a1f33d233a792641b969f0bad53f8

SHA512
3b217e620234c13e065c176a18fde3b249f753c8e40b22eecf493009185b0e1e9b9b672a98a5240e35ed80fb05e5ad7608a4af21e17b1c626f4201ad8c7bfe49

Download Submit
/data/user/0/blush.wrong.slice/app_webview/GPUCache/index

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_webview/GPUCache/index-dir/temp-index

MD5
9b2ee7eb541e34435fc2de00dd3a4998

SHA1
06948f43334859e3854b680506d4910d5a93ccf5

SHA256
c672d13211a06a8b9346aa3ab56b6ddab342f74185fd5db850f87b601fc9677e

SHA512
32e79e5adb3d9cc536372a0bf70a4d3ddc9cb65755ed1dc10bf61fd393cb3a46921fab660e85fca28b29dabaec1e2316c78d04e36fdc28017c9675da056f712b

Download Submit
/data/user/0/blush.wrong.slice/app_webview/GPUCache/index-dir/temp-index

MD5
5d6112df8180d97280ad753468bbf314

SHA1
fa4fd9d121a1831c4c4c700d0af3bbcd10433edc

SHA256
b950486e3d386f9945adab4c8bcd8329a82416fa27f0907e72a8b43523c6d840

SHA512
9e81f9309369bdca96c87bea350e7da46c7a404bb9369107adffc0e01f57585882045f0106e120f2a6b9dbe9a82f05c9c80a190e0643f4f1acc38c5e7503f7d1

Download Submit
/data/user/0/blush.wrong.slice/app_webview/GPUCache/index-dir/temp-index

MD5
5d6112df8180d97280ad753468bbf314

SHA1
fa4fd9d121a1831c4c4c700d0af3bbcd10433edc

SHA256
b950486e3d386f9945adab4c8bcd8329a82416fa27f0907e72a8b43523c6d840

SHA512
9e81f9309369bdca96c87bea350e7da46c7a404bb9369107adffc0e01f57585882045f0106e120f2a6b9dbe9a82f05c9c80a190e0643f4f1acc38c5e7503f7d1

Download Submit
/data/user/0/blush.wrong.slice/app_webview/Web Data

MD5
5168d8c4556ac22decc2362ce61ddafb

SHA1
664cb3c7b0b5b13c3b915c28354793bcc0afd408

SHA256
5057cf5dab27589d93f7d55ffa505ea8249c213b79fd8c85ac39423c135c5db6

SHA512
81cefa22b3b1d30acf590b44b97a47b68c265a15b3725ff348ac0256faae0aa76b6a9bedece897c912bbcc86623c3a20c193ff131d9a25d0ee8e315394ae332d

Download Submit
/data/user/0/blush.wrong.slice/app_webview/Web Data-journal

MD5
a5a7d0bd2eabff730491c47d7e3ca179

SHA1
29cf65b3da334dbdb08e004969b767f60f8ec6ea

SHA256
13edb498bff664224e4d1613c32260fa2d08f65c378882e5a4a93a963e73684b

SHA512
0c158836d4082c3dc94dff2931bd3335b1ca688c657fa80b02ed7b3b20059955d3d8f36d53a5ea79d05742e349dd97bb3864828dda85bcbc8e7b0b7f5fdf8ebc

Download Submit
/data/user/0/blush.wrong.slice/app_webview/metrics_guid

MD5
ba5297156e5e1fb9aa92bbdf9c68987b

SHA1
f58a943932706cb152c57d5b40ad8070f6acd95b

SHA256
5c2f74b35b9ffa76cabaf23dcea6cf66cb582435bc50832584c005e6d7ed6391

SHA512
c61e9f1da93cbe460d594082eb0f2a69f315448c171598663a89687a2a6f8c0fd5029a608dce4f14c917aeaebb647b2f6e4702eb2a218a5996d48d077bdacf3d

Download Submit
/data/user/0/blush.wrong.slice/app_webview/metrics_guid

MD5
ba5297156e5e1fb9aa92bbdf9c68987b

SHA1
f58a943932706cb152c57d5b40ad8070f6acd95b

SHA256
5c2f74b35b9ffa76cabaf23dcea6cf66cb582435bc50832584c005e6d7ed6391

SHA512
c61e9f1da93cbe460d594082eb0f2a69f315448c171598663a89687a2a6f8c0fd5029a608dce4f14c917aeaebb647b2f6e4702eb2a218a5996d48d077bdacf3d

Download Submit
/data/user/0/blush.wrong.slice/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/blush.wrong.slice/shared_prefs/WebViewChromiumPrefs.xml

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/blush.wrong.slice/shared_prefs/config.xml

MD5
10788cf4d0231229d3be02049c0a24f5

SHA1
d601b238f5357cf869413c6d2393e486214373f0

SHA256
a46885e6e24e9a295dd626cd855c169f76539b0545176ea50a1c23b4dd6a7b67

SHA512
508f60b7dda2e77a51da8451f20162b566e27b193c333280439e2d6980d0a8709898f8f40bc99e73061928c7af3b6c1ba383d464251424e96c663d6308a9cc5a

Download Submit
/data/user/0/blush.wrong.slice/shared_prefs/config.xml

MD5
7f10d75409d7bb5dbaddbe32f9d3fcba

SHA1
1e09fb2ddfc6dc800edcea56a3dcb07442570743

SHA256
406d701c1d06cc3c389bd3e8110721db0c17fed7586338faaca151314616d60e

SHA512
04688ae72b57b799b496abce2b0c3b73f24192b2ac83636c702e6f8e144cb53e94b49abe0a38c74b3b1de93043806bb8b8190d90628fda66311f19a229cf53c3

Download Submit