malibot | bfa9a861d953247eea496f4a587f59e9ee847e47a68c67a4946a927c37b042c4

Analysis

max time kernel
2244440s
max time network
164s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
21-06-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfa9a861d953247eea496f4a587f59e9ee847e47a68c67a4946a927c37b042c4.apk
Size

4.6MB
MD5

f418c75d5a0eb0186f5111770180e6dd
SHA1

f098f8a8f7a195e2c16dc2127e74237a65dbf024
SHA256

bfa9a861d953247eea496f4a587f59e9ee847e47a68c67a4946a927c37b042c4
SHA512

eb78728d813583a0b74e3ba1226dea8935cd4659f8a88e273f4dd16466a7449f1b2d9eed58faa90496745eb57644e699d8c332bfb4a632530ea40f9490007fd1

Score

10^/10

malibot banker evasion infostealer trojan

Malware Config

Signatures

Malibot payload 2 IoCs

resource	yara_rule
behavioral1/memory/5111-0.dex	family_malibot
behavioral1/memory/5075-0.dex	family_malibot

malibot
Malibot is an Android banking malware with the ability to bypass 2FA/MFA codes.
infostealer trojan banker malibot

Makes use of the framework's Accessibility service. 1 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.vvozewzes.zbggimdsu

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.vvozewzes.zbggimdsu

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU	5111	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/oat/x86/base.apk.w88gItg1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU	5075	com.vvozewzes.zbggimdsu

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	icanhazip.com
61	icanhazip.com

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.vvozewzes.zbggimdsu

com.vvozewzes.zbggimdsu
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5075
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/oat/x86/base.apk.w88gItg1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5111

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.vvozewzes.zbggimdsu/app_webview/Cookies

Filesize
64KB

MD5
cb7543c4df600f2af58097cce0e334ba

SHA1
83cc92f38c27fdb4fa519b1ce2f37912f24af1f0

SHA256
64c022ae708f94ffde986e105d88f708884de325720bfb9925c4160a6d417233

SHA512
ad51cad0472327bd68aa2d791341cfafed58971752352537bb603ed18b15a3f9185e9150983a28ecd09606e8dcaef6d1c9d93213dd246ef7720f39842eb3d980

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/Cookies-journal

Filesize
1KB

MD5
a46cc201f387055c319dc19510f3c1c8

SHA1
ba6883a1ce54039b54b2dff0541afae077e2c95b

SHA256
5935b71396de0d39a190b747e78983ab56841d014d028424cd5441cac369a77d

SHA512
c21a4a41059f94101eec775318b6c659fa2e298a509b3e62a33563fa1fa9f0619a9054a615080b15bd226c54d254022e6666306d1c65ae81c87ab7f79272a8ab

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
d34a636b071da3e3af0a781fb59f7783

SHA1
ad19348694d0229e214f1fd93b98a1284650fb1c

SHA256
8226d59138a54b97f63f9d1a737a66f618c2b3ed3961043c8084c4c9256965fc

SHA512
809e903c393431e2f313bc8596ee32f943394a2f82c755c73aba8a79030959b28008c5f28cdcc7bf16cb3e608eed946a1d238448dbaa751757e8ccda6138513c

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/Web Data-journal

Filesize
1KB

MD5
76bb6b3d90791d354cc876f8b309e135

SHA1
c15d19ef622ae34ed0c5d5256d521108f3dcf3fe

SHA256
dd234365a381c517bccfa22d10fb6bd38955bd6e93da5276e81c8f55102b2f8f

SHA512
be8946dcaf3980b3f675012e100c83f24c40c513b12c3df6e7b9dc241e7d53d0d8b31e994fbf1bc90e2ee90e4c6fd5de85d5c7648eb1363ad2d5a338b0d5a1f3

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/app_webview/metrics_guid

Filesize
36B

MD5
35390f9584a003ec8a125d74f4682847

SHA1
dd61aba0cb23067501f209f94aae22b206f8a25b

SHA256
dd9944602a167f89d31e52249dbb74e87a0800f6ddd7c5348f21a34e94d0b4c3

SHA512
138939cb47f1776c9fa032484656eb9a4abf157c8e2cb51d92f939e62bc586207ff0525dd271eb3e8a2bea1d30f40345560ecb29fac4f1b601ffa7ddf9a19d00

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/01131ca22f15e68b_0

Filesize
849B

MD5
687dffe7c007f2ebd316766eb000f759

SHA1
f5a74adb1b0745954b7d6d3f2e28617ff1f8d7be

SHA256
9693171332512a471a81a482d2b94cd9bc32f977ba1ef91e45a28356b2212fc0

SHA512
5d800fd7f5937e5433522c8d044b18886417fb6c016e76aa650243b7b8007031e61c2507bd2a39d67cb088c6556c74e23d1667f3f90276fa7c8f9ede1baa7822

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/01131ca22f15e68b_0

Filesize
849B

MD5
8f98bf5a7e8f9779c4807fad4b5fcfaa

SHA1
deb5ab4aa974568c29bae1ab8ceafa050083cfe3

SHA256
0aa498d68501a51f4f5224ff72cde5cf27b661217262937ed8d0c100f1a7ed8c

SHA512
d476a5383796290129d6b3526f2064821f096571b713cfcc60159f411b5575eff15337f04852a5e43492a7a18223e5cf575856830d26d4c44cee8476a31520ae

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/01131ca22f15e68b_0

Filesize
849B

MD5
926e41d37bff64bc072aabdd4cba70ab

SHA1
897aa4dad5ab6208b091cc99d3fd7972dd46ae6d

SHA256
db577923b1ec0230c0145ca1ed51e6ddb9b31a41342759c34e8f88841e872b97

SHA512
77092b02c22788d73cf4b272e9b9460de8b94070e88e534efecc6387657c901234052b372267f7615b0894f53004b5adc66aeebe22e6bd30f81071744e91e4c8

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/08ee17bc8fab8361_0

Filesize
875B

MD5
30b638f2a8e630c24a8536d310a89725

SHA1
d4a290a94afd2c410471a4301095bc8360511ff9

SHA256
0c19c87a4308ead7e02dc6d012e578b93ce1837631bd3c88216836796863dad2

SHA512
524b56b5afb9311518db407f7b7c44500ccd4f74c14b061335ba9f0d1b6aad779fb7c6fa96c09ea2b3b95f0a471bedbce6b26b5f8fe4da4c9452c775c41158c8

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/0b7a414563fb2785_0

Filesize
880B

MD5
a188acf7eb56d3fd3b9aca2fe6566c00

SHA1
95106fa62b02fdd97b5cbbf5e946dd185c77e76e

SHA256
b98808ef5ffefc1d563a4e39ec7a32d4e77f2adf1d8dfe711684023f4a82de46

SHA512
c1d07f458187575647c08a67826e42912a6f62575e23f9f97a5dd89db5e48b3d8617ae9d083eeee1ed4db7f050a96053b0f1a1bfef1a90d4d371dc1746db867e

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/dcc98a8a8de22298_0

Filesize
876B

MD5
4c05ff2118d28c5105d93e039158cbaa

SHA1
d9fadb1b931a92f91def4b2280e0d84bf453642d

SHA256
823ed9566363d46f98d10c82e8d43d49d14a6c8413ce1ff240530f5b662e8b52

SHA512
fe6fb198f21d49b98ab7dd4e54a4ffe6223c447e04254edb237a320aeb2fc643a0f33c1aa1054716ba2334f483883739254a8db9b02fde7bccda70a0fbbda617

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/index-dir/temp-index

Filesize
48B

MD5
2a0e58f3f28231492b5cb967350273de

SHA1
f7bb1bf7af1fdc17f5d89b376e2127c7b4315712

SHA256
b9b65659d203228762c3128a4df83b786820cff133229c9dfd271ef769c1d59e

SHA512
9cf98e2dc0ca1ae67e20a609b021b795d81b4fa7a8750f3b1131e88e61d6e773b8f6f95b675471b87004501ab4dbf4703becc3bcc7d0dd1bf894ba1b089dcd9e

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/cache/org.chromium.android_webview/index-dir/temp-index

Filesize
144B

MD5
96e16c2fdae15abc2a565bffe4843d13

SHA1
aaf5fff2e09a236e970d41dc756f663dd412cc42

SHA256
8fa6f27d9b351fa0631f08d1171570945f4527148ac8b6715e5b83003d2bdbda

SHA512
eced707c8442c96bc17a187d69cf089e0a3cf41260d2640d312650fb4f293821682f32c1c11c39fdaca25da4309013283203414632a5bcaa637f5846243126b5

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU

Filesize
1.6MB

MD5
66ead0ba8ba7c2bf62bf986952693ccf

SHA1
6c2b4441b156184b3ddfdb198533366adf839d03

SHA256
f0fdc7446601a01cd48fb323d3c6c23c51c1c862bf29a96dfccce9f894636f0c

SHA512
f54cae87006cd9dcf4f69f9ff6efcbfe774f0b759e518488297a6e00c2821c0da46646852d18ce4f009ee3cdd7352133e367a08c0cf9508937938ccea9f5e97c

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/httkGtUgfI/HUgItyj7It7Gauf/base.apk.w88gItg1.pUU

Filesize
1.6MB

MD5
4b3be813c34424efcad30d504494195d

SHA1
abeedbd2027a0665d6bd4aa5183c1e6b1cc8eea0

SHA256
775f33a8982d6cd926c7caa95c7d11f497e9e7c3b389914f7812a1c2ded58938

SHA512
33f42ab3e8286682117a75216bfa34b22371805a8a902caaaf77d73fc3e89347f0a382e3de3c73803978f8ea5830f92b219c95cc553485a3e636c2be8520f2c1

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/shared_prefs/com.android.launcher3.prefs.xml

Filesize
128B

MD5
20837fd8daf2a2de8d6c4ccd8e90653a

SHA1
7ac08617bd4585151c239325aea243d9eca586f7

SHA256
e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec

SHA512
a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a

Download Submit
/data/user/0/com.vvozewzes.zbggimdsu/shared_prefs/multidex.version.xml

Filesize
305B

MD5
88fbfec9c637691acb224fe9f2e7d168

SHA1
c11bfbdb7b7c625288e4af422609d2008516e376

SHA256
452e3a5380b3f1b30180a9443e078db02ab9e8d377941114474144977883aedf

SHA512
54a7f7497a4d08e1a9958f6eb25c5e834c75b671688ffc5e95f58abe0d63b242a749aeb5c96357f4d5cee556606c49ce291594ee928c6b7e3cbb852f4f754002

Download Submit