Malware Analysis Report

2025-01-19 05:32

Sample ID: 220630-fvqqnagaep
Target: cryptoapp.apk
SHA256: b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490
Tags: malibot banker infostealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490
Threat Level: Known bad

The file cryptoapp.apk was found to be: Known bad.

Malicious Activity Summary

Tags: malibot banker infostealer trojan

Signatures:
  malibot
  Makes use of the framework's Accessibility service.
  Requests dangerous framework permissions
  Acquires the wake lock.
  Looks up external IP address via web service

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-30 05:11

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-30 05:11
Reported: 2022-06-30 05:14
Platform: android-x86-arm-20220621-en
Max time kernel: 3003670s
Max time network: 154s

Command Line

werwerwee.qwetrydsf.yfdefes

Signatures

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Processes

werwerwee.qwetrydsf.yfdefes

Network

Country | Destination | Domain | Proto
NL | 142.250.179.142:443 | - | tcp
NL | 142.250.179.195:443 | - | tcp
NL | 216.58.208.99:443 | - | tcp
NL | 142.250.179.195:443 | - | tcp
NL | 142.250.179.195:443 | - | tcp
US | 1.1.1.1:853 | - | tcp
US | 1.1.1.1:853 | - | tcp
NL | 142.251.39.98:443 | - | tcp
NL | 142.251.39.104:443 | - | tcp
NL | 142.250.179.142:443 | - | udp
NL | 216.58.214.2:443 | - | tcp
US | 104.18.115.97:443 | icanhazip.com | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
NL | 172.217.168.232:443 | - | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
NL | 216.58.208.110:443 | - | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp

Files

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 20837fd8daf2a2de8d6c4ccd8e90653a
SHA1 7ac08617bd4585151c239325aea243d9eca586f7
SHA256 e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec
SHA512 a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 5cb0f79f329d68334f33e63750d88a49
SHA1 85428f62ef95c797f08ec410ba4fe84c91e817d1
SHA256 d79335b3b09224ffbb05b0a7d45d12d4bc1f2e7bd9263a7e5377fe3c1bc3604b
SHA512 039caa2de53e409b5b0db890149a612fc84bb726c9479aee85027838607d062feb6894fb0e24a2eb400b3917989ebf644153ad4fe83b0bd4632d74d3dac1569d

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-30 05:11
Reported: 2022-06-30 05:15
Platform: android-x64-20220621-en
Max time network: 161s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
NL | 142.251.39.98:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:853 | - | tcp
US | 1.1.1.1:853 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 142.251.36.14:443 | - | udp
NL | 142.251.36.40:443 | - | tcp
NL | 172.217.168.238:443 | - | tcp
NL | 142.250.179.170:443 | - | tcp
NL | 142.250.179.131:443 | - | tcp
NL | 142.250.179.170:443 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 142.251.36.42:443 | - | tcp
US | 1.1.1.1:853 | - | tcp
US | 1.1.1.1:853 | - | tcp
NL | 172.217.168.238:443 | - | tcp
NL | 142.251.36.10:443 | - | tcp
NL | 172.217.168.238:443 | - | tcp
US | 1.1.1.1:853 | - | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2022-06-30 05:11
Reported: 2022-06-30 05:14
Platform: android-x64-arm64-20220621-en
Max time kernel: 3003673s
Max time network: 164s

Command Line

werwerwee.qwetrydsf.yfdefes

Signatures

malibot (tags: infostealer trojan banker malibot)

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Processes

werwerwee.qwetrydsf.yfdefes

Network

Country | Destination | Domain | Proto
NL | 142.250.179.195:443 | - | tcp
US | 1.1.1.1:853 | - | tcp
US | 1.1.1.1:853 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
NL | 216.58.214.2:443 | - | tcp
NL | 142.250.179.134:443 | - | tcp
NL | 142.251.39.104:443 | - | tcp
NL | 142.250.179.138:443 | - | tcp
NL | 172.217.168.194:443 | - | tcp
NL | 142.250.179.138:443 | - | tcp
NL | 142.251.36.35:443 | - | tcp
NL | 142.250.179.138:443 | - | tcp
US | 104.18.115.97:443 | icanhazip.com | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
RU | 5.101.0.44:443 | xireycicin.xyz | tcp
NL | 142.251.36.40:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
NL | 172.217.168.238:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
US | 1.1.1.1:853 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
NL | 142.250.179.170:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
US | 1.1.1.1:853 | - | tcp
NL | 216.58.214.4:443 | - | udp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
NL | 216.58.208.106:443 | - | tcp
NL | 142.250.179.138:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp
RU | 5.101.0.44:443 | - | tcp

Files

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 20837fd8daf2a2de8d6c4ccd8e90653a
SHA1 7ac08617bd4585151c239325aea243d9eca586f7
SHA256 e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec
SHA512 a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40629fd218a1921144fccde51155abc1
SHA1 259981316f38f3b538443eac60839b8b0268c774
SHA256 edc51de6ea378118e3aee11c10db88b84059deeaaed9434cfe4154d73b149306
SHA512 013143b1efeca433127b20ae5ff045259ff19ce90729a66c218921d825293038747f5251043fd511533263eddb8f7ada758b75f62981044da872e2e5322b0943

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.device.prefs.xml

MD5 3c16cb4832deadb43a96abc38eb13af4
SHA1 7bcd9e314b0c3eae16aabe46a3aba681c5c516f9
SHA256 3f0ed1762d4f00d55093d9f6244be7cdf0298e5fde7e090421a2e66f2302ca91
SHA512 296f96a5b57add3dafc8d8b0eeb0333ff79497ac8451ce97d37ed7e72e88e01e6c65b5779c812bbedc7f956125fc734a38852c01727e0274adba27d2a5890007

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40e6801daac7f1acd559c527a34cdf6d
SHA1 832ac9144f5b1d76b309c0228e63d0878e8a8f7d
SHA256 a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5
SHA512 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db

MD5 7b871ca00b8bd1ca218ac0bd2e3d9c92
SHA1 9e6399c04781b15d9f37684aeca03a7e353a9d85
SHA256 18eb86ff1e51ccc7ddc3fac1d986d012e891abf133e041dd467d18c0a55d732c
SHA512 518806fd0b424fd4a655223c272279770b3a2691e6b0e7fa132ee6518ed0f5933db6bc578195b33ba8c63bc3549b7ba0a1d2840d32ae76957e37e0e7de09a2d3

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db-journal

MD5 ee5c6bc438210ab23ad69ea7ceb473cd
SHA1 4a872eff294ce4dfcb6eaaeda67a4448a3a482a9
SHA256 1aa936681cd790051e7be0cfa7ceee6431a950b63119b37c88f96b5828678b26
SHA512 3558b6b1514317944d8440ac2be7eea351e3a9d2fa6bfdf16fb5c0884c11574d4b2e1bbe993a5d69e893aa69d7da4efbdec727dc490a361fdcfbc9e1fc027617

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 a44c2fb81476599162792952dc18e93d
SHA1 8b2dd43570ac7ccda7648c90f13788c1d507e51c
SHA256 8f27506efdf280d6a67f8cd3fd10307cc597e7dd40315f0cb100b171e432b0a7
SHA512 fe17a9cb751a4c4c7185e178b66a91e1113e4bddaa49429a0d36e1e2137a08d0bd8ec5531602debd1ae6e48a8e7a468d5b6ed47d8122608f755809d4b13f1734

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.managedusers.prefs.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/werwerwee.qwetrydsf.yfdefes/files/downgrade_schema.json

MD5 70435833064f71228d8d001901b56873
SHA1 2d68b64360bb323366fadab675f387c74b42a23a
SHA256 73353cdbb7fbf2ee224948f35a950ad7bbaad5269b59471e690b34988ecc19e2
SHA512 fb7642c1c01aeacc3d5748b8be977ef272e7e9325cfd9e64b8638d4be84ff030cab8483a92ea677ffc246223df81e4b2c544e121943ac9acc8e79b6255b5b55a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40e6801daac7f1acd559c527a34cdf6d
SHA1 832ac9144f5b1d76b309c0228e63d0878e8a8f7d
SHA256 a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5
SHA512 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db

MD5 161523450a470330265bf8ff98f2ded8
SHA1 e29137d1e367fda458d5c7946e600f8b60d97dde
SHA256 d33d965849bb902629f7b983873b83b624c2de8a58f502ab373596f32ab18982
SHA512 dd5cb932ddd500b65d9731395637ec65c403668402eb84d110b4043473f155cc0d1d23d3a3d6ede5387cc2dd0e621609afa475cea13ae222bbf16bd62a340794

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db-journal

MD5 a27db5a03d599a9c179e085e955e8209
SHA1 afe84e1d4e05f8dd86a3914cad7b62d2775fd59d
SHA256 1aa450ef9011e3c4f50b0dca541091312d67d45ad6f26b489d3e28edaea91d38
SHA512 2a5411508951b507402ab4442575ff7bf49e2384c4287751a55bbb957314b2aa987e3545494c9ed7e2e250ea85ebf2c3fc38b5f752213e6206cd8cda75403978

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db

MD5 0678e6e6b1f4348088d4da865feed17f
SHA1 bb776ff575af7d93e0d673a42a23072e74e06956
SHA256 1620d357c5776920f359a8791327d4bb155107ee0b7278ebf8cd810595376d8b
SHA512 77b3dac14800fcfb6af4822ec77b0f85db66c626d72463e405fbfe5b90ae99a4a9096a877a08ccd5494e07d4c86e08be0ce9cf3d86af87445f7380e5730602de

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db-journal

MD5 a230198b1881635662cb309e3bc26509
SHA1 9037db35676c2aab7eeb47a71cf354c6b3fe03bc
SHA256 b3cc355d793022993bc700f1913d1a7bbe173e1aa86841207320f4e9320d8ff3
SHA512 e5290b59540852474e13f54f98c541933444a7f6840e1e0fce296536b8a9901f2dcbb5a228002d12d2e946d01f0c65353680e4ca77ee9c56afc0902f4e9c2fdc