Malware Analysis Report

2025-01-19 05:33

Sample ID 220812-ja8yaaadap
Target 3EB7EFA71648AE819F1BFF89399717805129487081E8261DD65BF596F2467054.apk
SHA256 3eb7efa71648ae819f1bff89399717805129487081e8261dd65bf596f2467054
Tags: malibot, banker, infostealer, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

3eb7efa71648ae819f1bff89399717805129487081e8261dd65bf596f2467054

Threat Level: Known bad

The file 3EB7EFA71648AE819F1BFF89399717805129487081E8261DD65BF596F2467054.apk was found to be: Known bad.

Malicious Activity Summary

malibot banker infostealer trojan

malibot

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-08-12 07:29

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
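The list above is the raw permission set; what makes it banker-shaped is the combinations. The following is an added example, not code from the sandbox or the report: it pulls android.permission.* names out of `aapt dump badging <apk>` output (or a decoded AndroidManifest.xml) and evaluates them as capability groups. RECEIVE_SMS matters together with SEND_SMS (read an OTP, forward it), and call control needs both PROCESS_OUTGOING_CALLS and CALL_PHONE. SAMPLE_AAPT is constructed to mirror the permissions listed in this static analysis.

```python
"""Evaluate an APK's declared permissions as capability combinations.

Added example; not code from the sandbox or the report. Input is the text of
`aapt dump badging <apk>` or a decoded AndroidManifest.xml; both carry the
full android.permission.* names, so one regex serves both. SAMPLE_AAPT is a
constructed stand-in built from the permissions the report lists.
"""
import re

PERM_RE = re.compile(r"android\.permission\.[A-Z0-9_]+")

# A capability is claimed only when every permission in its group is declared.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "call_control": {"android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE"},
    "storage_read": {"android.permission.READ_EXTERNAL_STORAGE"},
}


def extract_permissions(text: str) -> set:
    """Permission names found anywhere in aapt output or manifest XML."""
    return set(PERM_RE.findall(text))


def capabilities(perms: set) -> dict:
    """Map each capability to whether its whole permission group is present."""
    return {name: group <= perms for name, group in CAPABILITIES.items()}


def triage(text: str) -> dict:
    """SMS interception plus call control is the banker pattern; either alone is
    merely suspicious; none of the groups is unremarkable."""
    perms = extract_permissions(text)
    caps = capabilities(perms)
    if caps["sms_interception"] and caps["call_control"]:
        verdict = "banker-like"
    elif any(caps.values()):
        verdict = "suspicious"
    else:
        verdict = "unremarkable"
    return {"permissions": sorted(perms), "capabilities": caps, "verdict": verdict}


# Constructed sample: the lines `aapt dump badging` prints for this permission set.
SAMPLE_AAPT = """\
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.PROCESS_OUTGOING_CALLS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_AAPT), indent=2))
```

Declaring a permission is not the same as holding it: on Android 6 and later every permission in this list is a runtime permission the user must grant. The Accessibility service use recorded in behavioral3 below is the usual way Android bankers get past that dialog, so a static verdict of "banker-like" should be read together with the dynamic accessibility signature.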

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-12 07:29

Reported

2022-08-12 07:32

Platform

android-x86-arm-20220621-en

Max time network

183s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
NL 216.58.208.106:443 N/A tcp
NL 216.58.208.106:443 N/A tcp
NL 216.58.214.14:443 N/A tcp
NL 216.58.214.14:443 N/A tcp
NL 142.251.36.34:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.131:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:853 N/A tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-12 07:29

Reported

2022-08-12 07:32

Platform

android-x64-20220621-en

Max time network

170s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:853 N/A tcp
US 1.1.1.1:853 N/A tcp
NL 172.217.168.202:443 N/A tcp
NL 172.217.168.202:443 N/A tcp
NL 142.250.179.206:443 N/A tcp
NL 216.58.208.98:443 N/A tcp
NL 172.217.168.234:443 N/A tcp
NL 142.250.179.195:443 N/A tcp
NL 142.250.179.170:443 N/A tcp
NL 172.217.168.202:443 N/A tcp
NL 172.217.168.202:443 N/A tcp
US 1.1.1.1:853 N/A tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-08-12 07:29

Reported

2022-08-12 07:31

Platform

android-x64-arm64-20220621-en

Max time kernel

2432129s

Max time network

137s

Command Line

com.slhytrowb.wfxaicaiw

Signatures

malibot

infostealer trojan banker malibot

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.slhytrowb.wfxaicaiw/ihoftigt8f/ffkyffUhHfh8I89/base.apk.hkyhafI1.g8k N/A N/A
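The dropped file is named base.apk.hkyhafI1.g8k inside a randomly named subtree of the app's private data directory; the extension says nothing about what was loaded. The following added example (not code from the sandbox or the report) shows the two checks worth doing on such a file once pulled from the emulator: classify it by content (DEX magic, or a ZIP container that actually carries classes*.dex) rather than by name, and flag its location as outside the subdirectories a normal app populates. The byte strings it builds are constructed stand-ins, not the real payload.

```python
"""Identify a dropped Dex/Jar by content and by where it was written.

Added example; not the sandbox's or the report's code. DEX files begin with
"dex\\n" + a three-digit version + NUL; APK/JAR payloads are ZIP containers
(PK\\x03\\x04) and are only loadable as code if they hold a classes*.dex member.
build_sample_apk() fabricates such a container as a constructed stand-in for
base.apk.hkyhafI1.g8k, whose real bytes are not in the report.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

DEX_MAGIC = re.compile(rb"^dex\n(\d{3})\x00")
ZIP_MAGIC = b"PK\x03\x04"

# Subdirectories the Android framework and common libraries create under
# /data/user/0/<pkg>/ for any app; code dropped elsewhere is the anomaly.
APP_STD_DIRS = {"shared_prefs", "app_webview", "cache", "files", "databases",
                "code_cache", "lib", "no_backup"}


def classify_blob(data: bytes) -> str:
    """Return 'dex', 'apk/jar', 'zip' or 'unknown' for a dropped file's bytes."""
    if DEX_MAGIC.match(data):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        has_dex = any(re.fullmatch(r"classes\d*\.dex", n) for n in names)
        return "apk/jar" if has_dex else "zip"
    return "unknown"


def is_suspicious_code_location(path: str, package: str) -> bool:
    """True for a file under the package's private data dir that sits outside
    the standard subdirectories, as the ihoftigt8f/... tree above does."""
    p = PurePosixPath(path)
    root = PurePosixPath("/data/user/0") / package
    if root not in p.parents:
        return False
    return p.relative_to(root).parts[0] not in APP_STD_DIRS


def build_sample_apk(with_dex: bool = True) -> bytes:
    """Constructed ZIP; with_dex=True adds a minimal classes.dex member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_dex:
            z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
        else:
            z.writestr("assets/readme.txt", b"no code here")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = "com.slhytrowb.wfxaicaiw"
    dropped = f"/data/user/0/{pkg}/ihoftigt8f/ffkyffUhHfh8I89/base.apk.hkyhafI1.g8k"
    print(dropped)
    print("  content  :", classify_blob(build_sample_apk()))
    print("  location :", "suspicious" if is_suspicious_code_location(dropped, pkg) else "normal")
```

On a rooted emulator the file can be copied out with `adb shell run-as com.slhytrowb.wfxaicaiw cat <path>` redirected to the host, or with plain `adb pull` as root; run the classifier on the copy before handing it to a decompiler, because a `.g8k` that turns out to be an APK needs unpacking first, while a bare DEX does not.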

Processes

com.slhytrowb.wfxaicaiw

Network

Country Destination Domain Proto
NL 142.250.179.195:443 N/A tcp
NL 142.251.36.3:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:853 N/A tcp
US 1.1.1.1:853 N/A tcp
NL 142.250.179.138:443 N/A tcp
NL 142.250.179.138:443 N/A tcp
NL 142.250.179.138:443 N/A tcp
US 1.1.1.1:853 N/A tcp
US 1.1.1.1:853 N/A tcp
NL 142.251.39.104:443 N/A tcp
NL 172.217.168.206:443 N/A tcp
NL 172.217.168.206:443 N/A tcp

Files

/data/user/0/com.slhytrowb.wfxaicaiw/ihoftigt8f/ffkyffUhHfh8I89/g8yUt8ff.atdy

/data/user/0/com.slhytrowb.wfxaicaiw/ihoftigt8f/ffkyffUhHfh8I89/tmp-base.apk.hkyhafI8698955310780440046.g8k

/data/user/0/com.slhytrowb.wfxaicaiw/ihoftigt8f/ffkyffUhHfh8I89/base.apk.hkyhafI1.g8k

/data/user/0/com.slhytrowb.wfxaicaiw/shared_prefs/multidex.version.xml

/data/user/0/com.slhytrowb.wfxaicaiw/shared_prefs/com.android.launcher3.prefs.xml

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.slhytrowb.wfxaicaiw/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/webview_data.lock

MD5 f9e92622bcb81fbebdfc8210438a9c4a
SHA1 fe4a1de192fd6e6d7ac28be34c8a8cebe345ea78
SHA256 992576746433823b1cfe64625e7613f8966bb07381a7282cef028a843180e21e
SHA512 df01c8a921bf2b2682bb9f6c3e4fe17d36e44daedb1e9d0c987b691b09f30fc904a771374d05a88d426ef236c2768c17cbc8e191e0346fceae4c2b62123aa0ba

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/Web Data-journal

MD5 dac707e9efb928f642741b0cdfae19db
SHA1 45744ee80d0d26ef0545148cdb64a7254e5388d3
SHA256 82e9d1d0118889548d83acb59ab16474b43a31eb70a916c13f7af2488324328b
SHA512 5ab0a6414866a48c06193cf1b2e581b8d7b2f127368a2a3a8ca87cfbe41eacf7b0062b8ababc2a43051836f310547036bd91cd49bd24adcda9d5f103017eff57

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/GPUCache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/GPUCache/index-dir/temp-index

MD5 215ad83344251574110f825ebb2b3ff3
SHA1 ef32bfadad806ee51c88b9d183bba3349b5503ab
SHA256 3448b0463d0fd37ad59266cefb50ad16f74a8a7ec08df1b76606a6a78aa8df90
SHA512 4eebda868c38cb26a4f665a0caa5cce2fea52a462bd8c5709a14a44627e37933df5e91fb3d988f451af99ade86cd8b48c1fcba5b60e1204f26c8c57277d3f0b7

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/Cookies

MD5 dfb2098ca7b3bf16d6f5f1e7d3839af5
SHA1 ebb7a8bc886062d77a4092bd306b77a0ce7a3e9d
SHA256 e4119d32577d7fc63b267cc23eb7a9bbfb12d238f23e08918c38838fe0181224
SHA512 fccec45399258eb98220b7f01b492a72b8b3d1254dec6e196e344d89a0376c6ee24534a31a6675c866d4a17256d3ac6823657eaf04e1d386757d0cbfc6597e50

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/Default/Cookies-journal

MD5 dd2eb5a4234d95a1bdc259c4a2c5175a
SHA1 4bfd4920301493c4c91569e27ee929a7960d7bc5
SHA256 71156098b1636ea4b0c6331297f7b74d80fcae0b9e010393e2652bf35abe92fe
SHA512 4e553672f6ccdbd75b7d29815a46f2f0cb41f23efb46a639a92ef89d2aff23515cc73cf3a35f0ce9cdfe36a27c92ab6143afcbf151964765aac507a36ac7c879

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 fa721ce295bb2015d3accd27e2b7233b
SHA1 e6cee45a331204f1f4f2d9fb5093a8c82e4f38b0
SHA256 f49768cc90962ce689ca90f09720a56be5aa6cbf8b5c3b7b5b7641126826d6f4
SHA512 bc16f4f00890559330be83291b01381440f80db587966670f1ad1555a2d302b54993463f8fa4955508020573089c18dcbe439e318934e42fa899713198c96099

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 770b6697db8be5c77349d07fcfe1d4c4
SHA1 b972c2a60170475ba21366edf33dba7f0bf60bf0
SHA256 e78b55fb262884ad657637e5d86931fb3b55874754cef452760eff602390c314
SHA512 d59086415fec22f339ce9390e185d3dbcef82ab395d22cd4602da60183fb66a352ee5af29d66b04f68f4af0ae7aa947798b67fdde1a274ba0ec0299b4b5123a0

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/fc82c67fb2a675f5_0

MD5 f9aa47cfc60edf0df6ecee46b0767538
SHA1 5da05c630f6a367dba3f7865b599f842cdd22274
SHA256 5a3509522297b9aeaf2a9cc62f126e4c1e486ce2fefb74e964254d039a8a5e95
SHA512 3d117bd29dc20ca597a98e0bcad53240a67264d5ded1e0d48a78fe9cdc3a4d4ee8079ea19f5d4f59d96ccc40812df9fc7160f0052080d85f24274e11ef660897

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/index-dir/temp-index

MD5 bd1dfd4cbf7dc5082d46b4eceaae626a
SHA1 ff35c07a41936ca21210cc6682312942ce32be69
SHA256 78415fe53cfba17b9c68027da8bd16bcea5ddd9a42bae8648140b2eee16075be
SHA512 0e4a1e14ffa637bc008ffc388b615568cdfbc097f9af9f6ae75bca0a6d64c28822003741976516e5c124e89c599ac4f1f34079f80fee4280f1903b4cb91f26b3

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Crashpad/settings.dat

MD5 dc96d5499764a4f602614eea98966e88
SHA1 8501ef7e261cd2d8c10c842b0e35f229b477b13c
SHA256 4d699784af7c99fb1a04b080dae8957ae0854a8d35af4d6ca9ec8a5edc91d251
SHA512 290910401d92d82649a14474261f14b3e4f13b617e330b7434905c4163fc9234fefb11d02514590b32a549dabd3120a59dccc09a8cb04c9368b5c264325b9062

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/2fa35442860d43fc_0

MD5 ca0c5821ae7912a675580872652adc8c
SHA1 5fc677ee0233d312237fb11f6e88d2b71896144f
SHA256 fa1e81aabc3cb9e37e34e026fe494848b5819bde99dad9369ff6f07eec956114
SHA512 b1ebb5bbc4ecf84315448390f50150d72b56f84f864544dedc7667166df72a54ae13aa7a9433f964ce9b4e8e5706b87900639cdddd3cabf3509403c1bb318b9b

/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/.com.google.Chrome.JCZ1Qs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/9083f7d8c2f97d68_0

MD5 7d278d7aed0f9e9e055ace29f4c35697
SHA1 21782b4d0af36882c2a9f0a8136992041153d476
SHA256 8d3a425e7697c3cf3a9fa6fbbcc582743920b140f43965d539f9ea284a4fb9e0
SHA512 f172b28b6ae14dabcef29bc3aa7c357fe309efb2f37093e2ca4a8dc06b9f6465626e14cc07883bbe1393fe530ac3abdd4f92d740b32fc25fe54882425e306a27

/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/index-dir/temp-index

MD5 fbddbd533d99c99d1ffb8cba95f93942
SHA1 ed295839360ea7c6474bfa1ac80460fdc5a64cb4
SHA256 5dd49918fd547fe279bc2a513c21911957864d234c971f046514d144630dc15c
SHA512 66db50af3e4ded749d18c5ff2746461986b2117a92b99606cc55fe7eeea6b95392aea40d140309d86ef3279f627f84010633c62801a5ffcb78726f4e7e6adc54
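Before any of the hashes or destinations in this report go into a blocklist, two things need checking. Several of the file hashes above (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...b855) are the digests of the empty file, and the rest belong to WebView/Chromium scaffolding the runtime creates for any app that embeds a WebView; the three files that matter, the dropped payload under ihoftigt8f/, have no hashes recorded at all. On the network side, every row in the three behavioral runs is DNS-over-TLS to 1.1.1.1:853, mDNS, a DNS lookup for a googleapis.com name, or a bare Google front-end address in the 142.250/142.251, 172.217 and 216.58 ranges; no command-and-control contact was observed in the sandbox. The following is an added example, not part of the report, that applies those checks to rows copied from the tables above.

```python
"""Separate usable indicators from sandbox noise in a report's artifact lists.

Added example; not the sandbox's or the report's code. hash_iocs() drops
empty-file digests, files with no recorded hash and WebView scaffolding, then
deduplicates what is left by SHA256. classify_endpoint() labels each network
row; anything it cannot attribute from the row itself is reported as needing
resolution rather than being guessed. SAMPLE_FILES / SAMPLE_ROWS are copied
from the report above.
"""
import hashlib
import ipaddress
from collections import defaultdict
from typing import Optional

EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Paths the Android WebView/Chromium runtime writes for any embedding app;
# their content is sandbox-specific, so their hashes do not identify the sample.
WEBVIEW_SCAFFOLD = ("/app_webview/", "/cache/WebView/", "/shared_prefs/WebViewChromiumPrefs.xml")

# Endpoints the emulator image itself talks to, independent of the sample.
KNOWN_BACKGROUND = {
    ("1.1.1.1", 853): "Android Private DNS (DoT) to Cloudflare",
    ("224.0.0.251", 5353): "mDNS multicast",
}


def hash_iocs(files: list) -> dict:
    """files: [{'path', 'md5', 'sha256'}, ...]; hash values may be None."""
    rejected, by_hash = [], defaultdict(list)
    for f in files:
        sha = f.get("sha256")
        if sha is None:
            rejected.append((f["path"], "no hash recorded"))
        elif sha == EMPTY_SHA256 or f.get("md5") == EMPTY_MD5:
            rejected.append((f["path"], "empty file"))
        elif any(marker in f["path"] for marker in WEBVIEW_SCAFFOLD):
            rejected.append((f["path"], "WebView scaffolding"))
        else:
            by_hash[sha].append(f["path"])
    usable = [{"sha256": h, "paths": paths} for h, paths in by_hash.items()]
    return {"usable": usable, "rejected": rejected}


def classify_endpoint(dest: str, domain: Optional[str]) -> str:
    """Label one 'Destination'/'Domain' pair from the report's network table."""
    ip, port = dest.rsplit(":", 1)
    port = int(port)
    if (ip, port) in KNOWN_BACKGROUND:
        return KNOWN_BACKGROUND[(ip, port)]
    if port == 53:
        return f"DNS query for {domain or '?'}"
    if domain and domain.endswith((".googleapis.com", ".google.com")):
        return "Google API/platform"
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_multicast or addr.is_loopback:
        return "local"
    return "unattributed: resolve/whois before treating as C2"


def network_summary(rows: list) -> dict:
    return {dest: classify_endpoint(dest, domain) for dest, domain in rows}


# Copied from the behavioral3 file list: the payload files carry no hashes, the
# WebView files do.
SAMPLE_FILES = [
    {"path": "/data/user/0/com.slhytrowb.wfxaicaiw/ihoftigt8f/ffkyffUhHfh8I89/base.apk.hkyhafI1.g8k",
     "md5": None, "sha256": None},
    {"path": "/data/user/0/com.slhytrowb.wfxaicaiw/app_webview/variations_seed_new",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"path": "/data/user/0/com.slhytrowb.wfxaicaiw/shared_prefs/WebViewChromiumPrefs.xml",
     "md5": "97ccd9a2b2063143df56b6937f961ca4",
     "sha256": "248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd"},
    {"path": "/data/user/0/com.slhytrowb.wfxaicaiw/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index",
     "md5": "6d7d499960179766cd4261d12dacc411",
     "sha256": "c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182"},
]

# Copied from the behavioral1 and behavioral3 network tables (None = empty Domain cell).
SAMPLE_ROWS = [
    ("216.58.208.106:443", None),
    ("1.1.1.1:53", "semanticlocation-pa.googleapis.com"),
    ("142.251.39.110:443", "android.apis.google.com"),
    ("1.1.1.1:853", None),
    ("224.0.0.251:5353", None),
]

if __name__ == "__main__":
    result = hash_iocs(SAMPLE_FILES)
    print("usable file IOCs:", result["usable"])
    for path, why in result["rejected"]:
        print("rejected:", why, "->", path)
    for dest, label in network_summary(SAMPLE_ROWS).items():
        print(f"{dest:24} {label}")
```

Run against this report the file-hash pass yields nothing usable: the only indicator that survives is the sample's own SHA256 at the top of the page. That is the expected outcome for a sandbox run of a packed dropper, and the right follow-up is to pull the ihoftigt8f/ payload from the emulator and hash it yourself rather than to block the WebView artifacts.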