teabot | ddabe5999dbc9ffbc8b804a7ea6bb61415bc88e346b2d2c0d53bfff9dcc88d32

Analysis

max time kernel
1962921s
max time network
170s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
25-09-2022 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDABE5999DBC9FFBC8B804A7EA6BB61415BC88E346B2D2C0D53BFFF9DCC88D32.apk
Size

4.0MB
MD5

23e49cc28a5feeed4b9e362aa43e158a
SHA1

dede2bbf3c768f425f8aa33e4cc84b54d2c420de
SHA256

ddabe5999dbc9ffbc8b804a7ea6bb61415bc88e346b2d2c0d53bfff9dcc88d32
SHA512

cd823991e244861ab11d9157406e2a8fc10d0818670524766a1b26090848b2ad269aa3e9e305bcb79672c609486818a2eb4c63258835aa5e0c845696aa70c678
SSDEEP

98304:znWe8B4SyAR3u9E48GT3WC9ricWgyqTG+IicpcpYUBvBON:T829GmE4T59ricWgDTGjn/UBvU

Score

10^/10

teabot banker evasion infostealer trojan

Malware Config

Extracted

Family

teabot

http://51.38.166.153:80/api/

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.rmowa.wpamz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.rmowa.wpamz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.rmowa.wpamz

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.rmowa.wpamz

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.rmowa.wpamz
Acquires the wake lock. 1 IoCs

Processes:

com.rmowa.wpamz

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.rmowa.wpamz
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.rmowa.wpamz

ioc pid process

/data/user/0/com.rmowa.wpamz/8HygUgkfUy/iFUggghjjuyIgyj/base.apk.GgypFja1.Ugu 4376 com.rmowa.wpamz
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.rmowa.wpamz

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.rmowa.wpamz
Removes a system notification. 1 IoCs
evasion

Processes:

com.rmowa.wpamz

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.rmowa.wpamz

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.rmowa.wpamz

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.rmowa.wpamz

ioc	pid	process
/data/user/0/com.rmowa.wpamz/8HygUgkfUy/iFUggghjjuyIgyj/base.apk.GgypFja1.Ugu	4376	com.rmowa.wpamz

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.rmowa.wpamz

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.rmowa.wpamz

com.rmowa.wpamz
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.rmowa.wpamz/8HygUgkfUy/iFUggghjjuyIgyj/HphfIUgT.g67u
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/8HygUgkfUy/iFUggghjjuyIgyj/base.apk.GgypFja1.Ugu
Filesize
707KB

MD5
355ac6087b40114924d0b89ce61fd9e0

SHA1
8c38ad50b852386962bb62622b091a5dca4586a5

SHA256
ca07ea8d0edea883be2297d1174b8046a3451619c9b78237975ddc58afdcff5a

SHA512
324521cfda04164249cb92151f5236dc3c9c1e41bdd0f4fe836d478ae5379a8ec843861c4cda6b99807635c0ce198c5f61fe9846154eb8b2d2f43fa77364c7e0

Download Submit
/data/user/0/com.rmowa.wpamz/8HygUgkfUy/iFUggghjjuyIgyj/tmp-base.apk.GgypFja8762824108947421678.Ugu
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/.com.google.Chrome.sjmvgw
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/GPUCache/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/GPUCache/index-dir/temp-index
Filesize
96B

MD5
2bd7182c80916fff3a4b4851422e1add

SHA1
95329fd8453880a8c9f27730a8eca7347463a13f

SHA256
8a6029c2c2130594db9d3dc7839340910f6ce970c279a1e7fef808e7975c58ae

SHA512
fd5922399d57897f259f1c1b8c19ee47d34906862afb1ed041abf644c3b2870f87b013488187832d5b6d142f8562caf95649df743d3b37e29a5af530cc0cd9b8

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Session Storage/000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Session Storage/000003.log
Filesize
61B

MD5
9f7eadc15e13d0608b4e4d590499ae2e

SHA1
afb27f5c20b117031328e12dd3111a7681ff8db5

SHA256
5c3a5b578ab9fe853ead7040bc161929ea4f6902073ba2b8bb84487622b98923

SHA512
88455784c705f565c70fa0a549c54e2492976e14643e9dd0a8e58c560d003914313df483f096bd33ec718aeec7667b8de063a73627aa3436ba6e7e562e565b3f

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Session Storage/LOCK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Session Storage/LOG
Filesize
127B

MD5
328ac4fd8c227745517964ca3527b94d

SHA1
2e33fcd6e3658fb43b04cd5d8c84e0e8c5fae715

SHA256
6cd2a9aa6fcf9f070e9f631f1f52cd41f916fac2220090dda1855ad974a5b7e6

SHA512
5f0800e9a00142476ad538ce634cc3d7560e0afd11aaad153eefaba4c35a96c428a0ad59d122cecec0652fcd5e9486fc4bfa99e981e610de1ab03a6d5c003753

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Session Storage/MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Web Data
Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/Default/Web Data-journal
Filesize
2KB

MD5
2cf6a3fb03325088f225ac69c14f07d0

SHA1
7eeb887b8d0bff976bf020b954223b992db292b4

SHA256
a746f12f3c13cf56a8c5af1502a7e1caec391c6fefa7142364f2daa38d93f4fa

SHA512
9c658420a0db50dc005d3ce94dccf18f3ad8025ec8ad7f1e032f230d451721c5f37f27c3b093ac0ce9b56d653ebf38a52b37db3541703c7d147f149293181647

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/variations_seed_new
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/variations_stamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.rmowa.wpamz/app_webview/webview_data.lock
Filesize
21B

MD5
b7a1faa247f9163a9f49212b200325e8

SHA1
20ea64b20e087aa4002d3e0868463e4122a24bf7

SHA256
0b58c9fc57a60d5ece4b0162d93f3b42f7abc33316eb6e3dae9a8fec6290c5e9

SHA512
10e4f56b3654d5d8cb503dcc4c8e874cdbb0cdce83c5cbb22d3ee17b79c1b6b7a0d06d9092c51300567c0e5281272175e228aa1332a5a26aabbdc0fa1e8088fc

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/Crashpad/settings.dat
Filesize
40B

MD5
1baf85aad9173c7c95bc7065f47beb8c

SHA1
0f7135bfb5f6714c920daa30bfe02e74ffa0d6c0

SHA256
9bef7ed54633d1ce6fcca4af10c2607d1798b8e5b51a28d1b8d6af4512a8196a

SHA512
a3254bac3d1688022ba118256f673a5cf34b2592eb9e85dc7838689da454e69b1f9a05628c6f7cb08ab04c4d709266a84727cf3a7dc0a88e4deb37199de3a019

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/Default/HTTP Cache/Code Cache/js/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
Filesize
96B

MD5
2abd1dbdc40f17ac9cd07932bb33238f

SHA1
64c270c8decda7b9fc8547154dc8eb0d0a5c7227

SHA256
5a3695888f0c2e44f10e8c6d54cc19befb21da10495b09f8a81981ce489c000e

SHA512
7c8f73fca253b5fd26ba29110063be01065d5b8571a6f72b7a3e2a9a69b8177c8ec76bcf73a86d581727c90ce5605dbf44592bbbfb7590e5a7985c770e0b0b45

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
Filesize
96B

MD5
e16f0ecb6c4d59713eb8442b4e0d14fd

SHA1
414b7b1d61ecc2278365d587172f7a061d6c2c91

SHA256
6536667724288461703029d2cb92673b78ecb2d5392f6c00bee30bcc6f985b1b

SHA512
05df2e570bf47efe4cad0b900b7160f92460397f4daac14cc787ece59bf4bcdd386f098d7a2400cfd8d10d38e21c5c0514bf2fff605620143eeaa074a746fe77

Download Submit
/data/user/0/com.rmowa.wpamz/cache/WebView/font_unique_name_table.pb
Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.rmowa.wpamz/shared_prefs/WebViewChromiumPrefs.xml
Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.rmowa.wpamz/shared_prefs/multidex.version.xml
Filesize
307B

MD5
c382ddf535005d5b0fd72f69f630a111

SHA1
32804b8ba51e9b3a9ee3a23b193a307a675d8b94

SHA256
7497503927308e7aa2bff6640f5a982c030ecca539d380b1fd59601608ac77fa

SHA512
82d9d419fe7d3398ba934faaeafe1c4634d7a2538e85e4d7a8fae7722bac69f4506a193d38260312c5acccf8ec30f50757a28ab579b6b7a373772412cd604863

Download Submit