Resubmissions

07/03/2023, 23:25 UTC

230307-3d95ascb71 10

06/10/2022, 16:35 UTC

221006-t321jshhe8 10

12/08/2022, 07:35 UTC

220812-jen4nschf5 8

Analysis

  • max time kernel
    2921963s
  • max time network
    148s
  • platform
    android_x64
  • resource
    android-x64-arm64-20220823-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20220823-en, locale:en-us, os:android-11-x64, system
  • submitted
    06/10/2022, 16:35 UTC

General

  • Target

    7C805F51EE3B2994E742D73954E51D7C2C24C76455B0B9A1B44D61CB4E280502.apk

  • Size

    4.0MB

  • MD5

    74b8956dc35fd8a5eb2f7a5d313e60ca

  • SHA1

    322bfcfc2f2cfcfb759bc61b021a498c1955937b

  • SHA256

    7c805f51ee3b2994e742d73954e51d7c2c24c76455b0b9a1b44d61cb4e280502

  • SHA512

    772e0ae703b9cb3bb62c490366023026845aa80d793211dbc95606795659f88fa58e510ab1fdb129ee01159560ae071312c9de98cbcdbf574b015a791a0960ac

  • SSDEEP

    98304:zQEneeg1QRd7c43GVDssvvO9h9CwfLyEefawrQ:zQEnzg2RD2Vjgfzyzawk

Malware Config

Signatures

  • SOVA_v5 payload 1 IoCs
  • Sova

    Android banker first seen in July 2021.

  • Makes use of the framework's Accessibility service. 2 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Removes a system notification. 1 IoCs

Processes

  • com.bean.cousin
    1⤵
    • Makes use of the framework's Accessibility service.
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4588

Network

  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.251.36.40
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.168.206
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    satandemantenimiento.com
    Remote address:
    1.1.1.1:53
    Request
    satandemantenimiento.com
    IN A
  • flag-us
    DNS
    satandemantenimiento.com
    Remote address:
    1.1.1.1:53
    Request
    satandemantenimiento.com
    IN A
  • flag-us
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
    Response
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.170
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.10
    infinitedata-pa.googleapis.com
    IN A
    142.251.39.106
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.202
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.202
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.138
    infinitedata-pa.googleapis.com
    IN A
    216.58.208.106
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.42
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.234
  • flag-us
    DNS
    icanhazip.com
    Remote address:
    1.1.1.1:53
    Request
    icanhazip.com
    IN A
    Response
    icanhazip.com
    IN A
    104.18.114.97
    icanhazip.com
    IN A
    104.18.115.97
  • flag-us
    GET
    https://icanhazip.com/
    Remote address:
    104.18.114.97:443
    Request
    GET / HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: icanhazip.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Thu, 06 Oct 2022 16:36:18 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=7mQUwSHBgawR4Oiq_1jaqEQKuMt1AWGI8e6jsSktB1I-1665074178-0-Af2eQ/0EGA9DDWOLgH8bxizfK5kgGFEItxZfb2GmxqBa0wXBsqGYgkLeRtCsz4sju6i9CxPvL3DXm5NBGsbrSfM=; path=/; expires=Thu, 06-Oct-22 17:06:18 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 755fd0b25880b791-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    GET
    https://icanhazip.com/
    Remote address:
    104.18.114.97:443
    Request
    GET / HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: icanhazip.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Thu, 06 Oct 2022 16:36:48 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=pRf8HcHMONQZu9XeBzcutbED3tf1IqWaxci6YTo1XRs-1665074208-0-AcvPGAOo3TOw6nHmMe2txLxWAsSuLeocI6FmNp3hIXNLbO109czjvUQzVgHa87IyD3oSSe0hlDPgz6ecFGq2O6s=; path=/; expires=Thu, 06-Oct-22 17:06:48 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 755fd169ae71b791-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • flag-us
    DNS
    satandemantenimiento.com
    Remote address:
    1.1.1.1:53
    Request
    satandemantenimiento.com
    IN A
    Response
  • flag-us
    DNS
    satandemantenimiento.com
    Remote address:
    1.1.1.1:53
    Request
    satandemantenimiento.com
    IN A
  • flag-us
    DNS
    satandemantenimiento.com
    Remote address:
    1.1.1.1:53
    Request
    satandemantenimiento.com
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
    Response
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    wecrvtbyutrcewwretyntrverfd.xyz
    Remote address:
    1.1.1.1:53
    Request
    wecrvtbyutrcewwretyntrverfd.xyz
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Thu, 06 Oct 2022 16:37:08 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 323
    Access-Control-Allow-Origin: *
    X-Ttl: 59
    X-Rl: 43
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Thu, 06 Oct 2022 16:37:37 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 323
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    GET
    http://ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: ip-api.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Thu, 06 Oct 2022 16:38:08 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 323
    Access-Control-Allow-Origin: *
    X-Ttl: 59
    X-Rl: 43
  • 142.250.186.174:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.186.174:443
    android.apis.google.com
    tls
    999 B
    4.6kB
    8
    6
  • 142.251.36.10:443
    520 B
    10
  • 142.251.36.40:443
    ssl.google-analytics.com
    tls
    1.2kB
    5.8kB
    7
    6
  • 172.217.168.206:443
    android.apis.google.com
    tls
    5.3kB
    9.3kB
    21
    20
  • 104.18.114.97:443
    https://icanhazip.com/
    tls, http
    1.3kB
    5.0kB
    9
    8

    HTTP Request

    GET https://icanhazip.com/

    HTTP Response

    200

    HTTP Request

    GET https://icanhazip.com/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json
    http
    841 B
    1.7kB
    8
    4

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200

    HTTP Request

    GET http://ip-api.com/json

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    152 B
    2

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Request

    infinitedata-pa.googleapis.com

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.251.36.40

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.168.206

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

  • 1.1.1.1:53
    satandemantenimiento.com
    dns
    140 B
    2

    DNS Request

    satandemantenimiento.com

    DNS Request

    satandemantenimiento.com

  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    76 B
    220 B
    1
    1

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Response

    142.250.179.170
    142.251.36.10
    142.251.39.106
    142.250.179.202
    172.217.168.202
    142.250.179.138
    216.58.208.106
    142.251.36.42
    172.217.168.234

  • 1.1.1.1:53
    icanhazip.com
    dns
    59 B
    91 B
    1
    1

    DNS Request

    icanhazip.com

    DNS Response

    104.18.114.97
    104.18.115.97

  • 1.1.1.1:53
    satandemantenimiento.com
    dns
    70 B
    143 B
    1
    1

    DNS Request

    satandemantenimiento.com

  • 1.1.1.1:53
    satandemantenimiento.com
    dns
    140 B
    2

    DNS Request

    satandemantenimiento.com

    DNS Request

    satandemantenimiento.com

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    154 B
    2

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    154 B
    2

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    154 B
    2

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    154 B
    2

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    wecrvtbyutrcewwretyntrverfd.xyz
    dns
    154 B
    2

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

    DNS Request

    wecrvtbyutrcewwretyntrverfd.xyz

  • 1.1.1.1:53
    ip-api.com
    dns
    112 B
    2

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

  • 1.1.1.1:53
    ip-api.com
    dns
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json

    Filesize

    2.2MB

    MD5

    c9ea4a96385657ebb6555b6d4d5eca0c

    SHA1

    5bae7c22a1bc9d4d0410a9a2a66056ebe00a7e93

    SHA256

    11b1cbdef463227d288271c05101ed180109d372d68fc924c29db43bf518922b

    SHA512

    e42bbc1ab5dcea9d0c54ff9ebf71919e97ec8ea49793e05179414a95a034f9108b709cbc52fd25c8a6f1d48d249b9d0bb59bfcabdac4f4853d0177ab3fdfce8c

  • /data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json

    Filesize

    6.0MB

    MD5

    cb83525904c2bff0cb586d662c5fe2b9

    SHA1

    2d63ff2e85b34006a5517f85deb470ff48734df5

    SHA256

    acd7234022738f4e8499749de805c474879fea06de0d7ca066483d03e7ef02f5

    SHA512

    33eced5d3bead49bb238f08bac960044c7359262fdd58ab559cb38c47528859e24f8578e32743ba6a1630ce7e45497c9f99edb0b96c5c8fa6c0a4ca7fb15fd3e

  • /data/user/0/com.bean.cousin/no_backup/androidx.work.workdb

    Filesize

    8KB

    MD5

    e579a6b00eef1318f9166352228eba18

    SHA1

    76988896854f0139083e77862eea1a4846cf039f

    SHA256

    4b34cf505050facf47aa7936e4e7667e1969105665c632b3eefe7ecddf9a6935

    SHA512

    c47632e957d87727bf6504a82ca7a44d8da24d30cd997a0f449a96e4f97c656a1b4d9da3fcd827e2a48c59677688da0b872358ebd0f9369d898d1b8ec18d5699

  • /data/user/0/com.bean.cousin/no_backup/androidx.work.workdb-journal

    Filesize

    1KB

    MD5

    0f211a2a19c027667a5bde62036ca286

    SHA1

    8109d107090188f11bce8c6cb089202a36f52fbb

    SHA256

    b95a289c28139e950e3341997def3c9940257008bf43b6a3bb0a0a8aaa1f1c29

    SHA512

    39c54ab3b6a40548a60ff8cecc81c9fb0c62e4d7f8c2d57c5aa231290383f29af678a29065376834838c95c040dd46a269a1714e2bf2b0233a9ca43f3b5e4ca2

  • /data/user/0/com.bean.cousin/no_backup/androidx.work.workdb-shm

    Filesize

    16B

    MD5

    4ae71336e44bf9bf79d2752e234818a5

    SHA1

    e129f27c5103bc5cc44bcdf0a15e160d445066ff

    SHA256

    374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb

    SHA512

    0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

  • /data/user/0/com.bean.cousin/no_backup/androidx.work.workdb-wal

    Filesize

    458KB

    MD5

    8124e13692243b2e82ab912a6e1569b8

    SHA1

    130052eab5c53a76a586b603733e2dac80571451

    SHA256

    22c193374419014f97e360176c591f3680aabe4464f1aa4ed2dd13b2993fa714

    SHA512

    b643d2b28a4d6413dcd3aae6b011ab8ff3c3c3132679093eaf7f358b3a4d1575f59deda047b69a03f6d366c2ecfca39afa753da8dc77de992893b5fa5fe700f0
