sova

Resubmissions

09/03/2023, 12:51 UTC

230309-p3sdwsbd2x 10

24/01/2023, 13:11 UTC

230124-qe9hyadb3z 10

24/01/2023, 13:11 UTC

230124-qe3emabe74 7

16/01/2023, 15:02 UTC

230116-senmksgh58 10

16/01/2023, 14:58 UTC

230116-scnjsscg9v 10

Sharing

Copy URL

Twitter E-mail

General

Target

Video_Player.apk
Size

4.3MB
Sample

230116-scnjsscg9v
MD5

54013894dcaf20181b2ca431bb9d0575
SHA1

6cb71982ce39526340616a51ab45ccf46dcf799d
SHA256

894723b804ae51e7294a69169f0d7b0244a18ba712fa8e3042cb63e8e58cbccf
SHA512

fca6cf580c15e0e623b76fa83c9d1234d1f376a9059274e24debdab02ae6c9ab74c16be7b13c26cca810b93290405619a5a17a1dbf9d087dcea57953aa74369d
SSDEEP

98304:QkrGUuVDcQJBwXBtEgQJPL8dKNPtJOvar/xGvKp2QqP2kWnRUrCvLP95cd:Q21uZckBwXBtVQ9wG/QSpLhRUrCvxWd

Score

10^/10

Malware Config

Extracted

Family

sova_v5

aHR0cDovLzUuMTYxLjk3LjU3OjUwMDAv

aHR0cDovL2RheWlndXZlbmVjZWtoYWJlcmxhcmdlbGVjZWsuY28udnUv

aHR0cDovL2hlcmtlc2VhY2lraGFsZGVnZWxlY2VraGFiZXIuY28udnUv

aHR0cDovL2Jpemltc2l6ZGVuaGFiZXJhbGRpZ2ltaXpoYWJlcmxlci5jby52dS8\u003d

aHR0cDovL2thcmFrZWRpaGFiZXJsZXJpbmJhc2JlbGVzaW9sZHVpemwuY28udnUv

aHR0cDovL2Jpemltc2l6ZGVuYWxhY2FnaW1pemhhYmVybGVyZGVheS5jby52dS8\u003d

Targets

- Target
  
  Video_Player.apk
- Size
  
  4.3MB
- MD5
  
  54013894dcaf20181b2ca431bb9d0575
- SHA1
  
  6cb71982ce39526340616a51ab45ccf46dcf799d
- SHA256
  
  894723b804ae51e7294a69169f0d7b0244a18ba712fa8e3042cb63e8e58cbccf
- SHA512
  
  fca6cf580c15e0e623b76fa83c9d1234d1f376a9059274e24debdab02ae6c9ab74c16be7b13c26cca810b93290405619a5a17a1dbf9d087dcea57953aa74369d
- SSDEEP
  
  98304:QkrGUuVDcQJBwXBtEgQJPL8dKNPtJOvar/xGvKp2QqP2kWnRUrCvLP95cd:Q21uZckBwXBtVQ9wG/QSpLhRUrCvxWd
Score

10^/10

sova sova_v5 banker evasion infostealer trojan
- SOVA_v5 payload
- Sova
  Android banker first seen in July 2021.
  banker trojan infostealer sova
- Sova_v5
  Android banker first seen in July 2021.
  banker trojan infostealer sova_v5
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

SOVA_v5 payload

Sova_v5

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Looks up external IP address via web service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

We care about your privacy.