sova | fcf0edf3418c9fb60f2899e86035aef19060c391abc58b626afacd5f42db81c9 | Triage

Submit
Reports

Overview

overview

Static

static

7

Chrome.apk

android-9-x86

Chrome.apk

android-10-x64

Chrome.apk

android-11-x64

Sharing

General

Target

Chrome.apk
Size

4.6MB
Sample

230125-payp7she81
MD5

bea9df0dc4a7cd1a1114e62421c813c7
SHA1

dd598b5178be37846db2f68dfb8fb496cfd96914
SHA256

fcf0edf3418c9fb60f2899e86035aef19060c391abc58b626afacd5f42db81c9
SHA512

defddb84ff5520f8a69c59983ecb24579b68c40aaf3354269d3233e17ed63125a3ee982324bac1464ba6ea0fcb7cfd38f90375b81eaa6e90e9b7da49e6ec94a0
SSDEEP

98304:tnr0WBTR7r0GLvBxKN2yn/dw0XiF1tjDquyibszsEVJvTyPg8iT:tr0W5Z00KpVatDqhiDEbvbLT

Score

10^/10

sova sova_v5 android banker evasion infostealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Chrome.apk

Resource

android-x86-arm-20220823-en

sova sova_v5 banker evasion infostealer trojan

android-9-x86

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Chrome.apk

Resource

android-x64-20220823-en

sova sova_v5 banker infostealer trojan

android-10-x64

5 signatures

150 seconds

Behavioral task

behavioral3

Sample

Chrome.apk

Resource

android-x64-arm64-20220823-en

sova banker evasion infostealer trojan

android-11-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

sova_v5

C2

aHR0cDovLzUuMTYxLjEyMC4yODo1MDAw

aHR0cDovL3lhbG5pc2dlemVuYWRhbWxhcmRhbmJpemhhYmVyLmNvLnZ1

Targets

- Target
  
  Chrome.apk
- Size
  
  4.6MB
- MD5
  
  bea9df0dc4a7cd1a1114e62421c813c7
- SHA1
  
  dd598b5178be37846db2f68dfb8fb496cfd96914
- SHA256
  
  fcf0edf3418c9fb60f2899e86035aef19060c391abc58b626afacd5f42db81c9
- SHA512
  
  defddb84ff5520f8a69c59983ecb24579b68c40aaf3354269d3233e17ed63125a3ee982324bac1464ba6ea0fcb7cfd38f90375b81eaa6e90e9b7da49e6ec94a0
- SSDEEP
  
  98304:tnr0WBTR7r0GLvBxKN2yn/dw0XiF1tjDquyibszsEVJvTyPg8iT:tr0W5Z00KpVatDqhiDEbvbLT
Score

10^/10

sova sova_v5 banker evasion infostealer trojan
- SOVA_v5 payload
- Sova
  Android banker first seen in July 2021.
  banker trojan infostealer sova
- Sova_v5
  Android banker first seen in July 2021.
  banker trojan infostealer sova_v5
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

sovasova_v5bankerevasioninfostealertrojan

behavioral2

sovasova_v5bankerinfostealertrojan

behavioral3

sovabankerevasioninfostealertrojan

© 2018-2025

Terms | Privacy