teabot | 13e34ee48550c03e90008bace2279b3206333905c9b3de05756551c83674ce70

Resubmissions

27-01-2023 07:24

230127-h8ld7she43 10

25-04-2022 13:47

220425-q3kjqaccd4 8

23-04-2022 16:23

220423-tvtdfadcc3 10

22-04-2022 08:33

220422-kfyj6sgbam 10

Analysis

max time kernel
4062158s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
27-01-2023 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47bb7f855cdf116c62499240089fa1b7a69585e8b7f639e192b9d038da4094cd.apk
Size

3.2MB
MD5

bf2ddaf430243461a8eab4aa1ed1e80d
SHA1

29c497dc416d903917e92ae347371b15009eaee1
SHA256

47bb7f855cdf116c62499240089fa1b7a69585e8b7f639e192b9d038da4094cd
SHA512

b50735a2d58e19038f56baf62704b4d7af726e812758ea7c43b4c5155828b93ea5d9284ec89ba8ce9704e4b8945bb832970fd7601bbdcd039972bdac78ab4739
SSDEEP

98304:ylxgweICNV+mN24ElmQjE9LBcGDIXAOthoV:ylxgBImV+mCmQjMLBarrc

Score

10^/10

teabot banker evasion infostealer trojan

Malware Config

Extracted

Family

teabot

http://51.38.166.153:80/api/

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.nnawozvvi.pamwhbawm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.nnawozvvi.pamwhbawm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.nnawozvvi.pamwhbawm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.nnawozvvi.pamwhbawm

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.nnawozvvi.pamwhbawm
Acquires the wake lock. 1 IoCs

Processes:

com.nnawozvvi.pamwhbawm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.nnawozvvi.pamwhbawm
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.nnawozvvi.pamwhbawm

ioc pid process

/data/user/0/com.nnawozvvi.pamwhbawm/8jIIkIkopq/gkttjgFgiakjHfF/base.apk.gp8ghaf1.hth 4384 com.nnawozvvi.pamwhbawm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.nnawozvvi.pamwhbawm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.nnawozvvi.pamwhbawm
Removes a system notification. 1 IoCs
evasion

Processes:

com.nnawozvvi.pamwhbawm

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.nnawozvvi.pamwhbawm

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.nnawozvvi.pamwhbawm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nnawozvvi.pamwhbawm

ioc	pid	process
/data/user/0/com.nnawozvvi.pamwhbawm/8jIIkIkopq/gkttjgFgiakjHfF/base.apk.gp8ghaf1.hth	4384	com.nnawozvvi.pamwhbawm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.nnawozvvi.pamwhbawm

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.nnawozvvi.pamwhbawm

com.nnawozvvi.pamwhbawm
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nnawozvvi.pamwhbawm/8jIIkIkopq/gkttjgFgiakjHfF/8whgwyuo.jwtf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/8jIIkIkopq/gkttjgFgiakjHfF/base.apk.gp8ghaf1.hth
Filesize
622KB

MD5
35d61c7bf56572647255879d8226dafd

SHA1
27a1c7549d3d98793886f315600889d421696403

SHA256
b17570a35cee1028853df373c565da61fb1dff751f755001e8545093084464f3

SHA512
d88765b16177c83bc426af6959ed7ea5c58bb77b49ad9505a6f4c0e106ac4c5a43ba4cdde4ca0fefc9ca39c492f7a1e7a0442f3953b2fc1d97f1951e19387519

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/8jIIkIkopq/gkttjgFgiakjHfF/tmp-base.apk.gp8ghaf327436723791932643.hth
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/.com.google.Chrome.6TPvPq
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/GPUCache/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/GPUCache/index-dir/temp-index
Filesize
96B

MD5
34143481e3cb0190d5a5401f90dcf536

SHA1
500746d5f3c379f6b766c42a9a887f7d16eecea4

SHA256
55b2c6ae0ed6fb44af4da04795dfbfe8f081a5a9f80f0760395b011ccd9d7fc1

SHA512
d982e3a7c2acfe6cf01b457e7c7796dab4967756eabf219e2864e05abb1f7d4eed7508c66f02e737af5e4bf3a6bf466fcda32cc7239a8e99ab7c6df0674b50a2

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Session Storage/000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Session Storage/000003.log
Filesize
61B

MD5
9f7eadc15e13d0608b4e4d590499ae2e

SHA1
afb27f5c20b117031328e12dd3111a7681ff8db5

SHA256
5c3a5b578ab9fe853ead7040bc161929ea4f6902073ba2b8bb84487622b98923

SHA512
88455784c705f565c70fa0a549c54e2492976e14643e9dd0a8e58c560d003914313df483f096bd33ec718aeec7667b8de063a73627aa3436ba6e7e562e565b3f

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Session Storage/LOCK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Session Storage/LOG
Filesize
135B

MD5
65abeae1967c4bb8e2ede9690ab2081d

SHA1
53845f76cc4451ad6e8c27c84982ef83ae94abbc

SHA256
21a404c5ccbb6486073a4dcabdb6c5de441901e132755840aafa30d5f69dcc3d

SHA512
b229e420038f6208d5206e31ddc103b8b7436caf96fc0d5837bf61654135afee279252bbb7dcab270001a85b8ee2bf92e3e64652d5e52801024bea457d07ed98

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Session Storage/MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Web Data
Filesize
120KB

MD5
a48cd9324b1f8754b07f00d863b840f3

SHA1
11c6614775b35a58f440971dfc87c8aaac6d6173

SHA256
8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420

SHA512
35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/Default/Web Data-journal
Filesize
2KB

MD5
7766cd7bf0bf185c9c4934e2ff3dfb67

SHA1
cead79698766c3433bc0695cbff523beeaad6542

SHA256
8c52a56f34d540cca00dce25048f65ae61d4ca159114d15d6847591f31c9beb6

SHA512
a781875030c78a781ad50b37ee110f3ce16084c5212b1276284c676268642b8e72a9d351bae61488f3e2b87fed1765eaed57172e4204d22c6e108b464eb03f12

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/variations_seed_new
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/variations_stamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/app_webview/webview_data.lock
Filesize
29B

MD5
b4ed440f2b009449284b86e741e28d6b

SHA1
88330b7a1130206ff61d991da10dd8168b32a0ff

SHA256
6dc9f10c6756fcbf489a8d5c2b8cfb081e27fb71ab985c1a93b21f484bb69525

SHA512
89582ab6889772e61a1a8dcd149fc656f3c14d6fdd023ff1b72108da774d3dea92bd903c55df0a22d88990ed7f705a2d4424dd2d3fa1ae40122bb3e4dae0fa01

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/Crashpad/settings.dat
Filesize
40B

MD5
4b7f94e98d2c3c6c81b2ebb6a8b94426

SHA1
09e5191954dd6c92db1c2807f77f63c6b33e935f

SHA256
afff6a051e7ca7f1c85d11c9f2d62bdd208987e40b86dc93ee2591a96b69b0cf

SHA512
eabb5479beedafb9738d8c181350a7c2620998194462c63488e35c9c481810ed589558a7c2db5091fe7c93bb52bfa9de32491e72d99683abdba8bc45dba01cd1

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/Default/HTTP Cache/Code Cache/js/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index
Filesize
96B

MD5
4f7ed8eddd9bef16b855fb3cf2105138

SHA1
8319cf1491d7be594419006b68b7e1f89113a7f8

SHA256
7540a5d68fd366138cb6676100efcb9f1d1dbbf27f60556fa77840e38d420324

SHA512
7a44b4bc5f89bd58509c6a706341a312d57d1392ac497f39a034671602a0b162fab1f93b30c805593b827c6b440d754251ec121d31a450f203876abf335a6646

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index
Filesize
48B

MD5
6d7d499960179766cd4261d12dacc411

SHA1
e6f8553b0015e12b23cc551afe98763f3b1c9bed

SHA256
c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182

SHA512
6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index
Filesize
96B

MD5
6a045081065f3f02f65e73ea0f5c69b7

SHA1
b2716f5ca4dd0f005064bec5d935d26291059958

SHA256
65ef2506229ed1071c94634f687f08932f544b54cfba7dd932e5ae41e96f863c

SHA512
19fa100c1785e6ffd7d95c06c7b07b91d89283d71f0680093a8b0dd4a1668b01d250b006069902027ba21696f96cfaa6622b295329044c8f167ed9a2fd9a028d

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/cache/WebView/font_unique_name_table.pb
Filesize
57KB

MD5
f080fa2a56ab5479d58063e5ea871447

SHA1
4b3fd57a98916fa5784305b76ba30af26b5253d9

SHA256
0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815

SHA512
8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/shared_prefs/WebViewChromiumPrefs.xml
Filesize
127B

MD5
97ccd9a2b2063143df56b6937f961ca4

SHA1
5e78a91ae5df289ce83443cb7d5589dd3504fb5d

SHA256
248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd

SHA512
86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

Download Submit
/data/user/0/com.nnawozvvi.pamwhbawm/shared_prefs/multidex.version.xml
Filesize
307B

MD5
0cb6708aa455194ce6001fbbb9d07682

SHA1
03406a025f1c26963cc68793ccf9ba9a80f8bb3a

SHA256
a2712836b21c378b3e5eba542e96cff01413aca751629f12794283d4f70734ed

SHA512
81f323073838735ee2af6dc5f497ba0ed4803d49a768bf3e88ddc7133d5d199ce182762d0fbf66ee456ec71a9e32774b8238446228ea89c94bc8927ea45bc9f7

Download Submit