sova

Sharing

Copy URL

Twitter E-mail

General

Target

d8b81583ff8b6bbd0d16bf8dacd2aa66b6627d506e365efe0e15589c94eee56a.bin
Size

4.6MB
Sample

230808-1w6hqahe4v
MD5

be6e50b14431534cf3a87a080b7e0a74
SHA1

5074fc1dee2d8cfe26b65671398b0c4b4e1c6447
SHA256

d8b81583ff8b6bbd0d16bf8dacd2aa66b6627d506e365efe0e15589c94eee56a
SHA512

d1da324a1c0db96098f2d2a94d523835cfbfe758c3ff6bf2f81f8eed0317674ff824ef7951742b9d21f9d333ff456429ab75ee2f1a528cd88312d6e287dfff82
SSDEEP

98304:F/x5ntlwuBPRaIcSX7c3HTE6dcrxvlfU5ikBP0pjuoeKkCbo0Y8:F7/v5rcg7cDE6dcrVFU5ikBP0pjfIv8

Score

10^/10

Malware Config

Extracted

Family

sova

http://85.31.45.129

http://85.31.45.130

Targets

- Target
  
  d8b81583ff8b6bbd0d16bf8dacd2aa66b6627d506e365efe0e15589c94eee56a.bin
- Size
  
  4.6MB
- MD5
  
  be6e50b14431534cf3a87a080b7e0a74
- SHA1
  
  5074fc1dee2d8cfe26b65671398b0c4b4e1c6447
- SHA256
  
  d8b81583ff8b6bbd0d16bf8dacd2aa66b6627d506e365efe0e15589c94eee56a
- SHA512
  
  d1da324a1c0db96098f2d2a94d523835cfbfe758c3ff6bf2f81f8eed0317674ff824ef7951742b9d21f9d333ff456429ab75ee2f1a528cd88312d6e287dfff82
- SSDEEP
  
  98304:F/x5ntlwuBPRaIcSX7c3HTE6dcrxvlfU5ikBP0pjuoeKkCbo0Y8:F7/v5rcg7cDE6dcrVFU5ikBP0pjfIv8
Score

10^/10

sova banker infostealer trojan evasion
- SOVA_v5 payload
- Sova
  Android banker first seen in July 2021.
  banker trojan infostealer sova
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2 behavioral3
- Target
  
  chrome.html
- Size
  
  441KB
- MD5
  
  193fb8df817a34729b76ce1f0a87e8f6
- SHA1
  
  b55294b97f0173ed3ca3f8ad37e42eb3278c4931
- SHA256
  
  c535c15602bff882ae427c2607e3f430c25d831f45f5bd3e3703461ae655a803
- SHA512
  
  be0c3da056cad4af28065ea97daf70fce9e15d67b904eff2d4ff4df552ec13e2a072b7e4a777ce9699bca9c42abdec105fff9f33644d75bf8fc419d8b50968f9
- SSDEEP
  
  6144:sTBhJ3tmnYBXD3xiXIMf/lxT0r/VAkh3EQMNykuv1HQAKogQJJvxlQrlBt:ijGnYBrTMVxgVAkhYNykuv1HT9Bx0
Score

1^/10
behavioral4 behavioral5
- Target
  
  libalog.so
- Size
  
  85KB
- MD5
  
  9c48fd1fe618ccb8e4ed9e03c8966585
- SHA1
  
  dd078380b23e77a0434d38b945c29078836a7dc3
- SHA256
  
  60d1ac4232db388b87baf0fbcb2057657791caf3c7fddacced54c971e9b8d99c
- SHA512
  
  e28a5ab16efce77b48b4d69f867a518866abb23a6c1455262c3abcc38b013fa36dec172f2c833166648bdefbafa3cdc713f9e2df2a6289f07128f5235864ff1e
- SSDEEP
  
  1536:z6AntjNn/qMrE064jooBORCkCqunbObAXcE40/GMKXKu7MqV:z6uxF/qMAx4EoBOzZunKzG7+3x
Score

1^/10
behavioral6
- Target
  
  libapminsighta.so
- Size
  
  85KB
- MD5
  
  93d401f38dd870dcff202d297d764832
- SHA1
  
  7b49b82709308954a6533d4ef285824632ac6f16
- SHA256
  
  f43718ae78b9721fea3550f3b5726b96775de15c681184fb3ed3284167bd3072
- SHA512
  
  13adf160f70e598f09fd126733e56e27601f084c6799d3668912628899c779e454bdd9d5a6fad7ad14e2e4b9c27b3b27c02a85ea2bea520f3e928f84be45af81
- SSDEEP
  
  1536:D9f3+17jGYgaxGX6GNql5D7H6OTx+tusrAkWCrR59OUhpyJ6SeKlh:D9fIjGNaDV+Ys1/9beN
Score

1^/10
behavioral7
- Target
  
  libvcnverify.so
- Size
  
  13KB
- MD5
  
  5be95d7d1e7eec0323f56559e1788919
- SHA1
  
  0163d15f83168e36d4af067a0c5f6faa63c6c013
- SHA256
  
  373bff62cc1d3c588878f938df42235800fe0b1d8889c67b56625a24421c3a83
- SHA512
  
  5920f1a2235356a89d61eee5e41a5599b97d10a062b5b55abba988ee7a0c70cd21b31725e1f0adf505586abd01e19d6f317ff3fb00bc0f71a19b636ea243a76c
- SSDEEP
  
  192:JWHhtuhm9VUrmdykvFxmxvU7MKhMCORvjc2H5rV3/vgY:JWHp7vFoqhMCOVjvVgY
Score

1^/10
behavioral8
- Target
  
  libvcnverifylite.so
- Size
  
  17KB
- MD5
  
  fb275cd918376ff46133e1d925c21de1
- SHA1
  
  02b9773e12009f99a2bcd9284d36ce997820d7fa
- SHA256
  
  6a550c34877c7681a177a517356c1de221a3d787e7f3a8950b6c3851e206fdb3
- SHA512
  
  c9304a9dfc856138a1942c2e18dcccd8d276505f286f767a7fc9ebe015b9a049c74973f45d69e9c571e09a1731bc1d4b31a3a4edb9d39fccb40d4307b7da2016
- SSDEEP
  
  192:nkHhiHmrebgmaKOhwJ9vqlBwW5fAE5cyWy/GN4simkSULKaEAKKhvCORvjcIiIwG:kHrUMwVEWqwMuchvCOVjTnP
Score

1^/10
behavioral9
- Target
  
  libvctfo.so
- Size
  
  13KB
- MD5
  
  0efe5933ceb6e0b048916aadf60ffa1e
- SHA1
  
  cb62bd1f28f9cc3d360a11efbc389401bdebef3b
- SHA256
  
  e14e5589497eb0a1c542b506eb3b1892afda010e2a8c8ca102d89a9785740ab5
- SHA512
  
  a0660e77bad36d4c9ddaed40369a2563dff5ad3abb90112e751269fe46c024d5669de43bee92a9cef4132d76865ea5e260d007f73e23fd3eb783b7b8334b98b6
- SSDEEP
  
  192:4kyZvTWK7QmA9GfRA8lOlRdBuxYjpjqZbqNQqe3C83kEgh+zoBaeXD/o9:43RKK7nAUJvkndeYNGZb8QxoXTe
Score

1^/10
behavioral10
- Target
  
  libvideodec.so
- Size
  
  37KB
- MD5
  
  dfcce6a86ee920754f6a8dd93dd9d1f4
- SHA1
  
  5e45413868a9ef17ac70e7af36b6886776954b96
- SHA256
  
  5c8e1e58a812668e6651aaa2cf0985258386d5f296a75dbf92d39136216e0837
- SHA512
  
  53559c685720d0df7c1acbc4f7c96464345f3dbdb75dff52cb90134d883aac83b1fe6e2d2dc1385987b8c4f608205756bebea757b4afb93ef985fcf5c0e14b75
- SSDEEP
  
  768:7XY41gyZkrZz3lrMY7444z8zBmxx0bLS4A4JeUyh444OR:7XY41tZkrZz17444JsS4A/h444i
Score

1^/10
behavioral11
- Target
  
  libxz-main.so
- Size
  
  5KB
- MD5
  
  84e56f925faa5a4908911c7664a09e61
- SHA1
  
  d762f07c0c3e72b6aa3e73f2da1eee560dbc4929
- SHA256
  
  3b29f7ad0604f99d7c6af7d13bfdde0919a520add8c8ade699ce6c238e57c9b8
- SHA512
  
  554bff1cf709164a017ab69302e597934bab3cc367a87bbdd3718e2038bdf3c29ba60498ba2290ca14812a600dab1ea406dbd59d76501f09590d6b360ae3074a
- SSDEEP
  
  96:61przPaZnaaxr4YmKUlMbG7I62oYoUzV7fOZL:6PvaZauzUlO62Y
Score

1^/10
behavioral12
- Target
  
  libzstd-jni-decompress.so
- Size
  
  63KB
- MD5
  
  71b79cb9cef7c4833de0db311fd4f7b0
- SHA1
  
  bf3b310a5e91a4a7e7b9a1925257fbc826031f70
- SHA256
  
  415462b2df9a219d5f5b9ae1578cf6a1f6b14a3fcc214d8d67c3e0d3db03853c
- SHA512
  
  d0d6a67b8c14746d5f468a26724109350d7e4f542e8a1d2cde65468faaab5a01f350210a837c11edcf226a5b46a446966f2fd4de6e9659c854f8997cbc27753b
- SSDEEP
  
  768:sP2rww8zLgp1qiyN4ogcHM2gTyihy7HPecXq8ngQW+vKoGvkx40YNDMR:sBc1VyN4odMRmisasqiWzoG8x0NDs
Score

1^/10
behavioral13
- Target
  
  nointernet.html
- Size
  
  551B
- MD5
  
  6c2f16445d9aec3236eaf027852b8ae0
- SHA1
  
  76854c00267dfc7276eeee12e6df96c5a82d1646
- SHA256
  
  9d647b7f81404d0744ebd1ead58bf8a6f3b6beb0a98583a907a00b38ff9843c2
- SHA512
  
  fc835b8d68aec6ebe727268148c36bc6e4ec991d984e5b80f4f15c75d9de1a52341ef09735bb16e3c390a45ca483032a2fd393bd63d86bd067f25a3276958437
Score

1^/10
behavioral14 behavioral15
- Target
  
  slardar_bridge.js
- Size
  
  2KB
- MD5
  
  a24b9d6eeff1611a37b1760b13a9589c
- SHA1
  
  fcf43fe41a6565c56dcda09411d0c8e95978c34f
- SHA256
  
  08fb56916965301925a88d67af376a5daf24961b25d032d56503b0b28e257d24
- SHA512
  
  804e81479661290866ebf4f16cdd8e782ee85c062429341a5c778112c1fa8b66eaa07cd8da7407b4771324e702b9d80e2f73a91803341c2eb5a0bdb26bcc38e5
Score

1^/10
behavioral16 behavioral17
- Target
  
  slardar_sdk.js
- Size
  
  45KB
- MD5
  
  d7d819e607629e2ed65bc8e20e43bbf6
- SHA1
  
  80dbaecad2447d753e5842d431b2969c18b183a7
- SHA256
  
  efc794574a9af3f9750f13137b8983893220d57deaf39ebaf5663bb16b5caf65
- SHA512
  
  44d3f9cf75e7e7991907674c4c94b5dbfececa809238bfb948bd734d6f28b856ad56726f25f28ae3892c4fa4cc206425b2942467f2f91016cb874eb5e3cb70a2
- SSDEEP
  
  768:wKmW2+4w24HY8GSwbJwHQpd5zkvY7S6mg3LX:w/wvpGSwbKHUzmzvg7X
Score

1^/10
behavioral18 behavioral19
- Target
  
  unique.html
- Size
  
  20KB
- MD5
  
  a5f8f406fc9e2dbfcdee2cad0c6703cf
- SHA1
  
  4903d7caad6fb3dfc6466896b7b9418bee381630
- SHA256
  
  1b5f986ddee68791fffe37baa4c551feae8016a1b3964ede7e49ec697c3ce26b
- SHA512
  
  d56389242b2c97471d3f7e99955d44c7cfe27452cfb60588e63b5e512919995408012a18bbb2201c761705ac367b4aeaa5262bc73372b63fdc2813382f5da4ae
- SSDEEP
  
  384:lF5gQ2RGaTQSHxpG82WiviKiIiciHi6iKiFi6iKiFicisiqili8inioinihiniZu:l3gQ2RGaTQSHcqzlRCjz0jz0RhTUxiFT
Score

1^/10
behavioral20 behavioral21

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

SOVA_v5 payload

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Looks up external IP address via web service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21