Overview

overview

10

Static

static

7

5413aa7824...9a.apk

android-9-x86

10

5413aa7824...9a.apk

android-10-x64

10

5413aa7824...9a.apk

android-11-x64

10

HoneJSCoreJSBridge.js

windows7-x64

1

HoneJSCoreJSBridge.js

windows10-2004-x64

1

liveWallpa...in.apk

android-9-x86

1

liveWallpa...in.apk

android-10-x64

5

liveWallpa...in.apk

android-11-x64

1

Resubmissions

30-08-2023 14:03

230830-rc5mmsfg85 10

24-08-2023 14:38

230824-rzwcgsdb55 10

Analysis

  • max time kernel
    670963s
  • max time network
    174s
  • platform
    android_x64
  • resource
    android-x64-arm64-20230824-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
  • submitted
    24-08-2023 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5413aa7824e00c2773031ca26b238e9a.apk

  • Size

    2.2MB

  • MD5

    5413aa7824e00c2773031ca26b238e9a

  • SHA1

    e83c48e09e8bc75d9b1c10748b6ea6913ce48508

  • SHA256

    201d1e0492232be2f34bf699a08e516bd4d433a1071291f673a15b846216a7ce

  • SHA512

    824c931eb212bec4ddf9cd1afc30364c3076ea8458dc1f95ac261ce99d3c70ff4e959c185c8203a86a7a01767291819e4da786d1f34f356521833fc226f0e36b

  • SSDEEP

    49152:TiRU48uqFdL40DDKHY2tqzfAJio30O7Y8b56j6NQV:eRUhdL3fAY2tr30O7xb56s4

Score
10/10
teabotbankerevasioninfostealertrojan

Malware Config

Extracted

Family

teabot

C2

http://91.215.85.55:85/api/

Signatures

  • TeaBot

    TeaBot is an android banker first seen in January 2021.

    bankertrojaninfostealerteabot
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
    banker
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.kwfsrkyv.nkvjzgom.chapljek.lkmmgrrq
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.kwfsrkyv.nkvjzgom.chapljek.lkmmgrrq/rwurrebwrt/grwrfkkobvgowjr/base.apk.ttefr9f1.fgw
    Filesize

    751KB

    MD5

    94da31768475580aa793a92629b8214c

    SHA1

    3fdeba0b556dfb4fb818e060f65b8bac34a6f144

    SHA256

    1a5fc28b86b1c8b0e0bb202b0d7a8be37d968f33d162fe33a892b5476b0934aa

    SHA512

    6afa597eeda3580ee930e46f302bf4c5a949f037330d932f023b254cabcbcf9242db051930d08f670a7bb5afa4abace29efc10208cdfaa776f356b76c68d5347

    Download Submit
  • /data/user/0/com.kwfsrkyv.nkvjzgom.chapljek.lkmmgrrq/rwurrebwrt/grwrfkkobvgowjr/tmp-base.apk.ttefr9f7331694778157483826.fgw
    Filesize

    317KB

    MD5

    4aff80b7f8db95ead994b39eccb5c88d

    SHA1

    3da64d417047ad013fa59e7ea7e036e61918c4ea

    SHA256

    5d2c6492860c1185134d56896f4974da5db9adcf5ffeb1f2a53e090ff621cf39

    SHA512

    8155c21a0468abe498e3d32edd82b5f38eb1825a873fc2b8c7cc8e750be79da0a139cb4997dd2ae3258e92c7f72b8f125972050d64eb5d9f9997732bbd86c305

    Download Submit