teabot | 201d1e0492232be2f34bf699a08e516bd4d433a1071291f673a15b846216a7ce | Triage

Resubmissions

30-08-2023 14:03

230830-rc5mmsfg85 10

24-08-2023 14:38

230824-rzwcgsdb55 10

Sharing

General

Target

5413aa7824e00c2773031ca26b238e9a.apk
Size

2.2MB
Sample

230830-rc5mmsfg85
MD5

5413aa7824e00c2773031ca26b238e9a
SHA1

e83c48e09e8bc75d9b1c10748b6ea6913ce48508
SHA256

201d1e0492232be2f34bf699a08e516bd4d433a1071291f673a15b846216a7ce
SHA512

824c931eb212bec4ddf9cd1afc30364c3076ea8458dc1f95ac261ce99d3c70ff4e959c185c8203a86a7a01767291819e4da786d1f34f356521833fc226f0e36b
SSDEEP

49152:TiRU48uqFdL40DDKHY2tqzfAJio30O7Y8b56j6NQV:eRUhdL3fAY2tr30O7xb56s4

Score

10^/10

teabot android banker evasion infostealer ransomware stealth trojan

Malware Config

Extracted

Family

teabot

C2

http://91.215.85.55:85/api/

Targets

- Target
  
  5413aa7824e00c2773031ca26b238e9a.apk
- Size
  
  2.2MB
- MD5
  
  5413aa7824e00c2773031ca26b238e9a
- SHA1
  
  e83c48e09e8bc75d9b1c10748b6ea6913ce48508
- SHA256
  
  201d1e0492232be2f34bf699a08e516bd4d433a1071291f673a15b846216a7ce
- SHA512
  
  824c931eb212bec4ddf9cd1afc30364c3076ea8458dc1f95ac261ce99d3c70ff4e959c185c8203a86a7a01767291819e4da786d1f34f356521833fc226f0e36b
- SSDEEP
  
  49152:TiRU48uqFdL40DDKHY2tqzfAJio30O7Y8b56j6NQV:eRUhdL3fAY2tr30O7xb56s4
Score

10^/10

teabot banker evasion infostealer stealth trojan
- TeaBot
  TeaBot is an android banker first seen in January 2021.
  banker trojan infostealer teabot
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
behavioral1 behavioral2 behavioral3
- Target
  
  HoneJSCoreJSBridge.js
- Size
  
  6KB
- MD5
  
  59ce8735ebb2e8f8a20f9de82489eb84
- SHA1
  
  7ac292a01a915bf879f9eed374ef952027d7f24f
- SHA256
  
  bb71154507c5b027417b83d58098b892fececabb37b7e698b69b4620881dd5f8
- SHA512
  
  3fe0e167829e51fb573fae63042c52e95d5d1861b6cb79de42d3477601801f88befdbc7336490085ef4de1a52d818c7c6961011b0bb88ef53ff36c8f3ef27e74
- SSDEEP
  
  192:l5Uwe+Kanfb6m3xb6R5HgR9uwcvAWgTFQZy/HqB5BaBvwB+kngd+mBPY+X7KUBYf:l5UN+7b6m3xb6RuRsJvAWpuHBvAnglYd
Score

1^/10
behavioral4 behavioral5
- Target
  
  liveWallpaperPlugin.apk
- Size
  
  162KB
- MD5
  
  91d33062e74043bb0bd9d5f66b343f3e
- SHA1
  
  aa3fab31cf6d5bc7fb1c012ada2b77ffe242a7c0
- SHA256
  
  4c3720917d9920cdec450cc85fe2fe3db39bc48cff4fea270914b475fc79f08a
- SHA512
  
  be5eb5cdab9e3348f3228fee40172b351a07d2d39ddd9d085593e3d78c13259be62425b4993a40696542902c452f7213a7b92410baf06192051640607389b80c
- SSDEEP
  
  3072:QV8ZyGg6GYtzqWn1Vmkv7YVQi5cRVl/51SGHHkmjVw:w8ZLGYtrv7O09bSGHHkYw
Score

5^/10

ransomware
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral6 behavioral7 behavioral8

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

teabotbankerevasioninfostealerstealthtrojan

behavioral2

teabotbankerevasioninfostealertrojan

behavioral3

teabotbankerevasioninfostealertrojan

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8