teabot | d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670

Analysis

max time kernel
14912s
max time network
149s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
05/10/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670.apk
Size

3.3MB
MD5

5ebb07b6637f81fbdce0040f780dffa7
SHA1

aa5062769a8f855daf410de53cfd85ef6fdcf1bb
SHA256

d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670
SHA512

0f6de475da0c41097a9f9fea49ed2c6ef13d63a6635267a1c710793811f62237a5a78653160b36832261d5c13ce4a2de24c9e84d1e297bcc6f56a1b6b6d96271
SSDEEP

49152:gF29DLLIbAAGD603nJvCL2yB2M5a5+yrqL7C5WtPbsN0IfD2a+qoR/kENawqo:gyDL9AGD6cJ6LDBjwrq/C5wo0O2dTcu

Score

10^/10

teabot banker evasion infostealer trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 3 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_teabot
behavioral1/memory/5106-0.dex	family_teabot
behavioral1/memory/5106-1.dex	family_teabot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wire.rocket.breeze
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wire.rocket.breeze

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	wire.rocket.breeze

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	5106	wire.rocket.breeze
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	5106	wire.rocket.breeze

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	wire.rocket.breeze

wire.rocket.breeze
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5106

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json

Filesize
1.3MB

MD5
a5321977ebddee92f84819d1ac5044af

SHA1
cb3fcb6b2b1720300944184a6104f3420e3cfd51

SHA256
35b8e1945e58c9bdfc812e0356c20ac2201db5d7ab09cf95de3537d7177429d3

SHA512
de98d625186a3ce448a675a6f92f1ebdd626949ad7045fc93d0a6e95a1bd61c725dc3d86ad286ea88c9fb8fd91843b20533c99162344b3f9207c462597e53e0a

Download Submit
/data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json

Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit
/data/data/wire.rocket.breeze/app_DynamicOptDex/oat/WjC.json.cur.prof

Filesize
1KB

MD5
63012636697fa7377cdb4223341ad09f

SHA1
f21e563da76d38713696b72d67b44f87439d2ad7

SHA256
07b1c4c4a5bf429a44ff5ed29a98c0225a8390fbbf813a41e284ee1c6b50ae65

SHA512
71769d9e5a9b2d68d006e2a11033855fb7bcee86750441c8ed55bcedc527065ddd582b0a4586b011122a7cb8ebcbbd872abf5edab39550beb4c0cbf043c33248

Download Submit
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json

Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json

Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit