Overview

overview

10

Static

static

7

d277aa53a7...70.apk

android-10-x64

10

d277aa53a7...70.apk

android-11-x64

d277aa53a7...70.apk

android-9-x86

10

en-US.ps1

android-10-x64

en-US.ps1

android-11-x64

en-US.ps1

android-9-x86

libanw.21.so

android-10-x64

libanw.21.so

android-11-x64

libanw.21.so

android-9-x86

libavutil.so

android-10-x64

libavutil.so

android-11-x64

libavutil.so

android-9-x86

librsjni.so

android-10-x64

librsjni.so

android-11-x64

librsjni.so

android-9-x86

libvlcjni.so

android-10-x64

libvlcjni.so

android-11-x64

libvlcjni.so

android-9-x86

Analysis

  • max time kernel
    14910s
  • max time network
    159s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    05-10-2023 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670.apk

  • Size

    3.3MB

  • MD5

    5ebb07b6637f81fbdce0040f780dffa7

  • SHA1

    aa5062769a8f855daf410de53cfd85ef6fdcf1bb

  • SHA256

    d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670

  • SHA512

    0f6de475da0c41097a9f9fea49ed2c6ef13d63a6635267a1c710793811f62237a5a78653160b36832261d5c13ce4a2de24c9e84d1e297bcc6f56a1b6b6d96271

  • SSDEEP

    49152:gF29DLLIbAAGD603nJvCL2yB2M5a5+yrqL7C5WtPbsN0IfD2a+qoR/kENawqo:gyDL9AGD6cJ6LDBjwrq/C5wo0O2dTcu

Score
10/10
teabotbankerevasioninfostealerstealthtrojan

Malware Config

Signatures

  • TeaBot

    TeaBot is an android banker first seen in January 2021.

    bankertrojaninfostealerteabot
  • TeaBot payload 4 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • wire.rocket.breeze
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4159
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wire.rocket.breeze/app_DynamicOptDex/oat/x86/WjC.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4185

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json
    Filesize

    1.3MB

    MD5

    a5321977ebddee92f84819d1ac5044af

    SHA1

    cb3fcb6b2b1720300944184a6104f3420e3cfd51

    SHA256

    35b8e1945e58c9bdfc812e0356c20ac2201db5d7ab09cf95de3537d7177429d3

    SHA512

    de98d625186a3ce448a675a6f92f1ebdd626949ad7045fc93d0a6e95a1bd61c725dc3d86ad286ea88c9fb8fd91843b20533c99162344b3f9207c462597e53e0a

    Download Submit
  • /data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json
    Filesize

    1.3MB

    MD5

    81640422d214e96f335096d74ea078ba

    SHA1

    4ff16cb72a7130bf64ef36e4cb922362d047183d

    SHA256

    ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

    SHA512

    f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

    Download Submit
  • /data/data/wire.rocket.breeze/app_DynamicOptDex/oat/WjC.json.cur.prof
    Filesize

    1KB

    MD5

    0aa90f88310c71edefebc0d45c3739f8

    SHA1

    4771981a3d4baa21f6115cdb07051d4c400aff91

    SHA256

    3e38dcad93a879c08439578723fc534d14ceec3f24529efb1dd8353dfb82ad1d

    SHA512

    3ca4faa106c39c95d2dc10253385149ff525da8199ff113a9239251edc44809a77d3a51faa914df04fe8f6d7bc31c495d900d80841dbae3ec335c937a69e8f4d

    Download Submit
  • /data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json
    Filesize

    1.3MB

    MD5

    81640422d214e96f335096d74ea078ba

    SHA1

    4ff16cb72a7130bf64ef36e4cb922362d047183d

    SHA256

    ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

    SHA512

    f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

    Download Submit
  • /data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json
    Filesize

    1.3MB

    MD5

    f0f122dd954b3c54cafc6fb2bb230371

    SHA1

    4c7929385a0c0ada754453f7b1ca88af159fe045

    SHA256

    19a43426c5eb7ba563b3599acd819888f5783c91aea0e58254a0fa3fbc61a0e7

    SHA512

    fcb71594bf8f6e6110eb4d4eb2d7dc320078d4813585b96d3a4fa859db29e5a7ba955914b142ddd6e7c36cd6c3dcd11f34e284d847cbebf87364b01dc421e3c9

    Download Submit
  • /data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json
    Filesize

    1.3MB

    MD5

    81640422d214e96f335096d74ea078ba

    SHA1

    4ff16cb72a7130bf64ef36e4cb922362d047183d

    SHA256

    ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

    SHA512

    f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

    Download Submit