teabot | d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670

Analysis

max time kernel
17031s
max time network
162s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
05-10-2023 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670.apk
Size

3.3MB
MD5

5ebb07b6637f81fbdce0040f780dffa7
SHA1

aa5062769a8f855daf410de53cfd85ef6fdcf1bb
SHA256

d277aa53a7b51eb15b31f0cb7893f63eff695def94c61102c219003c34785670
SHA512

0f6de475da0c41097a9f9fea49ed2c6ef13d63a6635267a1c710793811f62237a5a78653160b36832261d5c13ce4a2de24c9e84d1e297bcc6f56a1b6b6d96271
SSDEEP

49152:gF29DLLIbAAGD603nJvCL2yB2M5a5+yrqL7C5WtPbsN0IfD2a+qoR/kENawqo:gyDL9AGD6cJ6LDBjwrq/C5wo0O2dTcu

Score

10^/10

teabot banker evasion infostealer trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 3 IoCs

Processes:

resource	yara_rule
/data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json	family_teabot
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	family_teabot
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	family_teabot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

wire.rocket.breeze

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wire.rocket.breeze
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wire.rocket.breeze

Acquires the wake lock. 1 IoCs

Processes:

wire.rocket.breeze

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock wire.rocket.breeze

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	wire.rocket.breeze

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

wire.rocket.breeze

ioc	pid	process
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	4972	wire.rocket.breeze
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json	4972	wire.rocket.breeze

Removes a system notification. 1 IoCs
evasion

Processes:

wire.rocket.breeze

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag wire.rocket.breeze

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	wire.rocket.breeze

wire.rocket.breeze
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:4972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json
Filesize
1.3MB

MD5
a5321977ebddee92f84819d1ac5044af

SHA1
cb3fcb6b2b1720300944184a6104f3420e3cfd51

SHA256
35b8e1945e58c9bdfc812e0356c20ac2201db5d7ab09cf95de3537d7177429d3

SHA512
de98d625186a3ce448a675a6f92f1ebdd626949ad7045fc93d0a6e95a1bd61c725dc3d86ad286ea88c9fb8fd91843b20533c99162344b3f9207c462597e53e0a

Download Submit
/data/data/wire.rocket.breeze/app_DynamicOptDex/WjC.json
Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit
/data/data/wire.rocket.breeze/app_DynamicOptDex/oat/WjC.json.cur.prof
Filesize
1KB

MD5
d3f5325cf65ea15d0b2ddc44a1f3be55

SHA1
4f9037221f4307b66aa15b1b99174eecb2e81844

SHA256
2e810d29e130eb45954af3e52a027f18631c75a7dd09bb00376ec9db7e2c6362

SHA512
a95cbe51fb7e3ccaaa14f9a1490dcf65417183b7feddb37c4c2e340d95e35b65b1350eb219c97f0f495d02fd6b7c420a93dd32127e3be0cd720558570c7e18cf

Download Submit
/data/data/wire.rocket.breeze/app_DynamicOptDex/oat/WjC.json.cur.prof
Filesize
1KB

MD5
d0720770cd83251f729789a58953db52

SHA1
fad45d1583b77361769e99097abb73bb523fbaca

SHA256
5bac569883b2c5f62ba8e44620dc60bd2ad3a7653dcf4efdd718e783b6e011c2

SHA512
e1d46e932eb97e0441195ebf95d4ba668065c8345780cbe3a76c413fb4b5e47a10fa7af1d3fdf7449dcbeb2e64d124dc64a8c3442eb656a6e526905c248260a2

Download Submit
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json
Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit
/data/user/0/wire.rocket.breeze/app_DynamicOptDex/WjC.json
Filesize
1.3MB

MD5
81640422d214e96f335096d74ea078ba

SHA1
4ff16cb72a7130bf64ef36e4cb922362d047183d

SHA256
ce100d7a870d6a48c083889f92a4ea7005618be40d05e39732bd2788b3166567

SHA512
f2802657d40982dc78f158a719f03a6982e3f63785ab01146b8ab9ab702c7d9cd4a1bc411e0351876881b81aec410e79ee9d5338564b38c2e26f49353e5754c5

Download Submit