teabot | 767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096

Analysis

max time kernel
2301195s
max time network
150s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096.apk
Size

1.2MB
MD5

c8793b4d4b5bedec055b8226358ed00a
SHA1

945feae70d7f65d36b30f97fe3ad5c995bc37bfc
SHA256

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096
SHA512

ee9bff8b99de34ef8e283bca0ff3acf74a02abe9bc24bcb48396d96f21871bc366dbdcce0912b2477286146ad1ff3dfcca549a6e3dfabc00b2a78efd6a4bbcdc
SSDEEP

24576:N/bg0gs5w15vsuVe3DDFdeCpt8xCHuLTbFpOTg49FVXDTNMDCV:N/U0b02DDp2HFM3XGmV

Score

10^/10

teabot banker evasion infostealer stealth trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 2 IoCs

resource	yara_rule
behavioral1/memory/4532-0.dex	family_teabot
behavioral1/memory/4504-0.dex	family_teabot

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.stone.observe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.stone.observe

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4504	com.stone.observe

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json	4532	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.stone.observe/app_DynamicOptDex/oat/x86/kwLBB.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json	4504	com.stone.observe

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.stone.observe

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.stone.observe

com.stone.observe
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4504
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.stone.observe/app_DynamicOptDex/oat/x86/kwLBB.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
200KB

MD5
3ca956b3cc5c45ba72bb60d9fcced6e0

SHA1
8e674da3cde440af60a54647bae818d50f4a47cc

SHA256
82a063c41dad8f1e172bfcdfd399aad9b4a73790697765810578799cb2887cab

SHA512
aee8722d6d9520e21cf2b4cfaa3ec3361878881eeacdbbd0fc40d8534f80a50d7bbf184561d1a13fef5659d444fa1edbd1de1b80dd222451a870cd8525513cad

Download Submit
/data/data/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
200KB

MD5
c830784444dbaaf7e087a95c4d7ae2a8

SHA1
4d4a76997dfe510187f618731f7d0a67fc98da17

SHA256
366f0ae481e3fe81c4682c144925bd901b5567df6e956c382f056af9dc4484ab

SHA512
bf2d7a74a32fe45da083e5c9421411232b016f599f641971a9b0305091804b755027f42d23d7aeb0c4c47993acc9f6a68d4a80f31aa248a058cea8e169ccd977

Download Submit
/data/data/com.stone.observe/app_DynamicOptDex/oat/kwLBB.json.cur.prof

Filesize
1013B

MD5
b280a8a26674404f11dacb9bbff8b994

SHA1
0c86d773433423c9e28046db8cfd0cbd132be053

SHA256
2900ed24f2969087d0f76729d6ac56b41197e79ae0e1ab3093f56a0c372ea590

SHA512
f7db0acdf5c53e2a0ff46789f99affc93fa4176c50c944166bdea248cbb1776c1f3bc47db614ace18400bbcce27d3d20844cdf3ddc215b019068ae3e5cc9736f

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
523KB

MD5
41237a25435999702fe1e489b2997af5

SHA1
5015d1e9c346bf98a4d205cc25a2218690185946

SHA256
05adbc38c89f294182ac1379f612d4c2885aac3c4df3a8c6f67a6bcd89dcbc89

SHA512
75d839fb4f37bc63b44013a36973889222de491bfd7baa4cf06ccaacca096cca9ff04cefa240b643bc39711dce92a1a976deb17d5d3d445de3e6fd0d501ce5ac

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
523KB

MD5
b78a911019dd2a99e6c6ea1e18e88398

SHA1
d8da4b8b4407e3ce4f895fcd1062246ab434016a

SHA256
af3732ed805c1f6e7f85fbd9a25371ed4c34be9a530914e493163f3cb03633a3

SHA512
521d754daae655b6d4e8b6793c4611dae5631f57bf0b06ba08e72554d7a363f67e1a2ee9c6e7eb6e357beab065d277aafc33326004151b0f317aa52fac23b7cc

Download Submit