teabot | 767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096

Analysis

max time kernel
2280242s
max time network
153s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096.apk
Size

1.2MB
MD5

c8793b4d4b5bedec055b8226358ed00a
SHA1

945feae70d7f65d36b30f97fe3ad5c995bc37bfc
SHA256

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096
SHA512

ee9bff8b99de34ef8e283bca0ff3acf74a02abe9bc24bcb48396d96f21871bc366dbdcce0912b2477286146ad1ff3dfcca549a6e3dfabc00b2a78efd6a4bbcdc
SSDEEP

24576:N/bg0gs5w15vsuVe3DDFdeCpt8xCHuLTbFpOTg49FVXDTNMDCV:N/U0b02DDp2HFM3XGmV

Score

10^/10

teabot banker infostealer trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json	family_teabot

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.stone.observe

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.stone.observe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.stone.observe

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.stone.observe

ioc pid process

/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json 4918 com.stone.observe
Acquires the wake lock 1 IoCs

Processes:

com.stone.observe

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.stone.observe

ioc	pid	process
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json	4918	com.stone.observe

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.stone.observe

com.stone.observe
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Acquires the wake lock
PID:4918

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.stone.observe/app_DynamicOptDex/kwLBB.json
Filesize
200KB

MD5
3ca956b3cc5c45ba72bb60d9fcced6e0

SHA1
8e674da3cde440af60a54647bae818d50f4a47cc

SHA256
82a063c41dad8f1e172bfcdfd399aad9b4a73790697765810578799cb2887cab

SHA512
aee8722d6d9520e21cf2b4cfaa3ec3361878881eeacdbbd0fc40d8534f80a50d7bbf184561d1a13fef5659d444fa1edbd1de1b80dd222451a870cd8525513cad

Download Submit
/data/data/com.stone.observe/app_DynamicOptDex/kwLBB.json
Filesize
200KB

MD5
c830784444dbaaf7e087a95c4d7ae2a8

SHA1
4d4a76997dfe510187f618731f7d0a67fc98da17

SHA256
366f0ae481e3fe81c4682c144925bd901b5567df6e956c382f056af9dc4484ab

SHA512
bf2d7a74a32fe45da083e5c9421411232b016f599f641971a9b0305091804b755027f42d23d7aeb0c4c47993acc9f6a68d4a80f31aa248a058cea8e169ccd977

Download Submit
/data/data/com.stone.observe/app_DynamicOptDex/oat/kwLBB.json.cur.prof
Filesize
1012B

MD5
0def9066bcf1a82b0334189a32f01dbe

SHA1
83576f3c0b239763e057008b0c8b4fcbe28a3bd2

SHA256
1255b5e02f2f005c85a8bc43fdd111c0bf7842368cf1144481be0e5072f769f3

SHA512
1efd5339b083cd96b724b165af6993e22066d744205e06dd9f79354e17c085f8cf23487708dd2ac5dc4175bca9cff8600cdd4f82d47281c395b7a0d5f948275e

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json
Filesize
523KB

MD5
b78a911019dd2a99e6c6ea1e18e88398

SHA1
d8da4b8b4407e3ce4f895fcd1062246ab434016a

SHA256
af3732ed805c1f6e7f85fbd9a25371ed4c34be9a530914e493163f3cb03633a3

SHA512
521d754daae655b6d4e8b6793c4611dae5631f57bf0b06ba08e72554d7a363f67e1a2ee9c6e7eb6e357beab065d277aafc33326004151b0f317aa52fac23b7cc

Download Submit