teabot | 767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096

Analysis

max time kernel
2280256s
max time network
151s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20/12/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096.apk
Size

1.2MB
MD5

c8793b4d4b5bedec055b8226358ed00a
SHA1

945feae70d7f65d36b30f97fe3ad5c995bc37bfc
SHA256

767c218be4e7d2c99ee9c8b36128ac932d2dac0e3792ce638b804083f75e1096
SHA512

ee9bff8b99de34ef8e283bca0ff3acf74a02abe9bc24bcb48396d96f21871bc366dbdcce0912b2477286146ad1ff3dfcca549a6e3dfabc00b2a78efd6a4bbcdc
SSDEEP

24576:N/bg0gs5w15vsuVe3DDFdeCpt8xCHuLTbFpOTg49FVXDTNMDCV:N/U0b02DDp2HFM3XGmV

Score

10^/10

teabot banker evasion infostealer trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4611-0.dex	family_teabot

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.stone.observe
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.stone.observe

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json	4611	com.stone.observe

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.stone.observe

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.stone.observe

com.stone.observe
1⤵
- Makes use of the framework's Accessibility service
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4611

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
200KB

MD5
3ca956b3cc5c45ba72bb60d9fcced6e0

SHA1
8e674da3cde440af60a54647bae818d50f4a47cc

SHA256
82a063c41dad8f1e172bfcdfd399aad9b4a73790697765810578799cb2887cab

SHA512
aee8722d6d9520e21cf2b4cfaa3ec3361878881eeacdbbd0fc40d8534f80a50d7bbf184561d1a13fef5659d444fa1edbd1de1b80dd222451a870cd8525513cad

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
200KB

MD5
c830784444dbaaf7e087a95c4d7ae2a8

SHA1
4d4a76997dfe510187f618731f7d0a67fc98da17

SHA256
366f0ae481e3fe81c4682c144925bd901b5567df6e956c382f056af9dc4484ab

SHA512
bf2d7a74a32fe45da083e5c9421411232b016f599f641971a9b0305091804b755027f42d23d7aeb0c4c47993acc9f6a68d4a80f31aa248a058cea8e169ccd977

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/kwLBB.json

Filesize
523KB

MD5
b78a911019dd2a99e6c6ea1e18e88398

SHA1
d8da4b8b4407e3ce4f895fcd1062246ab434016a

SHA256
af3732ed805c1f6e7f85fbd9a25371ed4c34be9a530914e493163f3cb03633a3

SHA512
521d754daae655b6d4e8b6793c4611dae5631f57bf0b06ba08e72554d7a363f67e1a2ee9c6e7eb6e357beab065d277aafc33326004151b0f317aa52fac23b7cc

Download Submit
/data/user/0/com.stone.observe/app_DynamicOptDex/oat/kwLBB.json.cur.prof

Filesize
965B

MD5
00084242d71ba62cd969641bd78239bf

SHA1
cd80d3fe6398f0cb9fa0105b334ebd3b6af071ab

SHA256
df65a64069d8b63df3317cb721f004681991d35b875a0594c20c09f0ed170d4c

SHA512
12832138331933206e068791d3e66efe9035babcb2f02fd9f060e7b9a1777182b207dd1aa0901168f824c80858af571622d0c1e56b83896445c27ba582fda5b7

Download Submit