teabot | bd0390766d997a2f74af7f563219bc53a095fd7cd7edda0143e86d1b218b13e1

Analysis

max time kernel
2963752s
max time network
130s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
24/12/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0390766d997a2f74af7f563219bc53a095fd7cd7edda0143e86d1b218b13e1.apk
Size

3.7MB
MD5

12d484ec42fce57aef35ba1ee71b7956
SHA1

2a1400ed401aa5cace9609c32ebf8d168acd58ff
SHA256

bd0390766d997a2f74af7f563219bc53a095fd7cd7edda0143e86d1b218b13e1
SHA512

288e71fe7121b2b0fc51dae92932af984fb54eaf2b1bc6e8b071b28358cbc0c9c240fb32c01b2106614cce2ef0f617704318746917a87fbc13db1d47b7b827f4
SSDEEP

98304:b0vbtMkG1CR4Ud1/HOtIuHTqaSkF85jLD8cEv0P:b02D+exHJSy85jHEe

Score

10^/10

teabot banker evasion infostealer stealth trojan

Malware Config

Signatures

TeaBot
TeaBot is an android banker first seen in January 2021.
banker trojan infostealer teabot

TeaBot payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_teabot
behavioral1/memory/4486-1.dex	family_teabot

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	enhance.twist.there
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	enhance.twist.there

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4486	enhance.twist.there

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json	4486	enhance.twist.there
/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json	4541	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enhance.twist.there/app_DynamicOptDex/oat/x86/dAjX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json	4486	enhance.twist.there

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	enhance.twist.there

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	enhance.twist.there

enhance.twist.there
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4486
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enhance.twist.there/app_DynamicOptDex/oat/x86/dAjX.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4541

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/enhance.twist.there/app_DynamicOptDex/dAjX.json

Filesize
1.4MB

MD5
13fa02ede4c8f08aee28e34635b7080c

SHA1
d1f223226269a855173b79e41ed663db06d43834

SHA256
2704656e1b36047855f416132c9e15cf25bad8dcbbf1d3d99c67612661398b6d

SHA512
237148f5fb6983dbed360e336c3cad2d5d919d58e4086e72a0d71520c50d59ebdd80c91302495012058eba5c952a268c7a20a8a62eb4f21c3616d92193b75b72

Download Submit
/data/data/enhance.twist.there/app_DynamicOptDex/dAjX.json

Filesize
1.4MB

MD5
6a2bea327fa4955baf7cc5cc549747c3

SHA1
40ec234f83439eb0cdb2270f65b266d244b25298

SHA256
fdf9880ac07430bd890b23d321534647693c2c8f564ce7949f49bbf307b5e019

SHA512
5756c2a669708f7149baca3620613935583a2d175f20641c23ce4b19ac5d0502ae839b0a2932be0890a060687c8fd3f8f2d5dcb258f317946dfa50394ef7cb54

Download Submit
/data/data/enhance.twist.there/app_DynamicOptDex/oat/dAjX.json.cur.prof

Filesize
1KB

MD5
9c6b90138c3a34459037b6d5769683c6

SHA1
43f79b1e1b68a5829dd63d3514b84d227a14ece8

SHA256
f9dbdee86d893a8f289b0d617f52e10141b0e990870ead1228db6e3116d0f365

SHA512
d5dff931d90eb18a2ce992106ca3aac0c98dc4ed49910aaa4bce820af180ba7f6d64f7f25d48dc9a63b71f3832a3e77739034c0bc71839280a70d56db7893401

Download Submit
/data/user/0/enhance.twist.there/app_DynamicOptDex/dAjX.json

Filesize
1.4MB

MD5
bfe3c5e0b4260c01f9fc25f4ea7c20a9

SHA1
c5e10dc2665caca59c160fdd18b35ccb22e53fa8

SHA256
92dd0496b94bee5800cee2ac85f01bd0071bccdbe1d47a1552d56f43e88363d4

SHA512
139a5b2e0ba73525e49787908fbd30b520a05c6c566cb7cab9fc34be779e7831baa683af5490a27a91c64c193f19fc7d784e30dd3bc4f23354b3c968611e6f79

Download Submit