andrmonitor | 4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b

Analysis

max time kernel
149s
max time network
152s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
01-03-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b.apk
Size

20.5MB
MD5

3306391950192abec178615e5dfcee53
SHA1

73d7d97fa7943be3fb1a09021579de25f101d6f8
SHA256

4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b
SHA512

67e19e7dbaec8d102cd41a693a86203bf1b2ca4147d29b5d4d5b30e24969d937c1e3ef67f88ad1ecfee75fdd80ef5849ce56d10d55f9abec58f6933063932ddb
SSDEEP

393216:oyNMhsJA35z7A79L+oIv1mbgafiubcbZLbhT9i/zVN2I+TX296KpPbNiRSKcsgJk:jM6JA35z7c5KtmbBffcFLbi/zVN2Ikm4

Score

10^/10

andrmonitor banker collection discovery evasion infostealer spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	iznobhuck.ntcrxlglq

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4261	iznobhuck.ntcrxlglq
4261	iznobhuck.ntcrxlglq

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xc8ae1000-0xc8d6f504	4261	iznobhuck.ntcrxlglq
Anonymous-DexFile@0xc7ee3000-0xc800d6dc	4261	iznobhuck.ntcrxlglq

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	iznobhuck.ntcrxlglq

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	iznobhuck.ntcrxlglq

Requests dangerous framework permissions 3 IoCs

description	ioc
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

iznobhuck.ntcrxlglq
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests cell location
PID:4261
- su
  2⤵
  PID:4343

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
96KB

MD5
23e07833fad0a234ba0955f3d4c1b83e

SHA1
686368d76f8e73e8e7ed2618a1ba372de08de693

SHA256
55a8cec3d11f14050fe40116ca7a37fd94bfb43795b5dafd0fa96d4a197fd335

SHA512
f223e7b799c68c7467bf1cf8bbc89a2dfe3ea1cecbd948b49221f85cbf29fc7a1040d1c45e67bc178bc618ed2d0e8bf38e2c93b37aa342b4c469fe0b56a8060d

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
96KB

MD5
b8e6084e054c595300c47aa40e15fc76

SHA1
7a8baba0541665e360b451ced7e75dd02bd92cb4

SHA256
7144816486549a1a85af325263c13a6b2d4e99fdd2f9f3f72a36e5955defb12e

SHA512
01f66376fcb0b638b8e3449dc8b4fbced57415ea9281ae71e4fb5a2c2dae39a1c838e7449355ed82ea2e9b2b40e161a0e9cf20f179b02893a507f45e17337771

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
96KB

MD5
3a00d6c749ab3403e4dbcaa186a2f66d

SHA1
e60f05fda800081ab924dcb36e55204b5af031d3

SHA256
e85efbc15e60ac39447011677012a557453ded115cdf0850fa3c8c3e568fe2ff

SHA512
942cc112b0149fb1d75cdb6f68e1b9a2869426eec6a84b770ecc8d397420b5da1ec9be8cd854a72dcf83ba3f2d86d721c374287149a6f4cdd22e4674e9cc3373

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-journal

Filesize
512B

MD5
b74d04d036940cb73ce59611f023a022

SHA1
77038735542aa1c2a54d63625d93bab4490b667e

SHA256
51c0ea36a12354491e49f7be72e66cd82cf55fe83b476bb67910bc385f8de04d

SHA512
abee473cb10f62c380964273296928e8bbb9ba77368c19b6398f90ef49f6299a1dac78610fed679a998b20971127bef7c224c6787ec61d3f59a99e31a50dfa70

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
205KB

MD5
19b3e3fafd335cf792544b0a17b36518

SHA1
e8cb1f9c96ae095707d0d77af99707d5263a6730

SHA256
1340030d3a9bdc9eab013501272ab5c7e8084a04a06d9e182656c5b4423508cb

SHA512
0d7725806ac08c8eb7514a8cfd413582443eecdb3e8d5c354f7e3d91db66130ced2aa1d0e7a8544de46e0f1c51c218a08cfe1d4fd8cd1d4dfbbaabceb515b13d

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
4KB

MD5
85da8a013037b558d91ec3d56f951abe

SHA1
5aaf38bbc4ba05a0f37a556592dd2567efbdb7c1

SHA256
b82f6ba8a9762a3c746bf456f8095559c2b6523945a3540deabdb0055c79925a

SHA512
a2f10f24e7881caaaa824a829f863b9a37f9c1e45f87bb717f77ca92e91aad15fd2543b09f5c8f1e39c501eb4f5869fdc6b7a63c15e0ff38c20f85e325c7a700

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
8KB

MD5
250fdb921e7db8ab5f630be04895bbb4

SHA1
f95f3800e68b89ad97436899df5a8c0c86bb99fd

SHA256
d0201908e478da59a692fa1e67ed4931bd213607c773ff607103b869854cc3e0

SHA512
90443550efd41a5626f7445e94580301b4442aaefc9ecc21d12322db1cfaf59ff16312f00f9443fa8987e0c79ca654eaa865a5993cdab471b14d6178b1b7191f

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
8KB

MD5
d97f709683d5d2b88431c5a7074a8de4

SHA1
b3ac19adba8f8670d20715c6fca7343b85f9716c

SHA256
eb771cb4c364345ee74d82207b4dbc5470be6f0ac2465790ca9d9746aa7edad6

SHA512
5b27e14a3021a72a11d2e3e42069273d847284e7cc806cb8e19f590907a59d88a03c1f324f90610cdf345a2b5bc75cf712e3bd0743439d6f698edbfd731793c8

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
8KB

MD5
cb55d2a1238bbff468e5a94548d6a739

SHA1
ccb683151bde92f32b3d7d6596111cb2b6b2240f

SHA256
648a7961a8c9d373c8ba57fd77cc3ad86c8e9fe5b32b47781facb4bbfceb91d5

SHA512
69eb29cf4f4eaf75f2280b5587788fdabebe3be79c8b1bb81c55a5f8c88914a6c108e9b2035b317b9b3b258aface4b2dab618cf88a69cb32b3fb1ef11103eb61

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
76KB

MD5
4d4425560335e54826fdc46d2fa1f172

SHA1
855e81560e402303e462728c33f345938abba671

SHA256
cd61c80ef991533808e8dfefda9b50d1baa17fad7581dbd269ca7edaf7bcc53b

SHA512
086f958b0c25a2723396c1b3e9b191a7698579046e2935f080a10b450c23588a4520264c0508b23fc1c6e5c1fa0cd0115379cac1b625a2c7f4eb05249adf3f0d

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
d8d9b85813e38cf8944dae8dcee6741f

SHA1
4df0493630565537092e5103a2eac78b9c42b509

SHA256
c5b4638af9ef95c87a26acc25fd095727ae202a3b78e7484fa7e9ebcaece71b2

SHA512
62af911be5cb92df1db591c87691c2e4c72057b16bba85959cf27d0bb9efd034c3a70fe05eefafaec00a163f714d8af081b0d795bfae2325d8dce2593c2482be

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
170B

MD5
8048b3e4306cdf9befb07a30c3cf6491

SHA1
8f0e04526a0eedb3e009863fb37d7f0ed66efddd

SHA256
22a40d9dc448e758489224d8006c362ad20ec3b7cda03537a16dbc7b913a48ee

SHA512
15679db7d7eae8e9c797a362d81505895c481fd8f955d35d90242f7a7948d65ba8607a835b008e428d6080c43fd1d73f03491ef9a3f53960667715229b87f470

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
149B

MD5
cf1ac1a00c2c001e1d268638a06e78f2

SHA1
931bbc33e66c38d892fc35b4c1bdd8d20761cb35

SHA256
c3c39dbfdbd03b59e76239ab72f893ec1eef39bd3e8ccb787c14b1badd1772ad

SHA512
401669738f051b649d204cc710b592508bf9ba5add21afbabe1ba11b127fd51804fea37d135c8764dcb1c78981883b2b0a5e6a3eac7d9df66502ee7d57add069

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
130B

MD5
c5388c394bde10e2ef196e42fab99fe0

SHA1
e52dd93a31f4a292f905672c114f1a0fd95be875

SHA256
31c0d654e46028bcf80d3e15501c8a237c38e9bfbaf79a76047ca7767d33c284

SHA512
bcaba971b0971ee5b6a6ba91f3ac8e913aa910008c913a2aa2c9a4e5efd7d8b655b30735d737e5ee42dd5cfe7930fab8e82b7ffb119b18e2aaa50dca932fb8f1

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
61B

MD5
e3c63373b0f84bcb4581380c27ff88bf

SHA1
b2660c25f983f1375321e4406e960d67ca3442ee

SHA256
6c5e13844ff0f4d5013712656dcf665661d8b23d9e49fbdda9bcf9e296146e30

SHA512
9609df789d9d3baa032d261219f15ed1c1805e1d1513c5bf46dd7cce457fb8efe2980bd44fae6a1756ee4806c2b2cba7bfba7d863bc9fd109682dc9ec4b24d72

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
69B

MD5
6bab4e4d9625fb0f57994e0c2020c654

SHA1
0c486314c14f7cf8e87f239c4456aaa5081e1173

SHA256
aba69a7e8eb6028cef31a82ce0fe7e595487a8bc7f3f04553e8acb21331b20ca

SHA512
d94474aace1f2b263c20fba8308f2298af5437deeb796163fb14e752880fa2986046c7abf846ef8aa3a162c60f22c6b347228540047ac1282581ed546c1a2651

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
164B

MD5
0a1ebcd6f4b3360fc598d70f8a62810e

SHA1
554ae5a814660e96718064a18fb5132c0ecf17f2

SHA256
54bf131dbc0793047ba9a5a6982e845a7efb3b13af95a091fcefa890c3c8cc90

SHA512
408e829f2e1460dc5d122fccacf9a5f0e9575947312e7897e0b9821cfd48f82a82cbab3d88a1a8832e097fe5855ac11c0f387094419e705cb0f6f35b7660c41e

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
133B

MD5
9d32a4c5d717492703ae8bb2224d633d

SHA1
c486386fe69499bfde957ca24f74f7d64da98bee

SHA256
da5e251eb8d6c14b7ab7a9a62ce972fd7de70b3833cb6766413bd372348ed62b

SHA512
108cbfaddc3f8fa14b0b77262ee5a1eac257b4a492cea8da82a175a5ee24ebb803d149e7b364ac97889aee1a9b29dfb5bb104b5f7363b553b91509c614534b56

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
372b5766c7839d72e7c5c822f445aaac

SHA1
d58e682301479ed717ba7ba886e249030321f64a

SHA256
9a635647fc7a33944aec525c4850857c187fffeea83b91cff1e7a6defa74a783

SHA512
bed89ecc4418e027e5e2b484e6b9b8b74c06b7f4a1a79a9550109106d2c08c0b9b63ba122c328acfa9f2157e45c1379d12e33933b79904de67b7444ff0915190

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
efc66fc586aed00b8b1cf9849ad4c6c4

SHA1
b012980d7f1191d5d888f4bdd35bab597f1d6f41

SHA256
2b550edb633083e063fc0b0029164e6cf5ea6512b3ee3c19b4302e49388a4da3

SHA512
61896601129bb052de40cdc1e225c08a867995d9fb70be603c0af6b2c14e696bf5c95d896c21a64c4e47e953ac3f15e334ac8e3dee41accf36efc2b5b00c30c1

Download Submit
/storage/emulated/0/.am/log_1709258242860.txt.zip

Filesize
217B

MD5
4dccb1c324ed48c294c87d35996d3205

SHA1
f54ecab605009e4733cad96858fa1fe608d2a1ce

SHA256
97642d747e62f1dee48600b5dac7ea2d042a2b1af72716c4976f1fc564f48446

SHA512
7ecc09b832d4406e9a9bbf8f7cf32e87b4501373944bad89a972fe25aa1be2d5d063d29cf04c2a19673d49f6282dfe5a7848c41a7f77f5f8567f62fc3ad40398

Download Submit
/storage/emulated/0/Android/data/iznobhuck.ntcrxlglq/files/Download/mch.apk

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
/storage/emulated/0/Android/data/iznobhuck.ntcrxlglq/files/Download/mch.apk

Filesize
64KB

MD5
fc1e8b284031201103e5895c243bc0bd

SHA1
e65ef20d7bfb3a8b039d606396c796d97016c432

SHA256
eab1a37866b3cde01a36d72d53d6fc163cbee74367bff35c3efda8773fc1276d

SHA512
090088ad637ff65396a73a62db1a41700a0b34919577de67846d2c92842412a2893bc3768eade2143361a037d7ce7bcca374167dedbd835119ba781b3f1c8b8d

Download Submit
Anonymous-DexFile@0xc7ee3000-0xc800d6dc

Filesize
1.2MB

MD5
ea1666d1e54e80c67d0fd8291b2b2813

SHA1
7cef9ba94f0be6c627ca73764ddb2598966aafc3

SHA256
84db9e19f78b846657b65eda5b6c8b7a3d3a8eb76fc0a3cbf01990083daf8e2b

SHA512
751c608e201b83f4de66d668f90e0e5f54eb2866a364670b7981c96525d675a8dd46816e887c44e866416b55f37d24d754a9047b1e4068005bd8bed3191c6e64

Download Submit
Anonymous-DexFile@0xc8ae1000-0xc8d6f504

Filesize
2.6MB

MD5
ba8f3d6915944853db58788045adef51

SHA1
198562ac8724166ee6b9a56d47ad66ddbd9eb335

SHA256
0f5b826f16eb47718340d7331b232cb5d88cc5df249c67d32a25f3b8f3e94ed2

SHA512
003918de4c7c0f7c12f1246038aebe70e805c240bceba062e60e040004bc15ec44aad3232a6f9cbd2ef1a9a790e609192216e5577994f04374d48ec534b94422

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads