andrmonitor | 4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b

Analysis

max time kernel
149s
max time network
157s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
02-03-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b.apk
Size

20.5MB
MD5

3306391950192abec178615e5dfcee53
SHA1

73d7d97fa7943be3fb1a09021579de25f101d6f8
SHA256

4b38232db89ffc202f41fee493a84b056f1115339439efb6635d170e05bfa85b
SHA512

67e19e7dbaec8d102cd41a693a86203bf1b2ca4147d29b5d4d5b30e24969d937c1e3ef67f88ad1ecfee75fdd80ef5849ce56d10d55f9abec58f6933063932ddb
SSDEEP

393216:oyNMhsJA35z7A79L+oIv1mbgafiubcbZLbhT9i/zVN2I+TX296KpPbNiRSKcsgJk:jM6JA35z7c5KtmbBffcFLbi/zVN2Ikm4

Score

10^/10

andrmonitor banker collection discovery evasion infostealer spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	iznobhuck.ntcrxlglq

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4289	iznobhuck.ntcrxlglq
4289	iznobhuck.ntcrxlglq

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xcd83d000-0xcdacb504	4289	iznobhuck.ntcrxlglq
Anonymous-DexFile@0xcdc1c000-0xcdd466dc	4289	iznobhuck.ntcrxlglq

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	iznobhuck.ntcrxlglq

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	iznobhuck.ntcrxlglq

Requests dangerous framework permissions 3 IoCs

description	ioc
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

iznobhuck.ntcrxlglq
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests cell location
PID:4289
- su
  2⤵
  PID:4363

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
96KB

MD5
a21bc5c4848e5b50e2097f24d1bac7d3

SHA1
82812b54e79d6f461b3425e4f0080624cc12925f

SHA256
27bfaa93b790b4a84283923442af7689177006e2fc65de6b716b38ba2420963c

SHA512
c8fb0c12c0cc6c634ab9c7e62fc8f227175aecf83af646cef029edc028a5bce5507b9aa76d45b0b583ac0a5635a9aacae736d26ad2ad134692012e7cc4d3ff74

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB

Filesize
96KB

MD5
d4fa746d15d448619879e8b034ad547a

SHA1
03dea1e14f0edbc286bd1f0cf99002e1723b8faa

SHA256
2886b1b8f3e9be0e8cc66c1a8bf4411048e17d791cb19879d5195b8ab121c530

SHA512
49ab00b95320cedfe51adcce026d15af076e9e8519e8aa375bece03a18d7e851e290798b61528871ce7c6f85a7169ef1bcf645ae69f1d366b95ac620c4af2c61

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-journal

Filesize
512B

MD5
bc846d5c84bf61188446d4b1c10f90b2

SHA1
9ff3685afc78550f388fc44ab23ffc66bafb94f1

SHA256
01e103e0760b5797c1ca2cc1a08c53a1e71fcd77171a91756349a2d976f3252f

SHA512
154390d1681725bce33cc2a7d4e386297b9123422546d95b9c85dc9c3602636387dd5d0178e8852ea80e19f427c34d9d2462eaf1a03511cf289bc9dd99a69e54

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
40KB

MD5
a3e89683c2767f4830c2e0c70a16f650

SHA1
caa544c1fa8c741cecd1779d856fd9d7d35237fe

SHA256
a066ab98f9812ea9b15fd4c68c15d4b10ea6b9eed878dc295f888f1991cf21ff

SHA512
518cdbfa3f7e5eb6510a7246ffdca1c1c78cf2606e217b7132f7d5ca5f1cf145054f5a3648ef1d9b906592f91be7e75b5966c7a3f1f66e8df1d8c5b5acfbd330

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
8KB

MD5
65bc81ab5812ed18f26c49bc52c64582

SHA1
e70f4c2059caa235d3acdf94ed5a4c1e303fa583

SHA256
0716b8c3317cea42832e8c3ad499038c15d56d969e78d3aeb4bbf8e6e365c8ce

SHA512
7b4c7a37c5940878c36fbbaaeac104617fc56020b8939c356bf9906fcd194d24fc535f9d747368eeaf85e80beccf133b92c7aa54a4d0c24e48cd9a1e4dab87c1

Download Submit
/data/data/iznobhuck.ntcrxlglq/databases/SettingsDB-wal

Filesize
8KB

MD5
9bfa589275a6c37fa6f66aeea41eaefe

SHA1
787f0b229dc77c69cc6920bf11c62dcd17aac054

SHA256
d708e58991ddedb1055188067a9995214b70f79ee13643c0b9968ad0e4c41bec

SHA512
c30f35ccbbb242197dde725d3e0fcd7979dcf8f1bd53e11b4ac657b6dfc4711fdcc4a1c759ed45a090e92fc7b1fc79cf9e686d48bf0387eb3538f90736c9714c

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
1.2MB

MD5
7fe14061900237bc862f521570558808

SHA1
0658a9d25a4bd84de96d876c8adcf68d3c9bae2c

SHA256
631621e9ea04ee67dc4a70627e2e6932d9cf02df3082ec544bab81482157bcc9

SHA512
b58a7d552220828017c27cd787a0794f2e78677e07f4fea929f5a295e7513542f65c16580542902d8e9ca37043eed5325d0a5325e85b871baec6c1d84abc7e30

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
316KB

MD5
20a702b8cf6c476395841207c7b7a398

SHA1
f324f2de0f770ab662c2caeaeaa0d6589af4b84e

SHA256
b9e0d893db51780d99e915983c496fa66bb13d4c70e2895b452052fd52ce35b2

SHA512
aee5d97f9162c9f4918dc29cc9f466df617073abb98be433a0480dfb6490e89f0b20a2cb5bcc58257dce1a5369624f986858e80a582070884f5abeffcf17be48

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
170B

MD5
a284b007a768568ced1cd816ee4fdbe1

SHA1
f3f08b1f7442bc0f7a4feff02911ead8236d75a7

SHA256
04cfd9fdfc68fdc2ec81b010b1076518d7db2398e792daa509c6c2b9b2d0677d

SHA512
c370c96bcc4209ae65c94019536f9ef6c9b4b0a7224a6fd6bc9814d9bc08e30d5dafb65d797f4f3ae985d03bb66f4c32879909773032dbb5c22db366df7989b0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
149B

MD5
95ade53f2a7d60c4762b530f7dc205b2

SHA1
654ffba2084b1b182ed4e58dc61e32b1483a1611

SHA256
1effe62832e6f3a2ba12208296875a481bfb66148e82c621119bc105cd311fc1

SHA512
a3c212bc68be965ad2773bc718c7219e79e3e15f4a5d0702174bb4f7bc02d05726c8c462bd95a5a73461b0effceedf489b918f4c70698589ab58e1e3b74a45fc

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
130B

MD5
1a81b962a3d906f2fe4f5063befa4dd4

SHA1
336eb1f20f078e47ff082405a47e64f8a669d807

SHA256
b9450b5e030b8ef6b37b86a111104ccefe20ae113138934e3b6456aa39ad347c

SHA512
17856f93f7ca95e095f31ae2b74cfb6165b2ee94c364d05bd622880a5613e3f71c2e92472321f49188ebd8ded2fd811e42163bc3f98d04e24a77006f9608fde9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
61B

MD5
65d7378ef0e2bdd5890e36d750c03728

SHA1
77c6fc4ce4f09138b65ce70dd0ea089864e7ccb5

SHA256
b26b3edaf8f350f79c77c0ea511ad85ae0ad524f20f0911b46408b332c7c156e

SHA512
32e375641df74cb2fdd96a1f04c3105a2458398d466936f7e47cd25d640543a5d1104707730a11002e5af9f373064ba8aad969cdbfefc6095192cd48904afa92

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
69B

MD5
08e3a12d3fe8386b8381d895acd926e0

SHA1
03b71b9882868b4f591986ddf15c033db46c04d7

SHA256
7478460614b2c39857141a964f7df996bbe5291b81a0789a719d307dbf6694a9

SHA512
8d365104682bc0b8740db131e63d9680bd107e6430713bcfd059919b94ace53ddba05383c1102d759aecf0078f3d30907cf0d24a72c670ec40de30b9673e6547

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
164B

MD5
348be18595576716de4ae940dc81c9d7

SHA1
5368611b82dba02ccabae9f9879e98e1576f1ad2

SHA256
ca6a4766bf02be1e4c228ae417f2d9ea7771f9cba358c39fbced5a451553b494

SHA512
40be1cdd9c243956bdb8e6f8f88a5bc1b8512b4f8cbc62a7250ebe5abc15fc99616795d87c48aa7e632c552af013cd741ec8e54a142da17266e346bec128396d

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
133B

MD5
d8a0dc6133fea000b15f243a32b02318

SHA1
213e6d3d9f90bbd54c5325660d109417a805d0df

SHA256
b661b2f4d04fd72aaa0b5354d6d32fe597d9c9b3796956b7864f407e12fd9118

SHA512
2238902b684c36cb6c831469bc17cdb54ccfbc43693888afbba3df3a38b0326c4e82c88a0efa4c569a7be5a1dbd126c94f17eb023bd9dc4810f251b72c4e9e25

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
78dda7bcc39e87fe29cbef8b4d77a163

SHA1
3454381ccfa802e4ade8e705534a503cb8e91f73

SHA256
898b498d6f77ae9715d45d38b2c348591b6ec8bcf2d7afba520fa18b078191ca

SHA512
a6a8eb50cb799baf519f879ae8df002500475f7fdae6b6ba263b4a2863ae4e23f08117049285d567104def1eda60f4cc0983f59630b580874e16dcaae03caf1e

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
12060b872b8818e8ff3534a442e7a4b1

SHA1
2425c98dafd49d92a86b762505edb2e117655f9b

SHA256
daf7a891f9c49b70243552ac92789245f5960c6f8795295c3dbb3ca5f9eb56a5

SHA512
06f32236002854bfd99304e4fcfbf52ef78144805b8870b143e775c7c42b80133e59bd678168b695eb498c8023cdee75cbdba83228aaf1e0df8a23fb76e234b5

Download Submit
/storage/emulated/0/.am/log_1709356317175.txt.zip

Filesize
217B

MD5
06b0acb65763aec3161ec541d472e71b

SHA1
ffa15a513814d5f62835f098ec665ae9ca8fe46d

SHA256
1e9e53a46321126f2783febb9c7142056427f5077e0391d0945fd10ae34f4749

SHA512
2564e38a18afde2155d3859b52c4ec2a7c4fa74066bd9ef66ea15cc88375f5ccf4c7d9708ee7df4f2339f2bb96d3478dd3bdb80ec48ae96fb5b74ff07499ae5c

Download Submit
/storage/emulated/0/Android/data/iznobhuck.ntcrxlglq/files/Download/mch.apk

Filesize
25KB

MD5
3e9d5fc4422c976eda3559a777f00350

SHA1
693e9caa401ce3df81954819fb715aba6f4ac18f

SHA256
1e8865b40d9ad964489cde06b85624d772bd5e325aa8d7458d9672dde1ec3eb9

SHA512
0cb590c9593a89680ade31e4735cf78201bc35ae2a5eb647740c0afb815a56b38764942b84d42ef3a211cfe993b9896136805162224c0bbc982abb2868de4407

Download Submit
Anonymous-DexFile@0xcd83d000-0xcdacb504

Filesize
2.6MB

MD5
ba8f3d6915944853db58788045adef51

SHA1
198562ac8724166ee6b9a56d47ad66ddbd9eb335

SHA256
0f5b826f16eb47718340d7331b232cb5d88cc5df249c67d32a25f3b8f3e94ed2

SHA512
003918de4c7c0f7c12f1246038aebe70e805c240bceba062e60e040004bc15ec44aad3232a6f9cbd2ef1a9a790e609192216e5577994f04374d48ec534b94422

Download Submit
Anonymous-DexFile@0xcdc1c000-0xcdd466dc

Filesize
1.2MB

MD5
ea1666d1e54e80c67d0fd8291b2b2813

SHA1
7cef9ba94f0be6c627ca73764ddb2598966aafc3

SHA256
84db9e19f78b846657b65eda5b6c8b7a3d3a8eb76fc0a3cbf01990083daf8e2b

SHA512
751c608e201b83f4de66d668f90e0e5f54eb2866a364670b7981c96525d675a8dd46816e887c44e866416b55f37d24d754a9047b1e4068005bd8bed3191c6e64

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads