Analysis

  • max time kernel
    140s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    10-03-2024 22:03

General

  • Target

    c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk

  • Size

    1.5MB

  • MD5

    ffa54751315a246d14b966230632a6d7

  • SHA1

    2e7549273d71654567dae8b71270e5ad50fc93db

  • SHA256

    c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2

  • SHA512

    6df02db6a7c23ef59e5c0800e97f4c5399f617bb5ca3e2fcc3d5723105b99f28a946b7c45bafe1501b53e4f62b9380467198a0c02d8a40d13c0c13fb79e4f1f0

  • SSDEEP

    24576:Ff6RGkqHcKx4SpCMSe7vkVMSv3g/+BnZ67IOtNKeTMxg7Hnu:FfqGkq8enpPSeK3bZoIOtNKeQa7Hu

Malware Config

Extracted

  • Family
    eventbot
  • C2
    http://pub.welcometothepub.com/gate_cb8a5aea1ab302f0_c
    http://marta.martatovaglieri.it/gate_cb8a5aea1ab302f0_c
  • AES_key
  • RC4_key (9 entries)

Signatures

  • EventBot

    An Android banking trojan that first appeared in March 2020.

  • Makes use of the framework's Accessibility service 2 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.d06fd321.f177b304e2c0.ae3ca3f4 (PID: 4178)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar

    Filesize

    46KB

    MD5

    9ffa20cbdb632e72222bdf2d1c89bdbb

    SHA1

    2f41f99b936b1fd0382452b175d9e2e0f70ae4df

    SHA256

    b3a0692eddbb3a03a3913904d16b2d5bf335264efa494171840eaf50c683a76d

    SHA512

    829a9f8967ab363a54ecb8dd4dc303ba6f15b7e8d10323ccca3e82ba4df01d46e9f5c23015971df14483b50eec4e88b4af4deb2d27c9523f4ad4da3b0c323124

  • /data/data/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/oat/f2d49596a51f0ed43a27f1f7f85117.jar.cur.prof

    Filesize

    261B

    MD5

    c0f04572d128a16bd1c66f6a89dc0221

    SHA1

    7c6410b1b32325c4c7b8777b6bdf454bcb5ca082

    SHA256

    434609065c3fc9d03c80c9fc9a9f402e571142126a0666bc72ab75b955cc31c2

    SHA512

    b033ebe834e91e54c907c520632cff562bdd3bf5addcc18e041c7677f82cb79024c3c28bfad8681f70480e18ff58df0c8521ba8cf16792c268ca85c209c89849

  • /data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar

    Filesize

    113KB

    MD5

    929bc0f1e14c153be1dbe6ad1bc84b9e

    SHA1

    9ffdd62b369aa4ce9c6ac6964059e3107f817d36

    SHA256

    b13b1a1d4c156147af1f8dae31f7bfaa7f509d27ecb190a4d033bbd7faac145e

    SHA512

    8f4b94c3177b4356bc960f7364beeaaf81845a5bc38d2bbdb4ac84365bb05e3e9ba8cecbaf97aa20249f4133280f058e0cd2813825f4555a2e35eb5766b0c392