eventbot | c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2

Analysis

max time kernel
21s
max time network
162s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
10-03-2024 22:03

Target

c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2.apk
Size

1.5MB
MD5

ffa54751315a246d14b966230632a6d7
SHA1

2e7549273d71654567dae8b71270e5ad50fc93db
SHA256

c737418c4c5f2791006f78249a005fed2106d7c332031f11fb240e2a3b02eff2
SHA512

6df02db6a7c23ef59e5c0800e97f4c5399f617bb5ca3e2fcc3d5723105b99f28a946b7c45bafe1501b53e4f62b9380467198a0c02d8a40d13c0c13fb79e4f1f0
SSDEEP

24576:Ff6RGkqHcKx4SpCMSe7vkVMSv3g/+BnZ67IOtNKeTMxg7Hnu:FfqGkq8enpPSeK3bZoIOtNKeQa7Hu

Score

10^/10

Family

eventbot

http://pub.welcometothepub.com/gate_cb8a5aea1ab302f0_c

http://marta.martatovaglieri.it/gate_cb8a5aea1ab302f0_c

AES_key

RC4_key

EventBot
A new Android banking trojan started to appear in March 2020.
banker trojan infostealer overlay eventbot

Makes use of the framework's Accessibility service 2 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.d06fd321.f177b304e2c0.ae3ca3f4

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.d06fd321.f177b304e2c0.ae3ca3f4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
banker discovery

T1418.001

Processes:

com.d06fd321.f177b304e2c0.ae3ca3f4

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.d06fd321.f177b304e2c0.ae3ca3f4
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.d06fd321.f177b304e2c0.ae3ca3f4

pid process

5032 com.d06fd321.f177b304e2c0.ae3ca3f4
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.d06fd321.f177b304e2c0.ae3ca3f4

ioc pid process

/data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar 5032 com.d06fd321.f177b304e2c0.ae3ca3f4
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.d06fd321.f177b304e2c0.ae3ca3f4

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.d06fd321.f177b304e2c0.ae3ca3f4

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.d06fd321.f177b304e2c0.ae3ca3f4

pid	process
5032	com.d06fd321.f177b304e2c0.ae3ca3f4

ioc	pid	process
/data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar	5032	com.d06fd321.f177b304e2c0.ae3ca3f4

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.d06fd321.f177b304e2c0.ae3ca3f4

/data/data/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar
Filesize
46KB

MD5
9ffa20cbdb632e72222bdf2d1c89bdbb

SHA1
2f41f99b936b1fd0382452b175d9e2e0f70ae4df

SHA256
b3a0692eddbb3a03a3913904d16b2d5bf335264efa494171840eaf50c683a76d

SHA512
829a9f8967ab363a54ecb8dd4dc303ba6f15b7e8d10323ccca3e82ba4df01d46e9f5c23015971df14483b50eec4e88b4af4deb2d27c9523f4ad4da3b0c323124

Download Submit
/data/user/0/com.d06fd321.f177b304e2c0.ae3ca3f4/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar
Filesize
113KB

MD5
929bc0f1e14c153be1dbe6ad1bc84b9e

SHA1
9ffdd62b369aa4ce9c6ac6964059e3107f817d36

SHA256
b13b1a1d4c156147af1f8dae31f7bfaa7f509d27ecb190a4d033bbd7faac145e

SHA512
8f4b94c3177b4356bc960f7364beeaaf81845a5bc38d2bbdb4ac84365bb05e3e9ba8cecbaf97aa20249f4133280f058e0cd2813825f4555a2e35eb5766b0c392

Download Submit