Malware Analysis Report

2025-01-19 05:36

Sample ID 240313-qyf1qseb4v
Target 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6
SHA256 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6
Tags
evasion stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6

Threat Level: Likely malicious

The file 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6 was found to be: Likely malicious.

Malicious Activity Summary

evasion stealth trojan

Removes its main activity from the application launcher

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 13:39

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 13:39

Reported

2024-03-13 13:43

Platform

android-x86-arm-20240221-en

Max time network

173s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 13:39

Reported

2024-03-13 13:42

Platform

android-x64-20240221-en

Max time kernel

155s

Max time network

152s

Command Line

quasar.bistrocook

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Processes

quasar.bistrocook

Network


Files

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-13 13:39

Reported

2024-03-13 13:42

Platform

android-x64-arm64-20240221-en

Max time kernel

151s

Max time network

132s

Command Line

quasar.bistrocook

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Processes

quasar.bistrocook

Network


Files

/data/user/0/quasar.bistrocook/files/Config

/data/user/0/quasar.bistrocook/files/Timer

/data/user/0/quasar.bistrocook/files/Timer

/data/user/0/quasar.bistrocook/files/Config

/data/user/0/quasar.bistrocook/files/Timer