Malware Analysis Report

2025-01-19 05:36

Sample ID 240313-rz3rkahb92
Target 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6
SHA256 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6
Tags
evasion stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6

Threat Level: Likely malicious

The file 55aa4dcfc250ca84ca996cc5f0f05cf25ed72249776e163564af1d37cfb0b3b6 was found to be: Likely malicious.

Malicious Activity Summary

evasion stealth trojan

Removes its main activity from the application launcher

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 14:38

Signatures

Requests dangerous framework permissions

Description                                          Indicator                                  Process  Target
Allows an app to access approximate location.        android.permission.ACCESS_COARSE_LOCATION  N/A      N/A
Allows an application to write to external storage.  android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 14:38

Reported

2024-03-13 14:41

Platform

android-x86-arm-20240221-en

Max time kernel

145s

Max time network

140s

Command Line

quasar.bistrocook

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Processes

quasar.bistrocook

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp
US       1.1.1.1:53           acal.acalaman.com        udp
PL       51.75.52.77:80       acal.acalaman.com        tcp
GB       142.250.187.206:443  N/A                      tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.204.78:443    android.apis.google.com  tcp
GB       172.217.169.10:443   N/A                      tcp

Files

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 14:38

Reported

2024-03-13 14:41

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

136s

Command Line

quasar.bistrocook

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Processes

quasar.bistrocook

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           acal.acalaman.com         udp
PL       51.75.61.103:80      acal.acalaman.com         tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.179.232:443  ssl.google-analytics.com  tcp
GB       142.250.200.46:443   N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp
GB       216.58.212.228:443   N/A                       tcp
GB       216.58.212.228:443   N/A                       tcp

Files

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Timer

/data/data/quasar.bistrocook/files/Config

/data/data/quasar.bistrocook/files/Timer

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-13 14:38

Reported

2024-03-13 14:41

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

132s

Command Line

quasar.bistrocook

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Processes

quasar.bistrocook

Network

Country  Destination         Domain                    Proto
GB       142.250.200.46:443  N/A                       tcp
GB       142.250.200.46:443  N/A                       tcp
N/A      224.0.0.251:5353    N/A                       udp
GB       172.217.169.46:443  N/A                       udp
US       1.1.1.1:53          acal.acalaman.com         udp
PL       51.75.52.77:80      acal.acalaman.com         tcp
US       1.1.1.1:53          ssl.google-analytics.com  udp
GB       216.58.213.8:443    ssl.google-analytics.com  tcp
GB       216.58.212.228:443  N/A                       tcp
GB       216.58.212.228:443  N/A                       tcp

Files

/data/user/0/quasar.bistrocook/files/Config

/data/user/0/quasar.bistrocook/files/Timer

/data/user/0/quasar.bistrocook/files/Timer

/data/user/0/quasar.bistrocook/files/Config

/data/user/0/quasar.bistrocook/files/Timer