andrmonitor | 90d315e1f02685be8a04b7a89da79968d6ad3275261b55d3c2877c3612400684

Analysis

max time kernel
136s
max time network
145s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
01-04-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d315e1f02685be8a04b7a89da79968d6ad3275261b55d3c2877c3612400684.apk
Size

20.5MB
MD5

5ecc15afe2f4f3499403c04ae8fa20a2
SHA1

7546d3959a7069eeb58f12dbd426b1de3b61cfe2
SHA256

90d315e1f02685be8a04b7a89da79968d6ad3275261b55d3c2877c3612400684
SHA512

e70ed0dd452d6ed9c9c396f9da2a96b8423bdfab097a29f5623678ed6e56d60de6b25dec7aff8544964ee45baf83efd7d7e998c970285b55140a7648c693c6f2
SSDEEP

393216:3v9/9sJA35z7A79L+bm91mbgafiubccZ3bbT9i/zVN2I+TXYRiKpPbNiRSKcsuJM:f8JA35z7c5jLmbBffc+3hi/zVN2Iko4f

Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs

banker discovery

Security Software Discovery

T1418.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	xczlh.vkmonoh

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4205	xczlh.vkmonoh
4205	xczlh.vkmonoh

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xd1940000-0xd1bd1104	4205	xczlh.vkmonoh
Anonymous-DexFile@0xd14d5000-0xd15ff958	4205	xczlh.vkmonoh

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	xczlh.vkmonoh

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	xczlh.vkmonoh

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	xczlh.vkmonoh

xczlh.vkmonoh
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests cell location
PID:4205

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
124KB

MD5
4c0ccabb25100a908b9db06434a6af8b

SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66

SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
96KB

MD5
b487a3ffdde59d30cc0a6b36e214d76d

SHA1
aa267eaac8ba060d99e0f2b13aa9e9d934a6e2dd

SHA256
05220ff4289025809e6fafbf4c87ea6cbc704541e41a8557296b0d70abb6b324

SHA512
1768d5a9869d7357c86c4f69b502a0d0b6e285abe6c70bc0bd11a364bb741ce2fd5d40afad899dfcc9e45ca11e488ea39a8ca91b78cddf4fe91123896c00b06d

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
96KB

MD5
3b59ddb7cc8cbcf7ba674c9f7aba253c

SHA1
415547c401d10de2fca28e1cf1f72226daa130a3

SHA256
689d6313abb249d2753f841e5dea9e8756bd60db27b9489906f64aa90e844506

SHA512
2b17f75416352edb4915f21122f6013976ed93c3a205092a5773467cb107492cf5a52ce0894cd11e1f164d66308ae64725353cbbbcc78f5f0249c34e13da1092

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
96KB

MD5
c8d3ac8e525686e66df1baffdafb6758

SHA1
dcbe6ce2f5b74b361e441327c54f90f9edf18c96

SHA256
737f95ef7c9f9fd096f57def74cdf63b6a6d03098014b9cbf0fccfe6c9d33665

SHA512
d05f74775d2762d914b974e1b03ea06a9c743dab7787a2cf66540a96f73a0ab698c31034ef0abf3398e92ec235959bb4cf4b1a8e231c110e72eac96de06069cd

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB

Filesize
144KB

MD5
f6556d10c7173e244582271dd02f3890

SHA1
4d0d750e2e3fbeea914190fe4f4fe86bb5401940

SHA256
d3b010742c566aa44ce9dc989d7f4340f0bb9f2e0794f967bf9a318a26eac56f

SHA512
f1a3b6306a25ee00e675a0a9516872012797fee798c137570236326a0aeab25f8851248796b104e83c868c1b7f7addcae5a185472293d44611aa9e45815b8319

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-journal

Filesize
512B

MD5
4dcb5fba45aa4b6237364714d0a44df5

SHA1
47d27402265cb8fc2661e0cea1ca7df06b8bbd33

SHA256
486ab5c76a1fd71b8f0648514072506035ee6c7f542c39e06c56033af94aad18

SHA512
254845331faa575748225098336a9f20d7d686bc767f76cfe565549541628ab5684b352afde16013464d8e91680c83d65cb740a5a64a02562b4837225c84e230

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
414KB

MD5
128366c1d3158b5d5f3c7e4241fdef7d

SHA1
22a507fd49bb3d6864989e74b8b0d61357264687

SHA256
638754e8a5201f8dc6b1620087ef4dfea532e0911e8903758117529c414f6ac4

SHA512
2619d648086404b2432ec717144d005d9b6173cd1033516aa2cd453482794560fa8ad6fee80bc96c6e15afe73dc9e2fd4a66a0399afdd5ed0fbedc9c1db226bf

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
8KB

MD5
45a9779bb29fd983403465276eee5168

SHA1
5d97d350814c207488c2b9f074e3445d758def3c

SHA256
be7891cb54a68851eef534905931ad2ff26dd750740d11f0f2c40debfeb91e36

SHA512
b9ba511c327467f5e5a84b1c444a8c7fbf20d380e7fe0bbf1fb24405ab5518ad34838974aa85b9fa4a2db8646b11707674c7a9b3a8db986874e97fe210b08a7d

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
8KB

MD5
3e0fb77bd223d6783fb7daef792192b2

SHA1
f6b8764919305a11a315701b29224d0ed49b7ca4

SHA256
d456356ff6a6c3562405faed398a1bfafed8a6867c5bbeecc166b7b1fc45c5c1

SHA512
90ae3dbcafe2c99a87e4b201553860f80143ec8badb583f1ca56f6bb9c5d0833c52f05d3cc8466c241f1b6dbeb9f5bc4e912dcde4201159a910d17b60dd96963

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
4KB

MD5
db1ba8a86efd8d702d832ecce3bff3a2

SHA1
396244454b9a5a2ce442156002a4c1a2abb4b1d2

SHA256
3d0a90e1983b896f3ce7d8c6d19081f74bb3db5f542e012a1216a2ad467cfa55

SHA512
ddd08e154b4286e7f0f125040a879945973257ab425dd1547c0662b00d8fb1807af7264c9c049fac0502fd343523dd1d43b2f9e3f05b7ccec53ed1007cd035d5

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
8KB

MD5
2a6c42bfa3f5b30068dd346b0eef75f4

SHA1
b87a1c5738b31466d30dad3886eb33bec50b5bf6

SHA256
e8073997bf83a1267074d6adcaedbbfa18f86624de6179e551cb942c918d9f36

SHA512
a43fd14fe0027032ad3906dffee5a7a1f8b0c361d463214857f4ccaa50f5f1002b807d4997b38be8d1e8369ce0723cd9394c1de683aae009532432596d03a625

Download Submit
/data/data/xczlh.vkmonoh/databases/SettingsDB-wal

Filesize
418KB

MD5
96f034cccdc395f88107829fbd03d119

SHA1
59802eb78389122d8bd11fc874c57ece72dbe5cf

SHA256
26135905e4ea0426845177468e7ca429219cf90343fb4d5ca95f3a3a1b0e42f7

SHA512
64226c169666a55fe325ca76c2eaab16b3ba1a127d03f3713937143fe84853acf414282634e2a6d64835aaa398b866929ce364235e0050b6ee7f06cbbf4b997d

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
93dfaf8a6249e08800f04d10ccc26cf3

SHA1
f2d11964b1afdb90f61d37de3af84a86ff6a6562

SHA256
c4bc17560748f4ba96f543b5c203ba51331686db2cc347547d277fc10181640d

SHA512
c36d5bbee0911c06a96205c42e4fe52fffd65d75ed1d8968b2c2bcabe2b9ccc0b3228dc58f3481b9523e33010bb440eb62e90132ff5787ddb918c6ec49276e73

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c74275c6f8cebd2e1510f9ed4a68258b

SHA1
5de002cb456a33b2e54f43a009680770d079dea5

SHA256
22dc2fb27037413dc9aab2fef27ed052776bcd68a740d96c997aa31dd8f1632a

SHA512
ded1c0604d1c6439cf569149d0e9f30d05d1ae8d7dbee2b0539c90027fe45046ae2ee6f582131055341a442aa7f8be4da73f948de88c2e5e6d1bb764f00f70e9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
170B

MD5
3829b675285e646f6de2100356d588c4

SHA1
451561be6f6dc0104b69da4e6ebf569ac582589b

SHA256
f7568f84a89acfdec97393d6ecd43e65d71737a45d19c8a7b2615a0614eab03d

SHA512
4f9e90d2118d96f6aca02aed3b7fdf888b2399fcba82bee231220f5f1dfd2a50b5a2388b3ae5b05a51634dcafc6a5bd6328b889b927f8bef6b623fc69e97d2d9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
149B

MD5
91e62d284a6653413d78f2637e814405

SHA1
a5bf192cabebcf05a88c85419996b2a7d0010013

SHA256
02bda8d0430604804c144613144e81132e9521f290e608fb559a4989398ba62d

SHA512
2adae83557098d6971fbe8f2ea751f7079ef26f57db4bdd8fac8df5fbeed8923bdea0c21c6b291442a5e3daf05d5f7ade5a253ef54dc363bb04f53232a59d93a

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
3KB

MD5
e0430d78fd0a49e9eb6e8d97286c7936

SHA1
498593b7f41c52e4576d400c757d72f272a2e8bc

SHA256
a04ce1ce124ae431ffb71be8f6011cc96a5d37dcf60d6892901664d5db40f463

SHA512
291b7997df43e56135e45277996ef78aab8d26090069b165addf5d4b009d8167e3acf957c5530d7bae29b4e9b7c81dfcb14cde4e3788141fb288b26c9542838a

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
61B

MD5
861d06ed680a1879787ac4b51045138b

SHA1
7282e1735655748d67f062742a2ad4f6c08d2fc8

SHA256
251158949cd6dc946a227ad08fa28628ddc46b4785afbf124b59797bfc03f662

SHA512
06b4d62b9f5801cdc6225c956a3bafbf56d194d1b0a6c98f15fa38bad8319d4ddf6ef2b1b24e72dfa050fc0e8980216f806200bfd0614baf4c1a015bd149e3a7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
69B

MD5
d9286384278399197609dcdc926e89d4

SHA1
0f125be58cb6a91c4b53373b8d2f998399fcd69c

SHA256
465f5eeb59ec28a2da1c811e2d4c3cf2e30f08d33fbd2c801aa926f62ae2396a

SHA512
de32cd7946cc6973d122813de709017c0fb396548b985606e89caab3dcc77ca202ccc5aed2fc34d363c549a5caa5af8772baac9ec1e7ae49346f90383e9230a8

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
152B

MD5
0c5e578ba1edcd70d1e54e2fb20cf91a

SHA1
19cc6cbf0a007fdf7ba78fbe852bd3959a12d380

SHA256
2d8fd7b1c5c0a77f9cb53625ccc14d82030bb62b604ebd57fd753c20c42393f2

SHA512
b6cbe3ccb60745afc3c8ca92f1f6d85cb70c297404a1d20ee75034c21ce42eff231939a926c46fbf52ec57277cfe0a82067cd484adfc8812e13712f9270267d4

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
127B

MD5
da3e21d26e9a220dc012b0284a3d52d7

SHA1
0f611bcbc20e84367960e89d8c521d26729eb0e4

SHA256
2208f6eb321316e8f1f067b6911c08c49db0762e912130b86b56fbb5735bdc3b

SHA512
424f04a6f3ac676218e713e1ff75ad27cc521b6772b0486c236dbdef3364c60b0dca7e9b7b9869b544da1db392b81133bae807d401232830d770150628ed140a

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
27KB

MD5
cd08eadf3c7cdb2e906981f233bdb564

SHA1
4646fc43052b6099ca51b2618fb308def3b87580

SHA256
7dc11bd8eaa2f638646529a56d7af5d3f9fd5ea956da09ae298fe86c6a01ec0e

SHA512
e9a4dd3c607cb1678ceef1da6b6163d51c48c756518f89a477fd73e985c792862a3ca4064cee750a87d762f3b9cf311160a37619ffe0d9901c5a44d526343f46

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
bac2d44f61000debc0d65bcf4003c0fe

SHA1
d0fab991410fd649e13c1178a8ad17256c66c241

SHA256
0311b9b2f31eb61671ca4fd38f6fa338ee135994d50051488302c953301a7a1c

SHA512
68c96ef0379eea404bc82d3a1dc36bb2850bafb95d25faf5ee563e3e52b664e90471268ad1dc2515bb11952603f622d0f0804d2ca8517011ac2017f2a8f99603

Download Submit
/storage/emulated/0/.am/log_1711937796899.txt.zip

Filesize
217B

MD5
c2b1616c0c8cb9fc31ccf0408336696c

SHA1
3d2f1f94a76cf1f25e825e5bf80b94306e85b51f

SHA256
b84f542ef4990bce384bae9c89696683dae53866049aaecdceec6d072e5e3343

SHA512
9d7c4f38ff7824a79e60f56d6f1d8644f70958d947aa96f501d0071ad0ab9166d66b40eed87c85ded562a9d5c3497fa66df237d77730479cf2ff8abb31e3bf3b

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
69B

MD5
8109caaec1c987d124782a4ddbe619df

SHA1
b5c835321cafa2a04b2ea5b3f4a0fef86d8fcb71

SHA256
389f919e7836648cbf50d2ae3e2ec610fe8a2a8a722541ed21a270e30c84dd3e

SHA512
7ad14d65c73bf32fbb53113d77e00ae34485e256c8840f77c0453daf41ccdbe65092685937d134f5891787d50551c24e48c7e4c1dd9ba2350a8d774029bd60db

Download Submit
/storage/emulated/0/Android/data/xczlh.vkmonoh/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
Anonymous-DexFile@0xd14d5000-0xd15ff958

Filesize
1.2MB

MD5
205a360b4d45a6e4688aec7a7265dc0a

SHA1
53f493d19040d517bf0b4a842d5f7e8865a443cd

SHA256
a78f1f6aa2fb421d336ac32befa711c6702050014dad9d07074528e8ee4598ff

SHA512
3c515d0d30b65fe025629a9a2da0b7c83a95d27ce87bb54739e15b719b99dbeb11e9db0f8bce1855fdc60c872eede02327c15a6bd8f57a7de2d22edcb972febd

Download Submit
Anonymous-DexFile@0xd1940000-0xd1bd1104

Filesize
2.6MB

MD5
21156a8f064b75118f6255cc65bb4a85

SHA1
d3fcc248dc5f08df8aaeaeb1e59f37708ecd19de

SHA256
63f3015685196675f8d47ede3a2ca91d5937ae5b0b0d1b11eadcb5d74a1434c8

SHA512
c80a8f286792f07ff28c6d4aafc43375dfee92c24026285628e79a9471318e89fbdc15b4ec012ed5c92f8a4662dafc47c07c0af8a378f77a8ca9daad890c7964

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads