soumnibot | e42d70c5a96497437f2ae074dc718001b2e6f271a43d21a0625d3b2f2ca2907c

Analysis

max time kernel
179s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
27-06-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e42d70c5a96497437f2ae074dc718001b2e6f271a43d21a0625d3b2f2ca2907c.apk
Size

2.9MB
MD5

e551692c1794051b16a9ab54c5637895
SHA1

2e3536913ecb7ddd3d6608d9cc87aa3248ef0b26
SHA256

e42d70c5a96497437f2ae074dc718001b2e6f271a43d21a0625d3b2f2ca2907c
SHA512

d9dbe39698e00a85054bb05ab57ded2ddf79e68b25f7f3652398d8074952f54ded262ea265c8e383ecbb38539912291651fa9dbbe73beca85c04e9e4d0a8092c
SSDEEP

49152:vg8KZxJESMQfvHT2jr5094C+0KDg/afQUsWKIpqVYVwY39T7prdnLzrCgEjiLyXd:OZxJZT2jr50+05lAqbal7VdnnugEjAyN

Score

10^/10

soumnibot banker discovery evasion infostealer trojan

Malware Config

Signatures

Android SoumniBot payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_soumnibot
behavioral1/memory/4254-1.dex	family_soumnibot

SoumniBot
SoumniBot is an Android banking trojan first seen in April 2024.
trojan infostealer banker soumnibot

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex	4254	zxg.rvmhxy.mdbh
/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex	4285	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/zxg.rvmhxy.mdbh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex	4254	zxg.rvmhxy.mdbh

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zxg.rvmhxy.mdbh

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	zxg.rvmhxy.mdbh

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	zxg.rvmhxy.mdbh

zxg.rvmhxy.mdbh
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4254
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/zxg.rvmhxy.mdbh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4285

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zxg.rvmhxy.mdbh/app_dex/classes.dex

Filesize
4.1MB

MD5
b804910e98cab06fefee9be91371cb18

SHA1
7e60183d2ad375bad9a03bd236c1912112d9b69c

SHA256
0a71a9c5ad1ad2284d3308e98efaeae4d9e5f9a4b57b2c8325c45a4cfc3f3362

SHA512
9e3000c8fff5681ec110ece2d26f5bdc69829c2ea7e13050f1dec5d8874884759f3a17a817213acb13a85f0caa31ee3c30552de1945a7408ead8ece42b436b7b

Download Submit
/data/data/zxg.rvmhxy.mdbh/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/zxg.rvmhxy.mdbh/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
00a329960f7e5655d2bbb0a7c76a9a8a

SHA1
7d1930ef884204af362824406c1a0509146d2139

SHA256
5edee4178aaa561839411d3e679c4c40b0cc4209c215e8f8b581838899138930

SHA512
0ebdcbc41e4ba6dc27e17c59c9795003683c3df91d7b5c71143d52227f170d9a373fe424fcb190786950448415bb978043a2605044f6fe5deb823e1547e22790

Download Submit
/data/data/zxg.rvmhxy.mdbh/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/zxg.rvmhxy.mdbh/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
418efe9f5da111c128d6d3ee71009295

SHA1
602ba0ed85d318bc0bd457bd22fa6d6b70c4be9c

SHA256
5261484c647cbdda7898ef356c9c5f273a6f463466ac3834a2dabebf1e4d1bd1

SHA512
7a55694b6e9916c92966fb1b3f08f858daeae4b644aafb4b92a0e81028f4eac6a7eb7b377e4bddf9b6146f347f71f3439f870f5aafea86e849931ee27d1786f4

Download Submit
/data/data/zxg.rvmhxy.mdbh/files/PersistedInstallation3650960175331144204tmp

Filesize
569B

MD5
78fc06b75d8962567bb319c6cb8f60b0

SHA1
7c4bbdddcd5768439073380d377ad960d1d273ad

SHA256
ddbff20aace5955f5bdea8401afe4992c81f616be17a4e4d8945488461b1b273

SHA512
d869e96a7e1c671a49eb7f2570648bd1913b23076e39a801c8807c7aa58e739b61e340f715be0030a02b9d3ed4c744dddee7959c690650d0361d790b985c5e57

Download Submit
/data/data/zxg.rvmhxy.mdbh/files/PersistedInstallation6279701145757159256tmp

Filesize
90B

MD5
c12afcbcbd1f2fc774254ed83acac11a

SHA1
55e960d9c18fbb1dfe4beb1112ffc53a1a08b9b8

SHA256
a3d81a7596803a1faeeca253109def149de0ff214220e3c04ba1cb4f8f5a29fb

SHA512
2d3257126fb8c168f2158276f6e11491e6d0d6c124d24ff51c439a3e0faae9d0f6c3fa0976733108db1e486f32d16e868bab0995a7d0fcbb2f810dcf3bed0e08

Download Submit
/data/data/zxg.rvmhxy.mdbh/files/mmkv/mmkv.default

Filesize
4KB

MD5
620f0b67a91f7f74151bc5be745b7110

SHA1
1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

SHA256
ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7

SHA512
2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Download Submit
/data/data/zxg.rvmhxy.mdbh/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2135e1d89a08c2f018d178678bd5b483

SHA1
d80de8b3d4f99dce9f0f16de2a3fc29a5443b34d

SHA256
6d0afc92cd4716f9f3e53966ebc46a3d5cf70d9e00890168515a28141c111f5a

SHA512
008e47e3a3c06cb1a51b806e2169077ace681657b1b08fd7775e7759dd227b1bc05d258636d808d33917478e684733b6a1df5e7f98e3e4fb895e4a493d06c9f7

Download Submit
/data/data/zxg.rvmhxy.mdbh/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
37e7ba230ec91ae045ab031714317adb

SHA1
525085b8d70786da7efc8c57f3dc9e40e1b2936f

SHA256
a4176227d29bdc1523c0fdb0f01ba54819a75194168a97ebdedacee673866625

SHA512
af730cc4dd67e67036f1a08a82f9bf9654d9ab31e2ab3b42d54403849ec6fab73978000eb814decc25f728c80673a77754f3cd9c6f444f1fb7f63b0cb744f1c7

Download Submit
/data/data/zxg.rvmhxy.mdbh/no_backup/androidx.work.workdb-wal

Filesize
112KB

MD5
4c8ace47d58e756bdc0ce6148900a7d8

SHA1
a74c86f699b41037044b669d4a0fd64605ee0b8a

SHA256
798b8a2c741debea4f4f7879a2c7ff40f7be038ff7b4e9aa1bd0af5edcd1e05c

SHA512
5955efd24aa4ba51d3a44c8bbcbb4526d1eab381f26d275f8955e9c3209a0008901cc5bc69cc5345a21a4f0dac18705d9501d1a47d8ac885dc5534c4f87cc7b4

Download Submit
/data/data/zxg.rvmhxy.mdbh/no_backup/androidx.work.workdb-wal

Filesize
120KB

MD5
00543ccd935bc32d7fbe97f753ccd92a

SHA1
e49db0e6d6661c38b0e17fb10b8b6ec852d17570

SHA256
18d213e965f84209342da56738e3e16189f3fc8ae9131dc6f3e3e6952efba9a4

SHA512
6dbba5ba79af30a2f4707cc59004a3027297f1ae7bdb1d5baa642137d70ad426543004a936583cf36f1cccd01dfcb86ddec2d452d22c1916b898496c0d758f8f

Download Submit
/data/user/0/zxg.rvmhxy.mdbh/app_dex/classes.dex

Filesize
4.1MB

MD5
0ddc003e58627771cde8aa97e9778164

SHA1
ee0a829a5d48a885b8f61b12fa4aca8d58d57f40

SHA256
5314ca3ed5da001c1f6da71503522f52ffe4066542b0a5a56c630c441a4f3fa8

SHA512
96b19969f3ccdee1004a877730d034624677785a03a11b9cf15987f50b9da0a4bda538dab64343b65ec587e6b0657e2795eee63cb07acd840ae2333572b7dbe9

Download Submit