General
-
Target
128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd.bin
-
Size
1.9MB
-
Sample
240807-1zc1ksvdpl
-
MD5
9d5be76629c627bdf7170d933605c1b1
-
SHA1
edf87418fe5bb358d1380036c3a75b6afb8cffd2
-
SHA256
128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd
-
SHA512
6fdd3eeb8bc16cbb48c67882ed195fc4148bfac0e54c69fdbe181c700ff91f67ef07af7f6f897673b6cb4056978abf6f75a8264d86d4c79c1a19046f5287cf0a
-
SSDEEP
49152:SY6+wC4xSUkLGlOwc5OeS/saRrkVuNUpeOX:SY8IUkLGlO1efgumX
Malware Config
Extracted
eventbot
http://rob.jmitchelldayton.com/gate_cb8a5aea1ab302f0_c
http://rob.alanrmarble.com/gate_cb8a5aea1ab302f0_c
Targets
-
-
Target
128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd.bin
-
Size
1.9MB
-
MD5
9d5be76629c627bdf7170d933605c1b1
-
SHA1
edf87418fe5bb358d1380036c3a75b6afb8cffd2
-
SHA256
128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd
-
SHA512
6fdd3eeb8bc16cbb48c67882ed195fc4148bfac0e54c69fdbe181c700ff91f67ef07af7f6f897673b6cb4056978abf6f75a8264d86d4c79c1a19046f5287cf0a
-
SSDEEP
49152:SY6+wC4xSUkLGlOwc5OeS/saRrkVuNUpeOX:SY8IUkLGlO1efgumX
Score10/10-
EventBot
A new Android banking trojan started to appear in March 2020.
-
Removes its main activity from the application launcher
-
Loads dropped Dex/Jar
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
-
Reads the contacts stored on the device.
-
Acquires the wake lock
-
Queries the mobile country code (MCC)
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Requests enabling of the accessibility settings.
-