Overview

overview

10

Static

static

6

128b2350b0...cd.apk

android-9-x86

10

128b2350b0...cd.apk

android-10-x64

10

128b2350b0...cd.apk

android-11-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    171s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    07-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd.apk

  • Size

    1.9MB

  • MD5

    9d5be76629c627bdf7170d933605c1b1

  • SHA1

    edf87418fe5bb358d1380036c3a75b6afb8cffd2

  • SHA256

    128b2350b0baa25e5fedd60a8aede36e07c63b3bb0c1f472d04edc83ec3d7fcd

  • SHA512

    6fdd3eeb8bc16cbb48c67882ed195fc4148bfac0e54c69fdbe181c700ff91f67ef07af7f6f897673b6cb4056978abf6f75a8264d86d4c79c1a19046f5287cf0a

  • SSDEEP

    49152:SY6+wC4xSUkLGlOwc5OeS/saRrkVuNUpeOX:SY8IUkLGlO1efgumX

Score
10/10
eventbotbankercollectioncredential_accessdiscoveryevasionimpactinfostealeroverlaypersistencestealthtrojan

Malware Config

Extracted

Family

eventbot

C2

http://rob.jmitchelldayton.com/gate_cb8a5aea1ab302f0_c

http://rob.alanrmarble.com/gate_cb8a5aea1ab302f0_c
RC4_key
RC4_key

Signatures

  • EventBot

    A new Android banking trojan started to appear in March 2020.

    bankertrojaninfostealeroverlayeventbot
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.b874e0455837b6ff88.f50f180dddf77b2b702c.f5edf1afd16e
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Obtains sensitive information copied to the device clipboard
    • Reads the contacts stored on the device.
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4954

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.b874e0455837b6ff88.f50f180dddf77b2b702c.f5edf1afd16e/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar
    Filesize

    47KB

    MD5

    9641964d84e9c692f9f05ec0a933f9a8

    SHA1

    f5b6816ee46727508fe56927dfaecfd4250074e7

    SHA256

    88f86e51fceb33adcdd46f2c29892f5d5525a5a3a63256c7f7aa60a344ea0bc7

    SHA512

    f51cca5dc81344824d94e6811023d2b809b18b3c6e0c086aec786c023060afe023ded66b57550f0b4a0bc97152a6dc6b9be9eb923a0f02306efa823c76f14f60

    Download Submit

  • /data/user/0/com.b874e0455837b6ff88.f50f180dddf77b2b702c.f5edf1afd16e/app_dex/f2d49596a51f0ed43a27f1f7f85117.jar
    Filesize

    114KB

    MD5

    79ff5c973a584f499dfb92eae438d909

    SHA1

    758bf115a2c121099d637ea23a2b4b3c27095fc5

    SHA256

    d552a0579e59a660ec12a3595a11e9fa0a3dc71eb3c22f9cfb86cd0be033bfe1

    SHA512

    c800e8b8720ffbf9e14e680faed7bd5afe1897dc4b8228d40414375c4e0929496295390f150dfaf86c3a8c90b34213c68b4590b20c17a2f1b127d8beb417e8ee

    Download Submit