Malware Analysis Report

2025-01-19 05:34

Sample ID 241009-1ylakazbjg
Target 4e0a69bf232a9c12ec915bac7dd6789adb2116927b51f10e4bd996cbde854682.bin
SHA256 4e0a69bf232a9c12ec915bac7dd6789adb2116927b51f10e4bd996cbde854682
Tags vultur banker discovery evasion impact infostealer trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 4e0a69bf232a9c12ec915bac7dd6789adb2116927b51f10e4bd996cbde854682.bin was found to be: Known bad.

Malicious Activity Summary

Vultur payload

Vultur family

Vultur

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries information about active data network

Declares services with permission to bind to the system

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported 2024-10-09 22:03

Signatures

Vultur family

vultur

Vultur payload

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-09 22:03
Reported 2024-10-09 22:08
Platform android-x86-arm-20240624-en
Max time kernel 21s
Max time network 145s

Command Line

com.rest.tymkos

Signatures

Vultur

infostealer trojan banker vultur

Vultur payload

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.rest.tymkos/files/xzglduvrykldjpdk.dex N/A N/A
N/A /data/user/0/com.rest.tymkos/files/zcwitmneqqgwpvmm.dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.rest.tymkos

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rest.tymkos/files/xzglduvrykldjpdk.dex --output-vdex-fd=71 --oat-fd=76 --oat-location=/data/user/0/com.rest.tymkos/files/oat/x86/xzglduvrykldjpdk.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.rest.tymkos/files/zcwitmneqqgwpvmm.dex --output-vdex-fd=71 --oat-fd=76 --oat-location=/data/user/0/com.rest.tymkos/files/oat/x86/zcwitmneqqgwpvmm.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 freshposters.online udp

Files

/data/data/com.rest.tymkos/databases/com.google.android.datatransport.events-journal

/data/data/com.rest.tymkos/databases/com.google.android.datatransport.events

/data/data/com.rest.tymkos/no_backup/androidx.work.workdb-journal

/data/data/com.rest.tymkos/databases/com.google.android.datatransport.events-shm

/data/data/com.rest.tymkos/databases/com.google.android.datatransport.events-wal

/data/data/com.rest.tymkos/no_backup/androidx.work.workdb-wal

/data/data/com.rest.tymkos/files/PersistedInstallation2311316275418884182tmp

/data/data/com.rest.tymkos/files/PersistedInstallation2529705967758682292tmp

/data/data/com.rest.tymkos/cache/pvxkizsnsmgodens

/data/data/com.rest.tymkos/cache/brvleuxqgacrqvrr

/data/data/com.rest.tymkos/files/xzglduvrykldjpdk.dex

/data/user/0/com.rest.tymkos/files/xzglduvrykldjpdk.dex
