soumnibot | 1db62383913af929524cc60e5efc660f2f5a0320ea27d85c96e436e3de33fe42

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
11-10-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db62383913af929524cc60e5efc660f2f5a0320ea27d85c96e436e3de33fe42.apk
Size

4.3MB
MD5

f291a88e1994461726c0cc92c0670193
SHA1

01599aa643b56c9717a026e48aa8bb086d181045
SHA256

1db62383913af929524cc60e5efc660f2f5a0320ea27d85c96e436e3de33fe42
SHA512

e55a3a0123a47cdd7f1de4744ca29512633c3d569042493e02a5b8722c6688c7e3adce2096db3955747e18e7b2dbb897a7f8f7b91c87451aa2118c5d8e6cb7c3
SSDEEP

98304:o9xxQGnx82DAVOCHNO2w7LsDMZabrSHKWRuvtbFqF50Csv51dz:RGx82JCHYzBWSqBbFG52v5z

Score

10^/10

soumnibot banker discovery evasion infostealer trojan

Malware Config

Signatures

Android SoumniBot payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_soumnibot
behavioral1/memory/4327-1.dex	family_soumnibot

SoumniBot
SoumniBot is an Android banking trojan first seen in April 2024.
trojan infostealer banker soumnibot

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex	4327	fasrgp.zt.kwzit
/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex	4354	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/fasrgp.zt.kwzit/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex	4327	fasrgp.zt.kwzit

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	fasrgp.zt.kwzit

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	fasrgp.zt.kwzit

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	fasrgp.zt.kwzit

fasrgp.zt.kwzit
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4327
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/fasrgp.zt.kwzit/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4354

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/fasrgp.zt.kwzit/app_dex/classes.dex

Filesize
6.9MB

MD5
375160011cf90ec7b87bd0d209b2cf7e

SHA1
028b42fd35678ddc3ed5c5926b3015fce1cf5395

SHA256
a51ced343788d26ee758feda67a9c91234396e90ca275cb0b323527bdaa05ec6

SHA512
1b1ce33388b659f4521a867663855208460f5396afd56b240d1613f8a6c85b0b3db7b8c03b781ec9fae19670c2a3a088aa79475eb4243228c7cdde8f585319c3

Download Submit
/data/data/fasrgp.zt.kwzit/cache/image_manager_disk_cache/88bfcb6bce24319bc05d6aa5fe4b75a5e42802c10bdd3167fc1c87916054b13a.0.tmp

Filesize
166KB

MD5
f75aaa920b08fa0e17bc524bcddc3747

SHA1
08b960b03fc9c3373940da5ed8ba8955f367c8de

SHA256
00af88628626e15db3ddf56bfba14e390b40b299d714998594d26e0714fef657

SHA512
c1811b5eaddd24f114b9b37644006f4751adcfa7b859912fb013fdf44d4866f726d3375fd931781b5070bfb3d92c3dcb053f43b6216648dcfaa71592f273a371

Download Submit
/data/data/fasrgp.zt.kwzit/cache/image_manager_disk_cache/journal

Filesize
180B

MD5
16a32559ff60385966e73769320fc47a

SHA1
99dc629f36569817bcef80abdea8d21ff876d14b

SHA256
4e2f0a2e3b5baa917d879a17acc900ae1b17d325f2dbab11312daac6ba588e96

SHA512
1b7394581056f3270c09d8e852114608f03d3b135d675b136e686a822fa1c523f3e010c3cfc4348e5c4a68447c65c16e37c44157d2e8572054d56a39f21b64aa

Download Submit
/data/data/fasrgp.zt.kwzit/cache/image_manager_disk_cache/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/data/data/fasrgp.zt.kwzit/files/PersistedInstallation4271632250091886247tmp

Filesize
569B

MD5
9e660e0d15783684d33fc2f7413ea694

SHA1
163f6d882ff5ee4cf303505821ab62cd7f74dce1

SHA256
e28a2253e4fe6c62de566c64448c6d2d53433d976d9cf0196c112484c54ac198

SHA512
2e10434fc02870251a81215885c470408f0f645b1ff7484c1d1974b38fb7257708d6826b0470dba285e5ac288953705d90f384d0f88a7fa5663c835e7b98f6d8

Download Submit
/data/data/fasrgp.zt.kwzit/files/PersistedInstallation7368974922822104835tmp

Filesize
90B

MD5
4b1a0b423603dce9e57d97f048e330b4

SHA1
1a92de7079b0051fd6cf5a6c80136448aa3cfc0d

SHA256
a83e24e1ccbd24b646652314fb2fc5d638c5bf2940e8a62af692c627a2dd87d3

SHA512
f8577ea43a33107f5d4b35a7a6e17189746c17682302df8ae066b89453199b0dba5fa8a3136fadb1772b109159154def6e5008315ebc8931ba37dd71d3550b2f

Download Submit
/data/data/fasrgp.zt.kwzit/files/mmkv/mmkv.default

Filesize
4KB

MD5
620f0b67a91f7f74151bc5be745b7110

SHA1
1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

SHA256
ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7

SHA512
2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
8cf6de9cfa22e5ec65fd13bd979b3e75

SHA1
fbdc99283898fafe03a81d18c57af6bdd213848d

SHA256
a20a1ac096eadd1f39f0763b47f59f64f7d210c7eaaceaf7c5e2ee789a6575de

SHA512
43c836407c0d3780c67e2e04bab0b98e90df5c007448a4ac262c14da5d5ecc86067d51ca24f1b2052503d1898e41aa2438b4fa23696ff009851610afe4070d58

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
f0b7ab0f2ff241da51109671783affbb

SHA1
e2f3bf271379fae1146cf9b45e87227eae2d23d1

SHA256
77abca9624a0950043f229d39d7b177341a05b491a0f80c5e55e4273611ad133

SHA512
c3d87ce898c788ee2be458ecdd84b8f97347b72f3ee85f401234dcca4e647b177822daa62dbd12b4b8c724fda2708b0252bf491c8073442c803d095d06fb7d3a

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb-wal

Filesize
112KB

MD5
2c73397e031350e51f7434e99b8819a4

SHA1
d24974045519840e627d3191ec4a078f60afd386

SHA256
ef5f61a0c6c55e0cce2dbbe064ae6451f3ed3add5ba43af6ae8bd1cb4b20a82e

SHA512
6a8fb2cc382fbf5f968760a68c5704c6924c1d316ab6376d6cd23d5d6e77461bbafb25d0b60f9c8c6abf41d9ddd0a6cf438d99ead74d168d8e503c2cfc806100

Download Submit
/data/data/fasrgp.zt.kwzit/no_backup/androidx.work.workdb-wal

Filesize
120KB

MD5
20fd79d9c3167807813a66fea6e0dca8

SHA1
c207dd6607584bfa986863674d8584e7a39c8702

SHA256
c891955402909fbcb3431d67a08abfe5f324daa1c72412b8d382b073d4d096d5

SHA512
c93b44295542b5e8759b7f514d8917e1627ddd44e46109902ad24bb758df1feb618c261b81cce87f0f3a7463a31801365deab193f75a9fc459b6178fecceae90

Download Submit
/data/user/0/fasrgp.zt.kwzit/app_dex/classes.dex

Filesize
6.9MB

MD5
663f4d7e61e6af2d3a9c67b801834d56

SHA1
84fe180bd5bf48d4c199b6056bf7383409e32e24

SHA256
e27902adad171370f18ef5230c3ca0cec6cf6f9e5e67c8ee784be90690b5671c

SHA512
b9f90ff7a13c114561e24c5921b1fefe49acff2bc1d52f10ba89c3b93f541493896fb5173942384b7b3f23fe98044595287403b84c3617a7ec89fca0161d02d6

Download Submit