Malware Analysis Report

2025-01-19 05:50

Sample ID 241129-17q76syqev
Target cba7c0cc20118c46df308ad6102ae78c3a5a64416a9debb1eaa22a54526cc5af.bin
SHA256 cba7c0cc20118c46df308ad6102ae78c3a5a64416a9debb1eaa22a54526cc5af
Tags: tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: cba7c0cc20118c46df308ad6102ae78c3a5a64416a9debb1eaa22a54526cc5af

Threat Level: Known bad

The file cba7c0cc20118c46df308ad6102ae78c3a5a64416a9debb1eaa22a54526cc5af.bin was found to be: Known bad.

Malicious Activity Summary

tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact

Tanglebot family

TangleBot

TangleBot payload

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-11-29 22:17

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 22:17

Reported

2024-11-29 22:20

Platform

android-x86-arm-20240910-en

Max time kernel

21s

Max time network

153s

Command Line

com.hgiadhghmydrghjcsz.cvkahvqytb

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json | N/A | N/A
N/A | /data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hgiadhghmydrghjcsz.cvkahvqytb

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/oat/x86/OGTb.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | pempbebebehaziran.top | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 104.21.26.168:443 | pempbebebehaziran.top | tcp
GB | 142.250.187.196:80 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.187.195:80 | | tcp

Files

/data/data/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 a928aca73498fa91feee832e5f1edb71
SHA1 2333b85dcf78ce9ae49d4cb99a4d5e02ba0c315c
SHA256 29cabc7a34cf85d215a34d6e799fa640fb44ddfdd468a3e60282f1bf2fa5932f
SHA512 20d28e34b1fcb6bf525371dd2cf9793af4ca723e273948daf02cf839d36bcbb8474d0ca8f9ad01ddb6a0d6c8233c723e8e3a44d5de9e6e26997afd70714ffd4f

/data/data/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 e9e0c9b2b06b52a917251874750f7f0d
SHA1 4f905f90fdb884834e013de366a8a7c9a3912c80
SHA256 37dba9f10146b7603866bf3057db0a68a1638ad88290f14606180b96dd200f9e
SHA512 5fa0d9fd06a68fccd5fd7831806eeb58c577a8a1058a6bfcae32439163598091e3127806b97f1bcc25f9371d7be6ba9293f8004fe64a5138f60dff2a532034ef

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 04aede607eda3f0a5f39e2578a6c6a2d
SHA1 412fd6a551ad60ae2b336db63524bd0597751ced
SHA256 36fb5ba4af69a6dd04bc763d818c75c2eda6aa285a0dfd00661061ec7a063559
SHA512 22e00db60a8a53dbe935f409c75f4e3b325448ad04f23162083a179ef55ba8cb57832e9a3721d0319ffaa71a4506a1f51a8dcfd5eaaf640bba2d1120cf1ec093

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 1b0d8a98717f7341e07e737efa2b9ae3
SHA1 863e4e10ba9b2a4d284bfde8a740fac884a940e8
SHA256 0b8fa1f04bdc77fd9c6936d283afcc12d7f24e648dd7a3152ede52f1b85116ba
SHA512 cdafeff868512cb1859210e9ae5c3e224c74edd17b355a502776c73690af9b0260c6b71b76587c6ad7e075e9d51ec0e370225f53a60a715956f6e06d345a287b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 22:17

Reported

2024-11-29 22:20

Platform

android-x64-20240910-en

Max time kernel

20s

Max time network

153s

Command Line

com.hgiadhghmydrghjcsz.cvkahvqytb

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hgiadhghmydrghjcsz.cvkahvqytb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.234:443 | | tcp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | pempbebebehaziran.top | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
US | 172.67.137.100:443 | pempbebebehaziran.top | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 a928aca73498fa91feee832e5f1edb71
SHA1 2333b85dcf78ce9ae49d4cb99a4d5e02ba0c315c
SHA256 29cabc7a34cf85d215a34d6e799fa640fb44ddfdd468a3e60282f1bf2fa5932f
SHA512 20d28e34b1fcb6bf525371dd2cf9793af4ca723e273948daf02cf839d36bcbb8474d0ca8f9ad01ddb6a0d6c8233c723e8e3a44d5de9e6e26997afd70714ffd4f

/data/data/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 e9e0c9b2b06b52a917251874750f7f0d
SHA1 4f905f90fdb884834e013de366a8a7c9a3912c80
SHA256 37dba9f10146b7603866bf3057db0a68a1638ad88290f14606180b96dd200f9e
SHA512 5fa0d9fd06a68fccd5fd7831806eeb58c577a8a1058a6bfcae32439163598091e3127806b97f1bcc25f9371d7be6ba9293f8004fe64a5138f60dff2a532034ef

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 04aede607eda3f0a5f39e2578a6c6a2d
SHA1 412fd6a551ad60ae2b336db63524bd0597751ced
SHA256 36fb5ba4af69a6dd04bc763d818c75c2eda6aa285a0dfd00661061ec7a063559
SHA512 22e00db60a8a53dbe935f409c75f4e3b325448ad04f23162083a179ef55ba8cb57832e9a3721d0319ffaa71a4506a1f51a8dcfd5eaaf640bba2d1120cf1ec093

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-29 22:17

Reported

2024-11-29 22:20

Platform

android-x64-arm64-20240910-en

Max time kernel

45s

Max time network

153s

Command Line

com.hgiadhghmydrghjcsz.cvkahvqytb

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion

Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Reads information about phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hgiadhghmydrghjcsz.cvkahvqytb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.213.14:443 | www.youtube.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
US | 216.239.36.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | pempbebebehaziran.top | udp
US | 172.67.137.100:443 | pempbebebehaziran.top | tcp
GB | 142.250.187.230:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.193:443 | | tcp
US | 216.239.36.223:443 | | tcp
US | 216.239.36.223:443 | | tcp

Files

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 a928aca73498fa91feee832e5f1edb71
SHA1 2333b85dcf78ce9ae49d4cb99a4d5e02ba0c315c
SHA256 29cabc7a34cf85d215a34d6e799fa640fb44ddfdd468a3e60282f1bf2fa5932f
SHA512 20d28e34b1fcb6bf525371dd2cf9793af4ca723e273948daf02cf839d36bcbb8474d0ca8f9ad01ddb6a0d6c8233c723e8e3a44d5de9e6e26997afd70714ffd4f

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 e9e0c9b2b06b52a917251874750f7f0d
SHA1 4f905f90fdb884834e013de366a8a7c9a3912c80
SHA256 37dba9f10146b7603866bf3057db0a68a1638ad88290f14606180b96dd200f9e
SHA512 5fa0d9fd06a68fccd5fd7831806eeb58c577a8a1058a6bfcae32439163598091e3127806b97f1bcc25f9371d7be6ba9293f8004fe64a5138f60dff2a532034ef

/data/user/0/com.hgiadhghmydrghjcsz.cvkahvqytb/app_DynamicOptDex/OGTb.json

MD5 04aede607eda3f0a5f39e2578a6c6a2d
SHA1 412fd6a551ad60ae2b336db63524bd0597751ced
SHA256 36fb5ba4af69a6dd04bc763d818c75c2eda6aa285a0dfd00661061ec7a063559
SHA512 22e00db60a8a53dbe935f409c75f4e3b325448ad04f23162083a179ef55ba8cb57832e9a3721d0319ffaa71a4506a1f51a8dcfd5eaaf640bba2d1120cf1ec093