Malware Analysis Report

2025-01-19 07:46

Sample ID 241201-12n6mayqhq
Target 0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790.bin
SHA256 0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790
Tags
soumnibot banker discovery evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790

Threat Level: Known bad

The file 0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790.bin was found to be: Known bad.

Malicious Activity Summary

soumnibot banker discovery evasion infostealer trojan

Android SoumniBot payload

SoumniBot

Soumnibot family

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Attempts to obfuscate APK file format

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 22:08

Signatures

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 22:08

Reported

2024-12-01 22:11

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

rjfk.zlqc.gq

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SoumniBot

trojan infostealer banker soumnibot

Soumnibot family

soumnibot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

rjfk.zlqc.gq

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rjfk.zlqc.gq/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/rjfk.zlqc.gq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | graph.org | udp
NL | 149.154.164.13:443 | graph.org | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | telegra.ph | udp
NL | 149.154.164.13:443 | telegra.ph | tcp

Files

/data/data/rjfk.zlqc.gq/app_dex/classes.dex

MD5 f24ce658d27b0586bcb096b2deae7538
SHA1 a85fed66d7f18b24d85b0005d839d08eaca1da9e
SHA256 b1377637888c231260b569e5ec270187494a7ee10b0b59c7ff1f7c247f099390
SHA512 9ba43600b738f678124639307bfcd692507d967f6fb3f26a93b1ff8342f067785da899b242604dba352e45eb3a6607521832df8c4d6a012b442e8d200576e1a6

/data/user/0/rjfk.zlqc.gq/app_dex/classes.dex

MD5 a1e5aa629954ba1f8fc2bddf4cb26755
SHA1 7db08ea76bcb958d35edb6321d1e5aa70daa6d1f
SHA256 f1c74b8d04abaec3b3292b5ef4e57ef320aad304f35ceb7b9756338606c72257
SHA512 9506796992fe26b5dd01e2cf433137a8567e4a6e9c9af3b96eda54a1a9a8d57a25fcd100681a596e1647fddee288ace3aff924875c301e4fc35971a3f0c4181a

/data/data/rjfk.zlqc.gq/files/PersistedInstallation7246969340474115072tmp

MD5 ab606e58ec45f4f6dc9ef44b41edd257
SHA1 c1ea6cfc994458d32b6761ec45a788065ce1041d
SHA256 96996b7eb02b6f342c1fd36ad3c674462bbf66b08b110478b30707dab2238f3c
SHA512 ec0ff05c48badfac177744c88f70092df55d15fe9928ccdbc821a56cfea2bc34d7f33255906148430b958866143ad05e1e6f0825c9c8fb69d3a7c712bec3ccb6

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-journal

MD5 cdbc5f1c57856bb3767eba59904ac5b3
SHA1 e0f5980e4207a1e5d381442bcdfedccc4485cf39
SHA256 2d9b402576aa1fd0f5e266cfb2a7a939e60951da65110b4911bcf21d41c9b11b
SHA512 b93e431705169c458332639144905cd014de25fa5e0c81e0fc3d87787da47d98b0e76c027de0504e83e24a67dc29023f4f60245633366f1b8a49c9984a502310

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal

MD5 b6eb122922ba6dc365ae2e10c61caa5f
SHA1 9970180c0da29bbdc4b679abc97f9b0696030bcb
SHA256 ef2bcddb75b67bd32e325fd7decf0a318edb91915a9f982ed9bb203558018eda
SHA512 44e8595c4a464505ba1111dba669ce1826d29aee30eb9a4beddc7ef38f9f2c3be9f90e5c5b148907232a5e8a21ba7757171c153953b435c7942dbbb81ceb0fc0

/data/data/rjfk.zlqc.gq/files/mmkv/mmkv.default

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA512 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal

MD5 10ca53fe3676e0ed397e388eb8ef03f8
SHA1 56a1f563e9d84c1045c4dea4cc387f0131379b4c
SHA256 4b00cba239f1c93235efa2022899abbbce87b66bd844a3237514fd50607109cf
SHA512 1d29b696c625865d6968765c6be1f053676307517a3aa484e1a9adc31bb4773554c2307aa3441e1e29b07f039797c972f370a51caf1327985ea9103f024114c3

/data/data/rjfk.zlqc.gq/files/PersistedInstallation2428070283739475478tmp

MD5 c2a5519c298094e7ae706bc8e906b8de
SHA1 bfd1b9add5c648b5f014d1eb84357c099037d7a0
SHA256 29cc17a8238e5acb1bd13d61bb78a31bfba9b1353de0979bc4ab176e85dda538
SHA512 da0b1f3f7bc38fa07900f08f7fd5c143c7d6d6a7761140e3300d595b76ad25d1a3d3bc34264dd1c23c63bed962efd8528c974415f62dbf2cb3e069fde8b27caa

/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal

MD5 0273bb7f756ed055b025961662027ab3
SHA1 704e211c774f63bf0dafc14387ff18441ca355dd
SHA256 6843061ca46a057d53b68c5dc398ffd64a312616d3b7255ce3765bd3b1f6fb03
SHA512 726f02de267ab6a64c46477dd15c1c7ee4e792a1a0ea93ea61f16980ac4273856bb2ed5375d81fdf7df48a6650e0258978cdc275ffcd0671f1dc825b6b88821f

/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/journal

MD5 16a32559ff60385966e73769320fc47a
SHA1 99dc629f36569817bcef80abdea8d21ff876d14b
SHA256 4e2f0a2e3b5baa917d879a17acc900ae1b17d325f2dbab11312daac6ba588e96
SHA512 1b7394581056f3270c09d8e852114608f03d3b135d675b136e686a822fa1c523f3e010c3cfc4348e5c4a68447c65c16e37c44157d2e8572054d56a39f21b64aa

/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/88bfcb6bce24319bc05d6aa5fe4b75a5e42802c10bdd3167fc1c87916054b13a.0.tmp

MD5 f75aaa920b08fa0e17bc524bcddc3747
SHA1 08b960b03fc9c3373940da5ed8ba8955f367c8de
SHA256 00af88628626e15db3ddf56bfba14e390b40b299d714998594d26e0714fef657
SHA512 c1811b5eaddd24f114b9b37644006f4751adcfa7b859912fb013fdf44d4866f726d3375fd931781b5070bfb3d92c3dcb053f43b6216648dcfaa71592f273a371