tanglebot | 3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595

Analysis

max time kernel
7s
max time network
36s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
01-12-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595.apk
Size

9.4MB
MD5

0f0b187f5fcdfc74ecea183b306db7e5
SHA1

96de75bfb888dac59e35f2949f40dec3f7d860c7
SHA256

3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595
SHA512

68112e38b0d9adfc7e807e2714d45b5f7b2b69b5e09d429e8c04edd04a96dfe28388f3212dcf0746fdf936b31081a9610ebe4033d25a039957d349137cbb249a
SSDEEP

196608:E1AVKU5GcOMQ4B2Yb9AzpSreL5jir3brH8YIl4eaY3XMxhCGUHNa:EBU5UMD25VLRirHLIl4MLg

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4298-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.series.scrap/app_token/pNxukPD.json	4298	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.series.scrap/app_token/pNxukPD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.series.scrap/app_token/oat/x86/pNxukPD.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.series.scrap/app_token/pNxukPD.json	4273	com.series.scrap

com.series.scrap
1⤵
- Loads dropped Dex/Jar
PID:4273
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.series.scrap/app_token/pNxukPD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.series.scrap/app_token/oat/x86/pNxukPD.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4298

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.series.scrap/app_token/pNxukPD.json

Filesize
1.8MB

MD5
23bede63d706b2ba842927606c5ba709

SHA1
accfb95e59320d71c9f3bd0d37c707e82bc83da0

SHA256
4bfc9becf8c2bfc7f7265d20948ab7ba8377489bfe3e6fa125074f3bd0e4dd49

SHA512
17bd3143561b4bab16778f37379bfbc29ed11fb8630b88a48576d2b5554dccc3450e5fe2297c29936ca4aef3a26b392757d4620ff8bf27e812a50f0c62873a29

Download Submit
/data/data/com.series.scrap/app_token/pNxukPD.json

Filesize
1.8MB

MD5
49be4b94c06c5f082d1d63eae65fb28d

SHA1
23813ae1dcc58febdf4a522b42433edd1ad52d8d

SHA256
e3068016a96950d80cee09e7ce816ddb0461fd2c9014643ec5939197c6b6d87f

SHA512
bd33f87c0db57da2b28e3affa8a75377a7dfa8802a0195967cf5b8043ed8b05f4a208a0c99e935126c20620902aee4575235ef728e462fc33be35c0f799ff59c

Download Submit
/data/user/0/com.series.scrap/app_token/pNxukPD.json

Filesize
4.4MB

MD5
617e62675cda1f82a81b4d3090c9e778

SHA1
1ff90c87cbcd763e8390d0e0e66301eee665a631

SHA256
656597aee17d72708ac0e80510b333a2133c39d170ae3056d40b3bca208d055c

SHA512
d07e3a87e43d6947acb2cd8bfda2b619d31e9164825a3df0f0761046628679a5fec9fe0ca1ef59d7bc59fb73a4aa990b1f93446719aacfa54656cab5081504b4

Download Submit
/data/user/0/com.series.scrap/app_token/pNxukPD.json

Filesize
4.4MB

MD5
f4c32f4113b8d66ca8b11ebc6b1e5d30

SHA1
ffb703ba0ac177dc0a05338d5178698097fb3535

SHA256
416946f6dbc836fc9fa9cc0e05ab346bfd10166882e0f719bdc8bbd7e3a090cb

SHA512
ee5f2ba4054523eda7b37c8b6727b003370de849a4b181f4614092e24171796e6ad73114510fddd66bf6ec8733b196b776e59264dd3d9a2b182a02e40e0e224a

Download Submit