Malware Analysis Report

2025-01-19 05:34

Sample ID 241204-1yzg7atlfs
Target 10b62488b702d01ac4d68634587190957ae7608fe4cf0d84fd6f6ff59140f61d.bin
SHA256 10b62488b702d01ac4d68634587190957ae7608fe4cf0d84fd6f6ff59140f61d
Tags vultur banker collection credential_access discovery evasion impact infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Threat Level: Known bad. The file 10b62488b702d01ac4d68634587190957ae7608fe4cf0d84fd6f6ff59140f61d.bin was classified as known bad.

Malicious Activity Summary

Vultur
Vultur family
Vultur payload
Checks if the Android device is rooted.
Makes use of the framework's Accessibility service
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Requests disabling of battery optimizations (often used to enable hiding in the background).
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Declares services with permission to bind to the system
Performs UI accessibility actions on behalf of the user
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 22:04

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Note: BIND_ACCESSIBILITY_SERVICE is a signature-level permission the app places on its own service so that only the system can bind to it; the service still does nothing until the user enables it under Settings > Accessibility, which is the step all of the accessibility activity in behavioral1 depends on. WRITE_SETTINGS and SCHEDULE_EXACT_ALARM are not protectionLevel="dangerous" runtime permissions but special-access permissions granted through Settings screens; the sandbox lists them under this heading regardless.

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 22:04

Reported

2024-12-04 22:06

Platform

android-x86-arm-20240910-en

Max time kernel

142s

Max time network

152s

Command Line

com.trouba.terrasse

Signatures

Vultur
infostealer trojan banker vultur

Vultur family
vultur

Vultur payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.trouba.terrasse/files/foehsvwfxcncybwl.dex (two load events) | N/A | N/A
N/A | /data/user/0/com.trouba.terrasse/files/sjensoalgqyrktgc.dex (two load events) | N/A | N/A

Note: both DEX files live in the app's private files/ directory, so they were written at runtime rather than shipped inside the APK. The files/oat/*.dex.cur.prof entries in the Files section are ART profiles that are only produced once a DEX has actually been loaded, which corroborates execution of both. Only foehsvwfxcncybwl.dex itself was captured with hashes; sjensoalgqyrktgc.dex is absent from the Files listing and survives there only as its profile.

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Note: these are the calls an enabled accessibility service uses to read the view tree of whatever app is in the foreground, including text fields, which is what makes the credential_access tag plausible; together with the performGlobalAction calls below they form a read-screen/act-on-screen pattern rather than plain automation.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (6 calls) | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Note: this intent opens a system dialog asking the user to exempt the app from Doze and App Standby; if granted, the app's services and network access are no longer throttled while the device is idle, which is why background-resident malware requests it.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Note: Cipher.doFinal on its own does not demonstrate encryption of user data. In a sample that writes DEX files into its private storage and loads them, decrypting an embedded payload before loading it is an equally consistent explanation; the impact tag should not be read as confirmed ransomware-style behaviour.

Processes

com.trouba.terrasse
  /system/bin/sh
    stat /sbin/su

The shell child is the root check behind the "Checks if the Android device is rooted" signature: the app shells out to stat the common su binary path rather than calling any framework API.

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | freshposters.online | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.204.68:80 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 142.250.200.35:80 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp

Note: all TCP destinations fall in Google address ranges (216.58.x, 172.217.x, 142.250.x) and match the Play Services/Firebase background traffic expected from the com.google.android.datatransport.events database in the Files section; 224.0.0.251:5353 is local mDNS. The only non-Google name resolved is freshposters.online, and no TCP connection to any address for it is recorded, so this detonation does not establish what the sample would have done with that host.

Files

Files written during detonation, each followed by its hashes. The same path can appear more than once with different hashes where the file changed between captures (no_backup/androidx.work.workdb-wal below). The entries of interest are the dropped DEX under files/, its ART profiles under files/oat/, and the two extensionless 16-letter names under cache/, which follow the same naming pattern as the DEX files; everything under databases/ and no_backup/ is state from bundled Google and AndroidX libraries.

/data/data/com.trouba.terrasse/databases/com.google.android.datatransport.events-journal

MD5 c347b87d70fa92dedf938bd8a990cf6b
SHA1 23e44c81d4f3aa4204172bbfc7c7c382b1f13f45
SHA256 dc8480e96f26ee7ede066b35ce5b22ea38ec6925f143dabb0b0bf8fe2ee7fd40
SHA512 921858d3af7d134e04d653b8492783c7117df1a35eb6fd9cbdbd96a4b52a033ec71db4432a1d1f909eb075272c827005aec3bb1a858d11e114edb5a0d1a597a5

/data/data/com.trouba.terrasse/databases/com.google.android.datatransport.events

MD5 5dd5a22a132ed60f1ee9df85c31ffd16
SHA1 4551b6959023ce395284dbc6972d9e652599dd55
SHA256 150441c5226ee456fdca848adbc33d531df72d5c9c06e13967b9353c34d44c8b
SHA512 13888779f70a473c78cbd25bfe546235dd4e8d2086bcc9a94bca7769a4dc2187ba300b658f53dc3c975379a7d47901d43e7557fe10c136787b7ae89f0c705d25

/data/data/com.trouba.terrasse/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.trouba.terrasse/databases/com.google.android.datatransport.events-wal

MD5 47372f60ca4376141295fa5a10185a1d
SHA1 b16533a7a41f5d18455ce4dd1d50a3bc1e9bc885
SHA256 be480cb5166fb0e7964be7250710e607769a2c2f2402c23815c0758e5a6dd325
SHA512 d0bc37d050d9101488847d003e70d111dfec1ad8fa82794b06330a31e9e597bea00a5beb78e9f95f9be579ed623ea3bdbf8f699334156eb686775ba15d29ffe4

/data/data/com.trouba.terrasse/no_backup/androidx.work.workdb-journal

MD5 ebebb0b1fe46593693367bff01c1ba7d
SHA1 a9941efd2410cdf1df277e8c2aabc1d8d2277873
SHA256 ff690dc5fb0838e40eaf99e2e560af46e8e55224915867d3561da1bbac03ed84
SHA512 8e4e8bd893fbc5d796845a26c9d4814620e27cdd954d6b9a237d580303ae260719ab473bbb100bb5ea37377aa64eb23db483a52895d97a0d9bf3d686af79cd94

/data/data/com.trouba.terrasse/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.trouba.terrasse/no_backup/androidx.work.workdb-wal

MD5 6b6ecd88416c4755a6201fc898ed5a74
SHA1 4a8c997780aab013b14d522b3f4dd0ce41da0976
SHA256 9dbf7fe46151c752bbb97bb1f16568825e06d846a5f946f6fb197e0c985dd0e1
SHA512 f84f53df0cbaf4af2915df280c248fc30201d98275899ffff5b9e06bb15ccbca91c90f5bb454f6ea3e1a18ff0115b458a85dbfd7af776e9464271466e5d38412

/data/data/com.trouba.terrasse/files/PersistedInstallation8161411095032102680tmp

MD5 92f02d91770339fbddd5f909a45a315f
SHA1 976c696cbc2783cf27c154ee17e6a0b2328021ba
SHA256 ac0118d7c10d790747569a66b8bba8456195e9eda9f5ce77d07ae1ebe80dbd50
SHA512 9ecc92f4ad7700f95b956aa531b2affb5710e9cb53f70e38580ecff64ea7a4d10423544cbdb92651aa35175749591dccecd699111e5db6f7380d219b0afc2b88

/data/data/com.trouba.terrasse/no_backup/androidx.work.workdb-wal

MD5 d9ac3f9a43558f0133326248070f066d
SHA1 bd6dd4995eb8508521ae43fa63e0828b012db825
SHA256 939374744432c130931d5310e8be8355bcd3d2f5a68fa51d899cb1cf076855e5
SHA512 af4f958147480a461be76f5af532bfb24d7107209e6ade8664519b7a8c999f4f1c4cb5a66c3fe0755076703aa876474ae608ec9891c89e7f288d0796630caf3d

/data/data/com.trouba.terrasse/files/PersistedInstallation7521341680262325554tmp

MD5 1a44eeaf02ce793adaa7cc12bee35751
SHA1 d9bfc0b58e2da1698c61d82c96bee201cbd71bd3
SHA256 1a5983784363f614eeffa00ed69c241d47a8cf01a300a63992b44a4bf9c50ccd
SHA512 a237edf1db83c03637d16a36cbb72dcbf5fe94d0729c0392979bc45257b5939ae622b6557bd20fee174ba9784e39b02bb9d8c0c49543ebc8969407e224ac34da

/data/data/com.trouba.terrasse/cache/pdopvwuxqvspvygx

MD5 b516bebc401371e22aeedaf0b19ef16e
SHA1 6e64dd90f4194a6037f2291d1d117a7224ecd33f
SHA256 f78be45c469404aea570357c4902554849f0896021f76bffb975dc588f22b756
SHA512 e6473227f221e465f6150292a8581ccde4343ccb7b1ecb93f9373358fc5bb97a6e635053ca308a27e0df6d97ca5ba23375d7e2f1363a63404256810a6d51a511

/data/data/com.trouba.terrasse/cache/cxbgzdnknjqmetqf

MD5 b1e7f71ed55daefdb2a5055d30a64e44
SHA1 62c994b54fcac063accb892aa543d21a1a2b003a
SHA256 e395f3b91edbcc6534d4d753511fdd1eeaadfc7203ed3054679666586c794ec9
SHA512 40491e3fa3b982ecf393eecac7f03d41381deee030de470704f10a5fd97c5f95c969ad5946678789d42eb401efa6f03fe7987b34c116f4781bdb7dd1af126608

/data/data/com.trouba.terrasse/files/foehsvwfxcncybwl.dex

MD5 38ee35ba278a7af791ac8844f99aec13
SHA1 8f7fc117a35c2cec91034da33b8c2930e5d1acdb
SHA256 f889246491a0f9c0e745df52bb7b59ee29e2f65c107c194a5f9e59d2b2f52bb3
SHA512 39e8e453a7aac150372c0ff18a1f71c69139829763addafad542ac9b661f9542a74073682f97869f873d8eff7e0233ca337b66bf4032f403cea1ecd73ea6e5dc

/data/data/com.trouba.terrasse/files/oat/foehsvwfxcncybwl.dex.cur.prof

MD5 259acbe17aa91d65021ee14cc6f881f9
SHA1 5ff801f37be639ca7abf1fadeceba9b3276f2433
SHA256 8cf697d6fd75bc6625925a29d615452eb08fb246468b0bc071757a7c69bd3321
SHA512 ead207607815d398a8723f7a6d61e6c62ebd94fb7cf167ee42fba1ba3815131ca631fe6c53c19a1bdd5cca6216ee45353a5ceff5b3324140a77ef970f437b58c

/data/data/com.trouba.terrasse/files/oat/sjensoalgqyrktgc.dex.cur.prof

MD5 e304df488f00bb83e4e0ca707704048c
SHA1 9a13dd119b11bd43046a663a5fe1a12294534bbe
SHA256 9504ae72aaa6f3a1969d7ab0e0e53a2cbba5b0cc233b226d12dfbe9e272e96b6
SHA512 1d088fda2751e419e17aa100f78e3b3b0db12c952a1cd921289879e118594fbb167376a8ade934377646ad6cc20477d53c8ef5911cb832ae5b291f55f6d0869e
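As an added example for this report (not code from the sandbox or from the Vultur sample), the following Python triage helper classifies the files an Android app has written into its private files/ and cache/ directories by their leading bytes rather than by name, which is the check the "Loads dropped Dex/Jar" signature and the randomly named cache entries above call for. The directory tree it builds reuses the report's path names but with constructed contents; the magic-number table and entropy threshold are the author's own choices.

```python
"""Classify files an Android app drops into its private storage by content.

Added example for this report, not code from the sandbox or from the Vultur
sample. It walks an extracted /data/data/<pkg>/ tree, identifies runtime
loadable payloads (DEX, JAR/APK, ELF) by their leading bytes, and flags
random-looking blobs that carry no recognisable magic. The demo tree it
builds reuses the report's path names with constructed contents.
"""
import math
import os
import random
import tempfile

# Leading bytes of the containers a dropped Android payload usually comes in.
# These are the real on-disk prefixes; the table is deliberately short.
MAGICS = {
    b"dex\n": "dex",        # DEX file, loadable via DexClassLoader / InMemoryDexClassLoader
    b"dey\n": "odex",       # legacy optimised DEX
    b"PK\x03\x04": "zip",   # JAR/APK, also loadable via DexClassLoader
    b"\x7fELF": "elf",      # native library, loadable via System.load
}
LOADABLE = {"dex", "odex", "zip", "elf"}
# App-private directories an installed APK cannot ship code in; code found
# here was written at runtime.
RUNTIME_DIRS = {"files", "cache", "code_cache", "app_dex", "no_backup"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blob(head: bytes, high_entropy: float = 7.5) -> str:
    """Label a file from its first bytes: a MAGICS label, "encrypted?" or "other"."""
    for magic, label in MAGICS.items():
        if head.startswith(magic):
            return label
    if len(head) >= 256 and shannon_entropy(head) >= high_entropy:
        return "encrypted?"
    return "other"


def scan_app_dir(root: str, sample_size: int = 4096) -> list[dict]:
    """Classify every regular file under an extracted app data directory.

    `loadable` is set when executable code sits in a directory that the
    installed APK could not have populated, i.e. it was dropped at runtime.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            kind = classify_blob(head)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append({
                "path": rel,
                "kind": kind,
                "size": os.path.getsize(path),
                "loadable": kind in LOADABLE and rel.split("/")[0] in RUNTIME_DIRS,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> str:
    """Constructed stand-in for the sample's data directory (all contents synthetic)."""
    root = tempfile.mkdtemp(prefix="com.trouba.terrasse-")
    for sub in ("files/oat", "cache", "databases"):
        os.makedirs(os.path.join(root, sub))
    rng = random.Random(2024)  # fixed seed so the demo is reproducible
    # Dropped DEX: real magic "dex\n035\0", rest of the header zeroed.
    with open(os.path.join(root, "files", "foehsvwfxcncybwl.dex"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"\x00" * 0x68)
    # Random-looking blob with no magic, as an encrypted payload in cache/ would look.
    with open(os.path.join(root, "cache", "pdopvwuxqvspvygx"), "wb") as fh:
        fh.write(rng.randbytes(4096))
    # ART profile left behind after the DEX was loaded; placeholder bytes, not executable.
    with open(os.path.join(root, "files", "oat", "foehsvwfxcncybwl.dex.cur.prof"), "wb") as fh:
        fh.write(b"pro\x00" + b"\x00" * 300)
    # SQLite database written by a bundled Google library; benign noise.
    with open(os.path.join(root, "databases", "com.google.android.datatransport.events"), "wb") as fh:
        fh.write(b"SQLite format 3\x00" + b"\x00" * 4080)
    return root


if __name__ == "__main__":
    for f in scan_app_dir(build_demo_tree()):
        flag = "LOADABLE " if f["loadable"] else "         "
        print(f"{flag}{f['kind']:<10} {f['size']:>6}  {f['path']}")
```

Run against a real pull of /data/data/com.trouba.terrasse/ from the emulator, the script separates the dropped DEX (loadable) from the ART profile and SQLite state (other) and flags the extensionless cache blobs as encrypted-looking candidates worth decrypting by hooking Cipher.doFinal; a blob that later turns out to start with the DEX magic after decryption is the payload that the "Loads dropped Dex/Jar" events refer to.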