Malware Analysis Report

2025-01-19 05:49

Sample ID 241212-11dy9s1kel
Target 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.bin
SHA256 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48
Tags
tanglebot banker collection credential_access discovery evasion impact infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48

Threat Level: Known bad

The file 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.bin was found to be: Known bad.

Malicious Activity Summary

tanglebot banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

TangleBot

TangleBot payload

Tanglebot family

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Reads information about the phone network operator

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Mobile Matrix V15. The tactic mapping appears as the tags on each signature below (collection, credential_access, discovery, evasion, impact, persistence).

Analysis: static1

Detonation Overview

Reported

2024-12-12 22:06

Signatures

Declares services with permission to bind to the system

Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Process: N/A
Target: N/A

A service declared with this permission can only be bound by the system, which is exactly what every legitimate accessibility service also declares; the declaration alone is not malicious, and the service does nothing until the user enables it under Settings > Accessibility. What makes it relevant here is that both behavioral runs below show the service actually being used (findAccessibilityNodeInfoByAccessibilityId, performGlobalAction).
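To reproduce the static1 finding on an APK you have decoded yourself (with apktool or similar), here is an added example that is not part of the sandbox report or its tooling. It scans a decoded AndroidManifest.xml for services wired up as accessibility services. The manifest embedded in it is constructed for the example: the package name is the one this report observed, while the service class names (.AccService, .SyncService) and the config resource name are invented.

```python
"""Static check for accessibility-service declarations in a decoded AndroidManifest.xml.

Added example for this report, not part of the sandbox's own tooling. It
reproduces the static1 signature ("Declares services with permission to bind
to the system") on a manifest decoded with apktool or similar. The manifest
below is constructed: the package name is the one seen in this report, the
service class names (.AccService, .SyncService) are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_META = "android.accessibilityservice"

# Constructed manifest: one service wired up as an accessibility service and
# one unrelated service, so the filter has something to reject.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="hiddentest.roott.apptst">
  <application android:label="app">
    <service android:name=".AccService"
             android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/acc_config"/>
    </service>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def find_accessibility_services(manifest_xml):
    """Return each <service> that is declared as an accessibility service.

    A working accessibility service needs BIND_ACCESSIBILITY_SERVICE (so only
    the system can bind it), an intent filter for the AccessibilityService
    action, and a meta-data entry pointing at its configuration. Each flag is
    reported separately so partial declarations are still visible.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    hits = []
    for svc in root.iter("service"):
        name = _attr(svc, "name") or ""
        if name.startswith("."):          # shorthand for <package>.<Class>
            name = pkg + name
        has_perm = _attr(svc, "permission") == BIND_A11Y
        has_action = any(_attr(a, "name") == A11Y_ACTION for a in svc.iter("action"))
        has_meta = any(_attr(m, "name") == A11Y_META for m in svc.iter("meta-data"))
        if has_perm or has_action or has_meta:
            hits.append({
                "name": name,
                "bind_permission": has_perm,
                "a11y_action": has_action,
                "config_meta": has_meta,
                "exported": _attr(svc, "exported"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_accessibility_services(SAMPLE_MANIFEST):
        print(hit)
```

Run it against the manifest apktool writes out for the sample; a hit with all three flags set is the declaration the static1 signature fires on, and the config resource it points at (the android:resource value) tells you which events and packages the service asked to observe.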

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 22:06

Reported

2024-12-12 22:08

Platform

android-x86-arm-20240910-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 22:06

Reported

2024-12-12 22:09

Platform

android-x64-20240910-en

Max time kernel

123s

Max time network

151s

Command Line

hiddentest.roott.apptst

Signatures

TangleBot

Tags: trojan infostealer spyware tanglebot

TangleBot payload

Description / Indicator / Process / Target: N/A

Tanglebot family

Tags: tanglebot

Loads dropped Dex/Jar

Tags: evasion
Description: N/A
Indicator: /data/user/0/hiddentest.roott.apptst/code_cache/secondary-dexes/base.apk.classes1.zip
Process: N/A
Target: N/A

The path and naming (code_cache/secondary-dexes/, a tmp-<apk>.classes<random>.zip written first, then base.apk.classes1.zip) follow the extraction scheme of the MultiDex support library, which benign multidex apps also produce, so this signature on its own does not prove a staged payload. More telling is that the extracted archive has the same hashes in behavioral2 and behavioral3 (see Files), which is consistent with content carried in the APK rather than generated or downloaded per run. Extract the archive and decompile its classes.dex to see what code it adds.

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

findAccessibilityNodeInfoByAccessibilityId is the call an accessibility service uses to read the UI tree of whatever app is in the foreground, which is how text in other apps' input fields becomes readable to it.

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

performGlobalAction triggers system-level actions such as Back, Home or Recents without user input; banking malware commonly uses it to push the user out of the Settings screens where the service could be disabled or the app uninstalled, which is why the sandbox tags it as evasion.

Queries the mobile country code (MCC)

Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Reads information about the phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

hiddentest.roott.apptst

Network

Country  Destination           Proto  Domain
N/A      224.0.0.251:5353      udp
GB       142.250.200.46:443    tcp
US       1.1.1.1:53            udp    android.apis.google.com
GB       172.217.16.238:443    tcp    android.apis.google.com
GB       142.250.187.234:443   tcp
US       1.1.1.1:53            udp    cdnjs.cloudflare.com
US       1.1.1.1:53            udp    gazete.firat.edu.tr
US       1.1.1.1:53            udp    cdn.tailwindcss.com
US       1.1.1.1:53            udp    upload.wikimedia.org
US       104.17.24.14:443      tcp    cdnjs.cloudflare.com
NL       185.15.59.240:443     tcp    upload.wikimedia.org
US       172.67.41.16:443      tcp    cdn.tailwindcss.com
US       1.1.1.1:53            udp    foto.haberler.com
US       1.1.1.1:53            udp    encrypted-tbn0.gstatic.com
US       1.1.1.1:53            udp    www.mxgp.com
US       1.1.1.1:53            udp    media04.ligtv.com.tr
GB       142.250.187.206:443   tcp    encrypted-tbn0.gstatic.com
GB       18.244.124.73:443     tcp    media04.ligtv.com.tr
GB       195.181.165.181:443   tcp    foto.haberler.com
NL       40.68.44.245:443      tcp    www.mxgp.com
TR       193.255.124.32:443    tcp    gazete.firat.edu.tr
US       1.1.1.1:53            udp    ssl.google-analytics.com
GB       172.217.169.40:443    tcp    ssl.google-analytics.com
US       1.1.1.1:53            udp    t.me
NL       149.154.167.99:443    tcp    t.me
US       1.1.1.1:53            udp    nabbealss.top
US       1.1.1.1:53            udp    semanticlocation-pa.googleapis.com
US       104.21.87.148:443     tcp    nabbealss.top
GB       142.250.200.42:443    tcp    semanticlocation-pa.googleapis.com
GB       142.250.187.234:443   tcp    semanticlocation-pa.googleapis.com
GB       216.58.201.98:443     tcp

Domain is blank where the report recorded none. 224.0.0.251:5353 is mDNS multicast and 1.1.1.1:53 is the sandbox's DNS resolver, so the 1.1.1.1 rows are lookups, not connections to the named host. Most of the resolved names are Google, Cloudflare CDN, Wikimedia and Turkish news and university sites, a mix consistent with a WebView rendering an ordinary web page. nabbealss.top is the only name without an obvious owner and is the one to pivot on; t.me (Telegram) is also worth checking for what was requested. Both were contacted over TLS on 443, so the content exchanged is not visible in this report.

Files

/data/data/hiddentest.roott.apptst/code_cache/secondary-dexes/tmp-base.apk.classes9191101690849792191.zip

MD5     4a93f71cdd3a5c29874fd7923e2ffd5e
SHA1    26a59d0ce3b4d4709ec28f9163acc0321c825a36
SHA256  516c22c6d5412cfa5e4fdbd9b5330316dcf4850facb173457b36d25e0dc5fe7a
SHA512  08143e63fe57255c2dff703841753b0cc564bd99bc6d1e498ee17936094d6071875cce1622d7b9ad7bf35c7fd061352eb9fc86c84ed992aec620ef3d457eada0

/data/user/0/hiddentest.roott.apptst/code_cache/secondary-dexes/base.apk.classes1.zip

MD5     a2e605d08c47f2381d933eeaa84ee1f9
SHA1    00cd60f5a352821c5e446bcd2409625a0740700e
SHA256  9a61f121838b1a395885f4ea653554c5111f4b656ea8f92048ecc9275dde6342
SHA512  51999b86f297b7d5bc8e9bb25ab6421f1a94598b04d27df8fd5337e481206345622579b519a3d77f078d640c0f8e0a92c739939f057ad0066c5830e0aa4d491c

/data/data/<package> and /data/user/0/<package> are the same directory on Android (the former is a symlink to the latter), so both archives sit in the app's code_cache/secondary-dexes/. The tmp- archive and base.apk.classes1.zip have different hashes, so the tmp file as captured is not byte-identical to the final archive; keep both as separate artifacts. The final archive's hashes match those recorded in behavioral3.

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-12 22:06

Reported

2024-12-12 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

114s

Max time network

151s

Command Line

hiddentest.roott.apptst

Signatures

TangleBot

Tags: trojan infostealer spyware tanglebot

TangleBot payload

Description / Indicator / Process / Target: N/A

Tanglebot family

Tags: tanglebot

Loads dropped Dex/Jar

Tags: evasion
Description: N/A
Indicator: /data/user/0/hiddentest.roott.apptst/code_cache/secondary-dexes/base.apk.classes1.zip
Process: N/A
Target: N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

Reads information about the phone network operator

Tags: discovery

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

hiddentest.roott.apptst

Network

Country  Destination           Proto  Domain
N/A      224.0.0.251:5353      udp
GB       172.217.169.78:443    tcp
US       1.1.1.1:53            udp    android.apis.google.com
GB       172.217.16.238:443    tcp    android.apis.google.com
US       1.1.1.1:53            udp    www.youtube.com
GB       172.217.16.238:443    tcp    www.youtube.com
GB       142.250.200.46:443    udp    www.youtube.com
GB       142.250.200.46:443    tcp    www.youtube.com
US       216.239.36.223:443    tcp
US       1.1.1.1:53            udp    cdnjs.cloudflare.com
US       1.1.1.1:53            udp    cdn.tailwindcss.com
US       104.17.24.14:443      tcp    cdnjs.cloudflare.com
US       104.22.21.144:443     tcp    cdn.tailwindcss.com
US       1.1.1.1:53            udp    upload.wikimedia.org
NL       185.15.59.240:443     tcp    upload.wikimedia.org
US       1.1.1.1:53            udp    gazete.firat.edu.tr
US       1.1.1.1:53            udp    foto.haberler.com
NL       185.15.59.240:443     tcp    upload.wikimedia.org
US       1.1.1.1:53            udp    encrypted-tbn0.gstatic.com
US       1.1.1.1:53            udp    media04.ligtv.com.tr
US       1.1.1.1:53            udp    www.mxgp.com
GB       195.181.165.140:443   tcp    foto.haberler.com
GB       172.217.169.78:443    tcp    encrypted-tbn0.gstatic.com
NL       40.68.44.245:443      tcp    www.mxgp.com
GB       18.244.124.22:443     tcp    media04.ligtv.com.tr
TR       193.255.124.32:443    tcp    gazete.firat.edu.tr
US       1.1.1.1:53            udp    ssl.google-analytics.com
GB       142.250.187.232:443   tcp    ssl.google-analytics.com
US       1.1.1.1:53            udp    t.me
NL       149.154.167.99:443    tcp    t.me
US       1.1.1.1:53            udp    nabbealss.top
US       172.67.169.232:443    tcp    nabbealss.top
GB       142.250.187.206:443   tcp    www.youtube.com
GB       142.250.179.225:443   tcp
GB       216.58.201.97:443     tcp
US       216.239.36.223:443    tcp

Domain is blank where the report recorded none. The udp row to 142.250.200.46:443 is QUIC to the same YouTube front end the tcp rows reach. nabbealss.top resolved to 172.67.169.232 here and to 104.21.87.148 in behavioral2; both are Cloudflare-proxied ranges (compare 172.67.41.16 for cdn.tailwindcss.com), so the origin host is hidden and the domain, not the address, is the indicator to track.
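As an added example, not part of the sandbox report, the following parses rows in the layout of the Network tables in behavioral2 and behavioral3 (the Domain column is absent on some rows), separates resolver lookups from real connections, and surfaces names outside an allowlist so the reviewer sees nabbealss.top and t.me instead of forty CDN rows. The embedded rows are copied from the behavioral2 table; the allowlist of well-known suffixes is an assumption for the example and should be tuned per environment.

```python
"""Triage helper for the Network tables in this report.

Added example, not part of the sandbox report. It parses rows in the report's
"Country Destination Domain Proto" layout (Domain is missing on some rows),
separates resolver lookups from real connections, and flags names outside an
allowlist. The embedded rows are copied from the behavioral2 table; the
allowlist is an assumption for the example and should be tuned per environment.
"""
import re
from collections import defaultdict

# Subset of the behavioral2 Network table, copied from the report above.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 1.1.1.1:53 gazete.firat.edu.tr udp
TR 193.255.124.32:443 gazete.firat.edu.tr tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 nabbealss.top udp
US 104.21.87.148:443 nabbealss.top tcp
"""

RESOLVER = "1.1.1.1:53"          # the sandbox's DNS resolver in this report
MDNS = "224.0.0.251:5353"        # mDNS multicast, local noise

# Assumed allowlist: suffixes a WebView rendering an ordinary page would hit.
KNOWN_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                  "cloudflare.com", "tailwindcss.com", "wikimedia.org",
                  "youtube.com")

# Domain is optional; proto is always the last field.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<dst>\S+:\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report rows into dicts; raise on a row that does not fit."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsable row: %r" % line)
        row = m.groupdict()
        row["domain"] = row["domain"] or None
        rows.append(row)
    return rows


def _known(domain):
    return any(domain == s or domain.endswith("." + s) for s in KNOWN_SUFFIXES)


def triage(rows):
    """Split lookups from connections and flag names outside the allowlist."""
    lookups = set()
    connections = defaultdict(set)   # domain (None if absent) -> {ip:port}
    for row in rows:
        if row["dst"] == RESOLVER:
            if row["domain"]:
                lookups.add(row["domain"])
            continue
        if row["dst"] == MDNS:
            continue
        connections[row["domain"]].add(row["dst"])
    return {
        "lookups": sorted(lookups),
        "suspicious": sorted(d for d in lookups if not _known(d)),
        "connections": {d: sorted(v) for d, v in connections.items() if d},
        "unresolved": sorted(connections.get(None, set())),
    }


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for name in result["suspicious"]:
        print(name, result["connections"].get(name, []))
    print("connections without a domain:", result["unresolved"])
```

Paste the full table from either run in place of SAMPLE_ROWS; the "unresolved" list (connections the report could not tie to a name) is the second thing to look at after the flagged names, since a hard-coded C2 address would show up there rather than under a domain.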

Files

/data/data/hiddentest.roott.apptst/code_cache/secondary-dexes/tmp-base.apk.classes8621060544657073003.zip

MD5     4a93f71cdd3a5c29874fd7923e2ffd5e
SHA1    26a59d0ce3b4d4709ec28f9163acc0321c825a36
SHA256  516c22c6d5412cfa5e4fdbd9b5330316dcf4850facb173457b36d25e0dc5fe7a
SHA512  08143e63fe57255c2dff703841753b0cc564bd99bc6d1e498ee17936094d6071875cce1622d7b9ad7bf35c7fd061352eb9fc86c84ed992aec620ef3d457eada0

/data/user/0/hiddentest.roott.apptst/code_cache/secondary-dexes/base.apk.classes1.zip

MD5     a2e605d08c47f2381d933eeaa84ee1f9
SHA1    00cd60f5a352821c5e446bcd2409625a0740700e
SHA256  9a61f121838b1a395885f4ea653554c5111f4b656ea8f92048ecc9275dde6342
SHA512  51999b86f297b7d5bc8e9bb25ab6421f1a94598b04d27df8fd5337e481206345622579b519a3d77f078d640c0f8e0a92c739939f057ad0066c5830e0aa4d491c
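As an added example (not from the report), the following checks a dropped archive of the kind listed under Files in behavioral2 and behavioral3: a MultiDex-style secondary archive is a zip holding a single classes.dex, so the checker verifies that layout, the dex magic, and the archive's SHA-256 against the value the sandbox reported. The archive it builds is constructed in memory with a fake dex header; to check the real artifact, read base.apk.classes1.zip pulled from the device or sandbox and pass the SHA256 from the Files section as expected_sha256.

```python
"""Checks on a dropped secondary-dex archive of the kind listed under Files.

Added example, not from the report. A MultiDex-style secondary archive
(code_cache/secondary-dexes/<apk>.classes<N>.zip) is a zip holding a single
classes.dex, so the checker verifies that layout, the dex magic, and the
archive's SHA-256 against the value the sandbox reported. The archive built
here is constructed in memory with a fake dex header; point the function at
the real base.apk.classes1.zip and pass the SHA-256 from the Files section
to check the actual artifact.
"""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"            # full magic is b"dex\n" + 3-digit version + NUL


def build_fake_secondary_zip():
    """Constructed stand-in for base.apk.classes1.zip (one entry, fake dex)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def inspect_secondary_dex(archive_bytes, expected_sha256=None):
    """Describe the archive and say whether it matches the expected layout/hash."""
    sha = hashlib.sha256(archive_bytes).hexdigest()
    report = {
        "sha256": sha,
        "hash_matches": expected_sha256 is None or sha == expected_sha256.lower(),
        "entries": [],
        "single_classes_dex": False,
        "dex_magic_ok": False,
        "dex_version": None,
        "error": None,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        report["error"] = "not a zip archive"
        return report
    with zf:
        names = zf.namelist()
        report["entries"] = names
        report["single_classes_dex"] = names == ["classes.dex"]
        if "classes.dex" in names:
            with zf.open("classes.dex") as f:
                head = f.read(8)
            # "dex\n035\0": magic, ASCII version, NUL terminator
            if len(head) == 8 and head.startswith(DEX_MAGIC) and head[7] == 0:
                report["dex_magic_ok"] = True
                report["dex_version"] = head[4:7].decode("ascii", "replace")
    return report


if __name__ == "__main__":
    data = build_fake_secondary_zip()
    print(inspect_secondary_dex(data))
```

An archive that passes all three checks is the ordinary MultiDex shape; one with extra entries, a non-dex payload, or a hash that does not match what the sandbox recorded means either a custom loader or that you pulled a different file than the one the run observed, and in both cases the classes.dex inside is what to decompile next.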