tanglebot | f660f547593f9fae1ec7c520935f2fc227661f12546ee24fc20fd0a31d0bca09 | Triage

Sharing

General

Target

f660f547593f9fae1ec7c520935f2fc227661f12546ee24fc20fd0a31d0bca09.bin
Size

1.7MB
Sample

241212-1xj14syndy
MD5

651da6e7e8f6765c9ed2d9a5e54a2c8e
SHA1

53f1f242c837a659ded81fb68700772a61e1b970
SHA256

f660f547593f9fae1ec7c520935f2fc227661f12546ee24fc20fd0a31d0bca09
SHA512

9e4fb97dc335c7b86651c52aaabbb23907bc5d28940c1b09708807d24e52cf643f326ea5f568a5ce7b9e062bca0d61f7677973959876a49ed24d813bc302e920
SSDEEP

49152:trLTScWlO8qvWvqjjx1Il4UwKSJp2FIXpyxrqms:tGcGwvWCjDUwH2FIOrqms

Score

10^/10

tanglebot android banker collection credential_access discovery evasion impact persistence

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+ZJAj-vCkxkE4N2E0

https://t.me/+jz7SONzTmCI0YmM0

https://t.me/+saoiPgiTyD1iZDBk

Targets

- Target
  
  f660f547593f9fae1ec7c520935f2fc227661f12546ee24fc20fd0a31d0bca09.bin
- Size
  
  1.7MB
- MD5
  
  651da6e7e8f6765c9ed2d9a5e54a2c8e
- SHA1
  
  53f1f242c837a659ded81fb68700772a61e1b970
- SHA256
  
  f660f547593f9fae1ec7c520935f2fc227661f12546ee24fc20fd0a31d0bca09
- SHA512
  
  9e4fb97dc335c7b86651c52aaabbb23907bc5d28940c1b09708807d24e52cf643f326ea5f568a5ce7b9e062bca0d61f7677973959876a49ed24d813bc302e920
- SSDEEP
  
  49152:trLTScWlO8qvWvqjjx1Il4UwKSJp2FIXpyxrqms:tGcGwvWCjDUwH2FIOrqms
Score

7^/10

banker collection credential_access discovery evasion persistence impact
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Reads information about phone network operator.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Privilege Escalation

Defense Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Tasks

static1

behavioral1

bankercollectioncredential_accessdiscoveryevasionpersistence

behavioral2

bankercollectioncredential_accessdiscoveryevasionimpactpersistence