Malware Analysis Report

2025-01-19 05:50

Sample ID 241212-1xm3rs1jfk
Target 74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.bin
SHA256 74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e
Tags: tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact

Score: 10/10


Analysis Overview

Score: 10/10

SHA256

74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e

Threat Level: Known bad

The file 74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.bin was found to be: Known bad.

Malicious Activity Summary

tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact

TangleBot payload

Tanglebot family

TangleBot

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-12 22:01

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 22:01

Reported

2024-12-12 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

118s

Max time network

155s

Command Line

updater.anonr.etcapu

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A
N/A /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

updater.anonr.etcapu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 bahhsfafd.top udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 104.21.85.109:443 bahhsfafd.top tcp
GB 172.217.16.228:80 tcp
GB 172.217.16.228:443 tcp
GB 142.250.200.35:80 clientservices.googleapis.com tcp

Files

/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes1724542003028007605.zip

MD5 aec29f79b44932f3443f0729b61e96d8
SHA1 3dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256 930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512 c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 346d6949d49f24cdf371097a568f0464
SHA1 ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA256 7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512 fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13

/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 d341e18fd398ef4f73cb9deaca3b582e
SHA1 abca06a99382db054d6c7dbb5ea31e3e7d596200
SHA256 85f699a8b8da6a9bf36efed7314b88b6e9b87cc3dd9af7cc3277f2ba7d5f56a7
SHA512 c60d1c9d951cf67ec81f4677a5793931bd14dba6371d8e5e41997431c3ac43f3fa37ab7b9b0a70c5ee0a7e6a8370a3c7587e08b2754c3478828dbd8f818a036c

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 22:01

Reported

2024-12-12 22:04

Platform

android-x64-20240910-en

Max time kernel

118s

Max time network

156s

Command Line

updater.anonr.etcapu

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

updater.anonr.etcapu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 bahhsfafd.top udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
US 104.21.85.109:443 bahhsfafd.top tcp
GB 216.58.204.66:443 tcp

Files

/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes7457008802851050530.zip

MD5 aec29f79b44932f3443f0729b61e96d8
SHA1 3dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256 930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512 c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 346d6949d49f24cdf371097a568f0464
SHA1 ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA256 7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512 fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-12 22:01

Reported

2024-12-12 22:04

Platform

android-x64-arm64-20240624-en

Max time kernel

117s

Max time network

157s

Command Line

updater.anonr.etcapu

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

updater.anonr.etcapu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 bahhsfafd.top udp
US 104.21.85.109:443 bahhsfafd.top tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes2061298708547673289.zip

MD5 aec29f79b44932f3443f0729b61e96d8
SHA1 3dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256 930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512 c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 346d6949d49f24cdf371097a568f0464
SHA1 ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA256 7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512 fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13