tanglebot | 5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c

Analysis

max time kernel
8s
max time network
38s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c.apk
Size

9.7MB
MD5

3c8edc09b6670b1134f50f35ab6531b9
SHA1

98c24c59514bd49770d6d4acdd13dcb892e6c443
SHA256

5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c
SHA512

3d8fad8d1295d7787215021447568681e2fa235c38caf454bca6047004a085cdcf430729ccbfc9e932e518834e1798c4d916c6498c96638aa393131d25379477
SSDEEP

196608:S0edPOXgX65O2PwQpOOctega3COvDFVZIeUJCsnMrExvXNDF+TdGs1M+YMG:beRd2Z3p5ct4ZIeSMKdq5m+Y

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4290-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.heart.stomach/app_repeat/RDXBC.json	4290	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heart.stomach/app_repeat/RDXBC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heart.stomach/app_repeat/oat/x86/RDXBC.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.heart.stomach/app_repeat/RDXBC.json	4265	com.heart.stomach

com.heart.stomach
1⤵
- Loads dropped Dex/Jar
PID:4265
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heart.stomach/app_repeat/RDXBC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heart.stomach/app_repeat/oat/x86/RDXBC.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4290

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.heart.stomach/app_repeat/RDXBC.json

Filesize
1.8MB

MD5
52d02a160ec20cf9fd21931fc0009668

SHA1
aafffa36dc6300dc3c9b86daf329cc4457c4b955

SHA256
302e86bdc9defaf9b487d91d495a2c8ab712e20e409a5f4a595cb855b2c05db3

SHA512
0f22601fc266e078545b0a6fca6419ff79aa91c86dca3d78e6231de23296e39d59b1530cb7747c825e44c25778d68499ced7c0a24ce9fcc6a51123737c2f0321

Download Submit
/data/data/com.heart.stomach/app_repeat/RDXBC.json

Filesize
1.8MB

MD5
2b4ad47045a819eb380ea670dfc173c6

SHA1
202dc59a506694816906bbb06a7b9125889b8e36

SHA256
b5f870b221bd6d7d04ab241817cf5f33ebacb8f6c20d2dd145b7f20a0b210738

SHA512
99bcc0b256777dd3da6988d1e2edd9fb16e4b11b4917b8f8433f1eef1b145c84c9ad19e936871950028b65d649c992b6080f18a7e287d4367f107b24ad81225c

Download Submit
/data/user/0/com.heart.stomach/app_repeat/RDXBC.json

Filesize
4.4MB

MD5
216a33b3920500b426b408c7907855b6

SHA1
ec88d10babfbc516c989c24186284596016d38a2

SHA256
2f2f712d39ff161343c6004c76ab8e1d5835efedfaf56a603fa3c84f018831a5

SHA512
caeb648385647117c8beda006ca2537107d8efc0740f29dcd75305ff5fed65b7abebddb9648d92b103048fb0fcdb70be2f391224c62e688fc422236c3bdbdf58

Download Submit
/data/user/0/com.heart.stomach/app_repeat/RDXBC.json

Filesize
4.4MB

MD5
09d1d3d0c279b8743af185f4d04f5c0f

SHA1
efb8799dbec891b678896513c7f5246b5b3d6ed4

SHA256
cb7953fe71926fd400ac0def4465316c79e586bfaa18f7782f9409cb01c89a5e

SHA512
df04ddf875882dbcabfb5eb539116a22acd1bbfdd56056a09961887afbd8a4a88ba1ff64e88597189db648bc23d452e001ab93f72d837c9e0a3650f0138a7d6b

Download Submit