tanglebot | 9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f

Analysis

max time kernel
8s
max time network
36s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f.apk
Size

9.7MB
MD5

5f47d032af394ca8ae319f5239bcb694
SHA1

19ab3183ed91e7048a75b2ce1f2599bff2966f1f
SHA256

9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f
SHA512

c108bf407f983cdd3e094812d0be0ba0cca5e88af1adb3a865da982a24cdfe78d88fd26935e0f3b54de025bb281ac38fc4043c0b3641a36845492879c9080cc5
SSDEEP

196608:OqhyRy9WVVfHC4dMlf5OaPNTcl8OQVbsCZfRC9uQuWLWvS:rhzAVfHC99FcyOQZZEBu8f

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4268-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.size.clown/app_high/FU.json	4268	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.size.clown/app_high/FU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.size.clown/app_high/oat/x86/FU.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.size.clown/app_high/FU.json	4242	com.size.clown

com.size.clown
1⤵
- Loads dropped Dex/Jar
PID:4242
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.size.clown/app_high/FU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.size.clown/app_high/oat/x86/FU.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4268

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.size.clown/app_high/FU.json

Filesize
1.8MB

MD5
10d1c217f31e8490e604eda322960f8c

SHA1
8e05459c0a824eb9e062eb20570bcd55ca016246

SHA256
9a56033a22c270b38dd0e93c872bfb4112bc92f33f87e146e950e2c2c5ebc09e

SHA512
d51d96870b5e1cf55bdb40fc423bded47ed0e700eea5871d2803a6f736508565fcd46163f5057ea139055691b26500ab4701af07d8bd1c6378f3021be43ff254

Download Submit
/data/data/com.size.clown/app_high/FU.json

Filesize
1.8MB

MD5
6566f8a37cd58ef321f3d013edbfe9f2

SHA1
86d515d95745b5f607eda8691cf4410935d76d0d

SHA256
f3bc69e0ad54816d80e775d804aec4577122a1eeab7429909599955594b2a948

SHA512
65bd509abd4707eb06a6b47e5f0cc17435bb71cab34818b0daa3f127a2a217755eedececd80bcb7b375937e6f7ae063e05757f31449d3cce2f72279b3f8451e4

Download Submit
/data/user/0/com.size.clown/app_high/FU.json

Filesize
4.4MB

MD5
035bc4614a3b07aae687669703229f6e

SHA1
f85c5422d6bda42709c9041ec3980553cae22ad0

SHA256
057b83ff2c56f6f00dddefad765478be710d34babf2af46996c1f0f09076df81

SHA512
f9e3ad104b7055d335f7f5d2cf72b1d97997479133b17d2c53a282ad6d5b96c0af4257360df31d93afd727a5dcd8e3eb4a55e01b0aaf64222803f13bc6d91dac

Download Submit
/data/user/0/com.size.clown/app_high/FU.json

Filesize
4.4MB

MD5
06047b6394b3a224df6ed7ef727a9cc4

SHA1
66e22a91df6cda254eae5d19aa316f4b547d3831

SHA256
f9af5133796ae82edfd7a007af15397ba6c73965d6031eec51773c4581d68de5

SHA512
955b1bf8b369ddf1e0fcde5ac97fb4972128692ca9b63ca53b24855324d7cfa50f263ecf4d897b3ed4cdb3e62028a9dfa05a1ccac11ac6a45f80baee4096c173

Download Submit