tanglebot | da1a62ea4f0c083c7371b869091e7e095ec071d765a78387e9c2a6cfa6c6fe0c

Analysis

max time kernel
8s
max time network
37s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da1a62ea4f0c083c7371b869091e7e095ec071d765a78387e9c2a6cfa6c6fe0c.apk
Size

5.5MB
MD5

9d4e632af5782358a9d94e77d9fe3950
SHA1

9646b8f6d899b283e6abf1aea3ef70b15e4cfa3c
SHA256

da1a62ea4f0c083c7371b869091e7e095ec071d765a78387e9c2a6cfa6c6fe0c
SHA512

731b757589ebedd1709aef4d7af7eb43aa6a239eb31a3c72cd566b9c449a92373791125f39f5f0960523e23969a3463d65bfc3fe9842adfd3c2ea62578e4ffb0
SSDEEP

98304:/GY2YCUW49Un5vyyKNHJZ/0d2ZrWdb9KH1Gz3fcWIJpct90VrsmUssD4te3x:T2Y9WyUn5yE9KkSPct9i/EXx

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4278-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json	4278	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.garage.sock/app_pottery/oat/x86/FTbfhwW.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json	4249	com.garage.sock

com.garage.sock
1⤵
- Loads dropped Dex/Jar
PID:4249
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.garage.sock/app_pottery/oat/x86/FTbfhwW.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4278

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.garage.sock/app_pottery/FTbfhwW.json

Filesize
1.8MB

MD5
60a2b4e3e8844c23894ba9c87bd8265a

SHA1
d5de4f7f493e24db03c603fee20905f0d5bdab90

SHA256
8155fbb0a20e3d0d8e8350a3d1cbe7d731a823c12e537351730bb45bfc0db931

SHA512
dd105b7f3c3562f00cb80d35d044c25c0b9435f8874101e46133df0f959872db99325bb2e7dbdfa39f54fd5106944ad20ea482101f64a06fbb7bfbbf7d1e3826

Download Submit
/data/data/com.garage.sock/app_pottery/FTbfhwW.json

Filesize
1.8MB

MD5
676f578904deb975238128f8b55c86c7

SHA1
439f1b07d9edb0a48561333c9e66ee8121d95497

SHA256
3c69ac1e30c86b74f4c0f5c9abf5fdc3c152ca28ed0ad9e619d9938e4a3158aa

SHA512
1f862c86035aee1790ae2c3326da19d0d94f452a8a48f2649b52f63ba6befbf665c09fd95ed255a84ee4bed71c0bee6d90fae44368cfa32f5537caa9c920d0fd

Download Submit
/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json

Filesize
4.4MB

MD5
3d2138939be024caed9167e05564d65d

SHA1
c506c5aee0cab5b330d4410f3fb73ec376b253c7

SHA256
aef989e2f9241de732c8304e2833c2d59d23e0cfa43202e20ee276a122a1e920

SHA512
090aee055e32240dafb14649d84226555d69a727208179ed9645326369d3c17b4caa068a84ffd88440e053af5f277181f8c7dc809b6c969424ceb28c2ed08a3d

Download Submit
/data/user/0/com.garage.sock/app_pottery/FTbfhwW.json

Filesize
4.4MB

MD5
622e688b459090d0895490045522e25d

SHA1
c9fe28274308d10a94a56d277b3a52ebb08abf77

SHA256
59e314848003633cf4fb773a5c75538984205ffdf8f96e242069350a744f6bb6

SHA512
a27ed8cba45e60488efc950bc5e3d10a5b282a1a5b864a7caf4c446b805b7e97f0364b6b837e12e4f0b554c211be961309a1f2281409131fff52fb2b3532bca2

Download Submit