tanglebot | 5ba71e64d182319471a8a727af92f473628136682315e430dd5061bbea11d070

Analysis

max time kernel
7s
max time network
36s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba71e64d182319471a8a727af92f473628136682315e430dd5061bbea11d070.apk
Size

7.5MB
MD5

9b69cee561196cefc709d453a7211e41
SHA1

92889ede639b3b532a96e187880b02bd4ee2b304
SHA256

5ba71e64d182319471a8a727af92f473628136682315e430dd5061bbea11d070
SHA512

f02d45eeb75d3eccd9d849dcf4b744f6a2aef122658a4b426e213f6ad3553da54a1aeddbead277b0de320544cfe10df99db6ba96dd701d04ba04be8fa0c07525
SSDEEP

196608:TYFDACgLMtclqXP9dC9DZDGOSUr6i080blAGe:aDACyfwP9dC9DZCIuLuN

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4283-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sister.push/app_chimney/PPf.json	4283	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sister.push/app_chimney/PPf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sister.push/app_chimney/oat/x86/PPf.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sister.push/app_chimney/PPf.json	4256	com.sister.push

com.sister.push
1⤵
- Loads dropped Dex/Jar
PID:4256
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sister.push/app_chimney/PPf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sister.push/app_chimney/oat/x86/PPf.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4283

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sister.push/app_chimney/PPf.json

Filesize
1.8MB

MD5
1ca3adefca67de7f0912b500c05ecc1f

SHA1
170cc448956e039b72ab6ad5c1fa9b90597b0edd

SHA256
f6955e0a06c022f95d5bcfb0c6aafe94202b2e5e40018e60baf5b69b24fd32b8

SHA512
8aa1a73e28fc88ba27c3776678155d93b5aee78799984d836ae685adddd539acc3d722317b7ad7e8c6b246ed918dcd3ec66c0d2f1f98f53595089ac426b33fe2

Download Submit
/data/data/com.sister.push/app_chimney/PPf.json

Filesize
1.8MB

MD5
011d6b0e98ad43a69e64a1da4f135686

SHA1
ff13b812f29155a06812e1216288f16e8ac8b36a

SHA256
c81d0c3354be3dab9e8ee3b758d586bc5ba337e0d33b6bc7384101b47ab2879f

SHA512
b5ec2f57df3625b4e60ef4581a24396f05344e86bcc713d5efb30160116cb47c958e84267ba888e98c1f541505c8de3a446e67e4266c7d457a1781ebf4070aed

Download Submit
/data/user/0/com.sister.push/app_chimney/PPf.json

Filesize
4.4MB

MD5
9e08173e95f1f29e99c5fc875074ae8d

SHA1
fcc394061a8a4deb9cd7041c38372d01a582cdc4

SHA256
556e30958c24061094214dcec8aab906f7e58abb309026440cd0f8cfe97314f1

SHA512
d3d2e25461f0cee2e98b0cf2270d4bbff0464eddf8713dae5ee40b0db83920881dd995e3455d9b23024fd2aa001507e15fa0da8a766673b982323168ea92f8ed

Download Submit
/data/user/0/com.sister.push/app_chimney/PPf.json

Filesize
4.4MB

MD5
a6f654a73272fa9bcb0c394b2ecd7350

SHA1
01fecdbae12308e86f5e6724092f0e3e6e41c334

SHA256
4b69b731e0ba810faa704e54334dceab23eb9fdc0a2575f0abee20b290a3469e

SHA512
08f35c91b683f19877c5e0456dc9a8130925b5aac25bb222a4d33b1979cbdc6ebb158a51f8499de887fe8ec487ddff4459a5ed773718a4cc7ba16fb815af4df9

Download Submit