Malware Analysis Report

2025-01-19 07:46

Sample ID 241222-1z8r9azrdz
Target b3316495c827454bfd84b00013a336f94a939ef4e0fa589e66e460130347f9aa.bin
SHA256 b3316495c827454bfd84b00013a336f94a939ef4e0fa589e66e460130347f9aa
Tags: soumnibot banker evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score: 10/10

SHA256: b3316495c827454bfd84b00013a336f94a939ef4e0fa589e66e460130347f9aa

Threat Level: Known bad

The file b3316495c827454bfd84b00013a336f94a939ef4e0fa589e66e460130347f9aa.bin was found to be: Known bad.

Malicious Activity Summary

soumnibot banker evasion infostealer trojan

SoumniBot

Soumnibot family

Android SoumniBot payload

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-22 22:06

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Soumnibot family

soumnibot

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. (listed twice in the report) | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. (listed twice in the report) | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. (listed twice in the report) | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
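The two manifest-derived signatures above (a service protected by BIND_ACCESSIBILITY_SERVICE, and the set of dangerous permissions requested, some of them more than once) can be reproduced from the APK's manifest with a short triage script. The script below is an added example and is not part of the sandbox report or the sample; it assumes AndroidManifest.xml has already been decoded to plain XML (for example with apktool), the manifest embedded in it is constructed for illustration rather than taken from the sample, and the dangerous-permission list is an assumed subset of the framework's protection levels that should be extended as needed.

```python
"""Triage check for an Android manifest: which services require
android.permission.BIND_ACCESSIBILITY_SERVICE, which requested permissions are
dangerous, and which <uses-permission> entries appear more than once.
Assumes a decoded (plain-XML) manifest; the sample manifest is constructed."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed subset of the framework's "dangerous" protection-level permissions.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
}
# Granted through Settings rather than a runtime prompt, but central to overlay bankers.
SPECIAL = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
       "android.permission.RECEIVE_SMS"}

# Constructed manifest for this example; the sample's real manifest is not on the page.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="x">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PlainService"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = [e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)]
    seen, duplicates = set(), []
    for perm in requested:
        if perm in seen and perm not in duplicates:
            duplicates.append(perm)
        seen.add(perm)
    # Only services whose android:permission is the accessibility bind permission
    # can be picked up by the system as accessibility services.
    a11y_services = [s.get(A_NAME) for s in root.iter("service")
                     if s.get(A_PERMISSION) == BIND_A11Y]
    # Heuristic verdict: accessibility binding combined with SMS access or overlay
    # windows is the banker/infostealer shape this report describes.
    verdict = "suspicious" if a11y_services and (seen & SMS or seen & SPECIAL) else "review"
    return {
        "package": root.get("package"),
        "dangerous": sorted(seen & DANGEROUS),
        "special": sorted(seen & SPECIAL),
        "duplicates": duplicates,
        "accessibility_services": a11y_services,
        "verdict": verdict,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in analyze_manifest(text).items():
        print(f"{key}: {value}")
```

Run it against a decoded manifest path, or with no argument to analyze the constructed sample. Duplicate entries are reported rather than silently collapsed because a manifest that declares the same permission more than once is itself worth a look during triage.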

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-22 22:06
Reported: 2024-12-22 22:09
Platform: android-x86-arm-20240624-en
Max time kernel: 3s
Max time network: 136s

Command Line

com.yxhuiueaon.xnniiaauin

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SoumniBot

trojan infostealer banker soumnibot

Soumnibot family

soumnibot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | Anonymous-DexFile@0xd2cae000-0xd2e7fab8 | N/A | N/A

Processes

com.yxhuiueaon.xnniiaauin

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp

Only local mDNS multicast (224.0.0.251:5353) and Google API hosts were observed during the 136 s capture; the run recorded no other outbound connections, so no C2 endpoint can be derived from this report.

Files

/data/data/com.yxhuiueaon.xnniiaauin/.jiagu/libjiaguv1.so

MD5 889b8fb63cef543863398ddc7ed1f62f
SHA1 bf1982faae81e36aa1e998ef9ec8ccfcc7b59b17
SHA256 a7cc5386e0cc7dc773aa2090f692b84aa758492b3006f806961ce0ba7a126c48
SHA512 e6c7b8207007e68aa625b1db04aed7c981ef67f6dbf9f8b38963638cb2230aef771adaf42bb1b56c3338e34fce5c4dd34e5e632209c970d28395a87e1928c628

Anonymous-DexFile@0xd2cae000-0xd2e7fab8

MD5 e092e1ee3699367530854c86287464e2
SHA1 54dcaaa192c958da336b0979bcb0c7707fd420cc
SHA256 ba9c3afd70f7f4381991f3e889773bbfbbeb5bc0c287ac3bdac6a7b0e88b938e
SHA512 53909479e45d9f7e69888726d260add7452bf062124b03192a7bd381a9f2df88f8ae179784d863a5e221b3b6c776b9333a51ea6eccb4f7d81eb9fa47a3cd6afe
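The behavioral run reports the loaded payload as Anonymous-DexFile@0xd2cae000-0xd2e7fab8, an in-memory mapping of 0x1d1ab8 (1,907,384) bytes rather than a file on disk, while the only file written under the package directory is libjiaguv1.so in a .jiagu folder, the pattern left by a runtime packer that decrypts the real DEX into memory. When such a region is dumped from the device, the first questions are whether it is a well-formed DEX and whether its hashes match the values listed above. The script below is an added example, not part of the sandbox report or the sample's own code: it parses the DEX header, verifies the Adler-32 checksum and SHA-1 signature defined by the format, hashes the image, and carves DEX images out of a larger memory dump. The dump it operates on is constructed (a header-only DEX embedded in padding); real packer output may carry a zeroed or wrong checksum or signature even when the structure is intact, which is why the checks are reported separately.

```python
"""Parse, verify and carve DEX images from a dumped memory region.
Header layout (Dalvik executable format): 8-byte magic, u4 Adler-32 over bytes
[12:file_size], 20-byte SHA-1 over bytes [32:file_size], then twenty u4 fields.
The memory region used in the self-test is constructed for this example."""
import hashlib
import struct
import sys
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {"035", "037", "038", "039"}
FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_minimal_dex():
    """Constructed header-only DEX (one map_list entry, no classes) with valid hashes."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)  # TYPE_HEADER_ITEM
    file_size = HEADER_SIZE + len(map_list)
    values = [file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, HEADER_SIZE]
    values += [0] * 12 + [len(map_list), HEADER_SIZE]
    tail = struct.pack("<20I", *values) + map_list
    signature = hashlib.sha1(tail).digest()                 # covers bytes [32:]
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # covers bytes [12:]
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail


def parse_dex_header(blob):
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n" or blob[7:8] != b"\0":
        raise ValueError("not a DEX header")
    header = {"version": blob[4:7].decode("ascii", "replace")}
    header["checksum"] = struct.unpack_from("<I", blob, 8)[0]
    header["signature"] = blob[12:32].hex()
    header.update(zip(FIELDS, struct.unpack_from("<20I", blob, 32)))
    return header


def verify_dex(blob):
    """Report structure, checksum and signature validity separately, plus image hashes."""
    h = parse_dex_header(blob)
    image = blob[:h["file_size"]]
    structure_ok = (h["version"] in KNOWN_VERSIONS and h["header_size"] == HEADER_SIZE
                    and h["endian_tag"] == ENDIAN_CONSTANT
                    and h["file_size"] >= HEADER_SIZE and len(image) == h["file_size"]
                    and h["map_off"] < h["file_size"])
    return {
        "structure_ok": structure_ok,
        "checksum_ok": (zlib.adler32(image[12:]) & 0xFFFFFFFF) == h["checksum"],
        "signature_ok": hashlib.sha1(image[32:]).hexdigest() == h["signature"],
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def carve_dex(region, base=0):
    """Locate structurally valid DEX images in a dump; base is the mapping's start address."""
    hits, pos = [], 0
    while True:
        pos = region.find(b"dex\n", pos)
        if pos == -1:
            return hits
        step = 4  # skip past a stray magic that does not lead a sane header
        try:
            h = parse_dex_header(region[pos:])
            result = verify_dex(region[pos:])
            if result["structure_ok"]:
                hits.append({"start": base + pos, "end": base + pos + h["file_size"], **result})
                step = h["file_size"]
        except ValueError:
            pass
        pos += step


if __name__ == "__main__":
    # With a path argument, carve a real dump; otherwise exercise the constructed image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    for hit in carve_dex(data, base=0xD2CAE000):
        print(hit)
```

Point the script at a region dumped from the process's memory map (the base address argument turns offsets back into the addresses the sandbox reports) and compare the printed sha256 with the Anonymous-DexFile hash above; a structurally valid image whose checksum or signature fails is the normal result for packer output and is still worth loading into a decompiler.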