Analysis

  • max time kernel
    119s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    23/12/2024, 22:09 UTC

General

  • Target

    d118bae3c4d5a0d3d1740b75d40e334d0c6114984420b5598797c4ef9f08c4f0.apk

  • Size

    4.2MB

  • MD5

    554de25b8124f49564919a1847818c8d

  • SHA1

    c8896951f7c10330e65e2232fcf51f92b675b1e0

  • SHA256

    d118bae3c4d5a0d3d1740b75d40e334d0c6114984420b5598797c4ef9f08c4f0

  • SHA512

    063181a436c0ce3ac2b38d723539bc0fdfa383ccef3d02a130de061a5d1f556f2e59fe53396c12a85317b5a7872fd6a38624d5f156b7fbf6dc2afd97ea619e9c

  • SSDEEP

    98304:JtPzEX/O8N+ee/e/6rN0LFuz6NIkd9WYGUZhKn4BjDUwu:7U28NZr2CFxIWkD4Bn4

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

Processes

  • snapshot.termux.testpen
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Checks CPU information
    • Checks memory information
    PID:4839

Network

  • flag-us
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    172.217.169.46
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    216.58.212.206
    youtube-ui.l.google.com
    IN A
    172.217.169.14
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    172.217.16.238
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.187.206
  • flag-us
    DNS
    cdn-icons-png.flaticon.com
    Remote address:
    1.1.1.1:53
    Request
    cdn-icons-png.flaticon.com
    IN A
    Response
    cdn-icons-png.flaticon.com
    IN CNAME
    flaticon.com.edgesuite.net
    flaticon.com.edgesuite.net
    IN CNAME
    a1990.dscd.akamai.net
    a1990.dscd.akamai.net
    IN A
    23.56.238.83
    a1990.dscd.akamai.net
    IN A
    23.56.238.64
  • flag-gb
    GET
    https://cdn-icons-png.flaticon.com/512/220/220603.png
    Remote address:
    23.56.238.83:443
    Request
    GET /512/220/220603.png HTTP/2.0
    host: cdn-icons-png.flaticon.com
    user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
    accept: image/webp,image/apng,image/*,*/*;q=0.8
    x-requested-with: snapshot.termux.testpen
    sec-fetch-site: cross-site
    sec-fetch-mode: no-cors
    sec-fetch-dest: image
    accept-encoding: gzip, deflate
    accept-language: en-US,en;q=0.9
    Response
    HTTP/2.0 200
    last-modified: Tue, 19 Sep 2023 00:50:21 GMT
    etag: "dee07b81185c74aba4d4861005df358e"
    x-goog-generation: 1695084621699420
    x-goog-metageneration: 1
    x-goog-stored-content-encoding: identity
    x-goog-stored-content-length: 34207
    x-amz-meta-goog-reserved-file-mtime: 1474280878
    x-amz-meta-x-goog-reserved-source-generation: 1634216453227194
    content-type: image/png
    x-amz-checksum-crc32c: uLmc1Q==
    accept-ranges: bytes
    content-length: 34207
    expires: Mon, 23 Dec 2024 22:10:03 GMT
    date: Mon, 23 Dec 2024 22:10:03 GMT
    vary: Accept-Encoding
    access-control-allow-origin: *
    pragma: public
    cache-control: public, max-age=31536000
    x-default-rule: YES
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.169.8
  • flag-us
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/pempeppepepep
    Remote address:
    149.154.167.99:443
    Request
    GET /pempeppepepep HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Mon, 23 Dec 2024 22:10:12 GMT
    content-type: text/html; charset=utf-8
    content-length: 4445
    set-cookie: stel_ssid=48693a5fb8ae865108_8023176698258441767; expires=Tue, 24 Dec 2024 22:10:12 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
  • flag-us
    DNS
    nabbealss.top
    Remote address:
    1.1.1.1:53
    Request
    nabbealss.top
    IN A
    Response
    nabbealss.top
    IN A
    172.67.169.232
    nabbealss.top
    IN A
    104.21.87.148
  • flag-us
    GET
    https://nabbealss.top/sk
    Remote address:
    172.67.169.232:443
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: k7oNHRLhUCV1MjQPdTHjvw==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: nabbealss.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 23 Dec 2024 22:10:13 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: X9zKaxpI6vui9Rrp8rBE0I1EaOU=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9uPn%2Fgp4As%2ByF%2BAfTcGZNMrInH8Gm6IxH9lmOh%2FbbbZRE2sNTFwUAQa8Xysudb2qUWD5K4j%2FgY6O%2FPMYiN2P2Gh%2FOY8kauRo2B%2FAEz6TxNBhziqZ8Tf7kT2dw5gq9724"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f6bae2fa8ae633d-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=29443&min_rtt=29225&rtt_var=8411&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3120&recv_bytes=853&delivery_rate=138019&cwnd=252&unsent_bytes=0&cid=119d5a57fa455235&ts=172&x=0"
  • 142.250.187.206:443
    www.youtube.com
    tls
    2.1kB
    8.3kB
    18
    15
  • 142.250.187.206:443
    www.youtube.com
    tls, https
    1.4kB
    40 B
    1
    1
  • 142.250.187.206:443
    android.apis.google.com
    tls
    2.6kB
    6.0kB
    13
    11
  • 142.250.187.206:443
    android.apis.google.com
    tls
    2.6kB
    6.1kB
    12
    11
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 23.56.238.83:443
    https://cdn-icons-png.flaticon.com/512/220/220603.png
    tls, http2
    3.1kB
    40.4kB
    39
    41

    HTTP Request

    GET https://cdn-icons-png.flaticon.com/512/220/220603.png

    HTTP Response

    200
  • 172.217.169.8:443
    ssl.google-analytics.com
    tls
    1.4kB
    6.3kB
    10
    9
  • 149.154.167.99:443
    https://t.me/pempeppepepep
    tls, http2
    1.7kB
    12.1kB
    17
    18

    HTTP Request

    GET https://t.me/pempeppepepep

    HTTP Response

    200
  • 172.67.169.232:443
    https://nabbealss.top/sk
    tls, http
    4.2kB
    7.2kB
    28
    29

    HTTP Request

    GET https://nabbealss.top/sk

    HTTP Response

    101
  • 172.217.16.238:443
    www.youtube.com
    tls
    135 B
    40 B
    2
    1
  • 142.250.187.225:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.32.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    319 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    142.250.187.206
    216.58.213.14
    216.58.201.110
    142.250.179.238
    172.217.169.46
    142.250.187.238
    142.250.200.14
    216.58.204.78
    142.250.200.46
    216.58.212.206
    172.217.169.14
    142.250.178.14
    142.250.180.14
    172.217.16.238

  • 142.250.187.206:443
    www.youtube.com
    https
    1.4kB
    54 B
    1
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.187.206

  • 1.1.1.1:53
    cdn-icons-png.flaticon.com
    dns
    72 B
    176 B
    1
    1

    DNS Request

    cdn-icons-png.flaticon.com

    DNS Response

    23.56.238.83
    23.56.238.64

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.169.8

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    nabbealss.top
    dns
    59 B
    91 B
    1
    1

    DNS Request

    nabbealss.top

    DNS Response

    172.67.169.232
    104.21.87.148
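
The Network section records the chain by which this sample reaches its real command channel. The app's WebView (User-Agent Mozilla/5.0 ... wv) only fetches an icon from flaticon; a separate okhttp/4.10.0 client fetches the Telegram channel page https://t.me/pempeppepepep that the extracted config lists under C2, and only after that does the sample resolve nabbealss.top and upgrade https://nabbealss.top/sk to a WebSocket (HTTP 101). A public messaging URL that is fetched by an HTTP library and followed by a connection to a domain that appears nowhere in the config is the dead-drop-resolver pattern: the Telegram page carries the live C2 address, and the WebSocket is the channel itself. The Python below is an added example, not part of the tria.ge report and not code from the sample: it expresses that pattern as detection logic over request records constructed from the lines above, and checks the WebSocket handshake with the Sec-WebSocket-Accept derivation from RFC 6455 so a completed upgrade can be told from a blocked one. The HttpRecord fields, the DEAD_DROP_HOSTS set and the finding names are this example's own choices.

```python
"""Detection pass over the HTTP records of an Android sandbox run.

Added example, not part of the tria.ge report. The RECORDS list is constructed
from the report's Network section (a subset of the headers). Header names are
normalised to lower case because the capture mixes HTTP/2 (lower-case) and
HTTP/1.1 (mixed-case) header spelling.
"""
import base64
import hashlib
import re
from dataclasses import dataclass, field

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455, section 1.3
# Public services a bot can poll for its live C2 address. The report's extracted
# config lists only t.me and icq.im URLs under "C2". Assumed list, not from tria.ge.
DEAD_DROP_HOSTS = {"t.me", "icq.im"}


@dataclass
class HttpRecord:
    url: str
    remote: str                      # ip:port the request went to
    status: int
    request: dict                    # request headers
    response: dict = field(default_factory=dict)


def lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def ws_accept(key):
    """Sec-WebSocket-Accept a compliant server returns for a client key (RFC 6455, 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_ws_upgrade(rec):
    req = lower_keys(rec.request)
    return req.get("upgrade", "").lower() == "websocket" and "sec-websocket-key" in req


def handshake_valid(rec):
    """True only when the server answered 101 with the accept value derived from our key."""
    req, resp = lower_keys(rec.request), lower_keys(rec.response)
    if rec.status != 101 or resp.get("upgrade", "").lower() != "websocket":
        return False
    return resp.get("sec-websocket-accept") == ws_accept(req.get("sec-websocket-key", ""))


def triage(records):
    """Return (findings, iocs). A finding is (kind, url, detail)."""
    findings, iocs = [], set()
    for rec in records:
        host = host_of(rec.url)
        ua = lower_keys(rec.request).get("user-agent", "")
        browser_like = ua.startswith("Mozilla/")
        if host in DEAD_DROP_HOSTS and not browser_like:
            # A messaging-service page fetched by an HTTP library rather than the
            # WebView is the bot looking up its C2, not the user browsing.
            findings.append(("dead-drop-resolver", rec.url, ua))
            iocs.add(rec.url)
        if is_ws_upgrade(rec):
            detail = "handshake completed" if handshake_valid(rec) else "handshake not completed"
            findings.append(("websocket-c2", rec.url, detail))
            iocs.update({host, rec.remote.split(":")[0]})
    return findings, sorted(iocs)


# Constructed from the report's Network section.
RECORDS = [
    HttpRecord("https://cdn-icons-png.flaticon.com/512/220/220603.png", "23.56.238.83:443", 200,
               {"user-agent": "Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) "
                              "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36",
                "x-requested-with": "snapshot.termux.testpen"},
               {"content-type": "image/png"}),
    HttpRecord("https://t.me/pempeppepepep", "149.154.167.99:443", 200,
               {"user-agent": "okhttp/4.10.0", "accept-encoding": "gzip"},
               {"content-type": "text/html; charset=utf-8"}),
    HttpRecord("https://nabbealss.top/sk", "172.67.169.232:443", 101,
               {"Upgrade": "websocket", "Connection": "Upgrade",
                "Sec-WebSocket-Key": "k7oNHRLhUCV1MjQPdTHjvw==", "Sec-WebSocket-Version": "13",
                "Host": "nabbealss.top", "User-Agent": "okhttp/4.10.0"},
               {"Connection": "upgrade", "upgrade": "websocket",
                "sec-websocket-accept": "X9zKaxpI6vui9Rrp8rBE0I1EaOU=", "Server": "cloudflare"}),
]

if __name__ == "__main__":
    found, indicators = triage(RECORDS)
    for kind, url, detail in found:
        print(f"{kind:20} {url}  ({detail})")
    print("IoCs:", ", ".join(indicators))
```

Treat the two rules as triage heuristics to be read together, not as stand-alone alerts: okhttp is the default HTTP stack of many legitimate apps and plenty of them open t.me links, and a WebSocket to a CDN-fronted domain is unremarkable on its own. It is the sequence (config-listed messaging URL fetched by a non-browser client, then an upgrade to a domain the config never names) that matches this run. The IoCs the pass emits are the dead-drop URL, the C2 domain and the address it resolved to; the Cloudflare IPs in the DNS answer belong to shared infrastructure and should be treated as short-lived.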

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/snapshot.termux.testpen/code_cache/secondary-dexes/tmp-base.apk.classes8147437771685919381.zip

    Filesize

    455KB

    MD5

    20870f226232b3b9225132eacf238e1a

    SHA1

    da54895f98182fee8f4d1edc27baf3b005c692c8

    SHA256

    6b5273583bef5856ad487e6af842efd7b632b2dce7382753b0be10a09e331f31

    SHA512

    3d754bdbd9ef574bea3692bcb96ff9451d34f41f75194f32cff519727575f419ed25a05e28a9d36d45a954ea5f07ffdbb2aba1d8d716d5e5cd60d7c471aafd1e

  • /data/user/0/snapshot.termux.testpen/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    88102547b7156f463282084ee8a682b2

    SHA1

    b8568851c1de0b9bc48846504b356761751df632

    SHA256

    3ac8042731096a2c7ab08e5b6e1683a24efa7a43aa495a0d838a0c2fd6587ee1

    SHA512

    81f2e21e9cc1f73cc6da8161418db9ed7b27032d7aaaa9cdc2060930d074c33257976f8db71ad478e197407dfc04f00856fa4065af4aa588017517014d0e5e5b
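
Both dropped files live in code_cache/secondary-dexes/ and are named base.apk.classes1.zip and tmp-base.apk.classes<random>.zip. That is the layout the MultiDex support library produces when it extracts classesN.dex from the installed APK into one zip container per dex (the tmp- file is its temporary write target before the rename), so the "Loads dropped Dex/Jar" signature above fires on any multidex app, malicious or not. What separates plain extraction from a payload that was downloaded or decrypted at run time is whether the DEX inside each container also exists as a classesN.dex inside the APK. The Python below is an added example, not tria.ge's signature logic and not code from the sample: it opens such a container, identifies entries by their DEX header rather than by file name, hashes them, and compares the hashes against a set of DEX hashes taken from the APK. The in-memory sample container and the APK hash set are constructed for the example; the paths are the ones listed above.

```python
"""Inspect a dropped secondary-dex container of the kind listed under Downloads.

Added example, not part of the tria.ge report. The container bytes and the APK
dex-hash set are constructed here so the script runs offline.
"""
import hashlib
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"     # followed by a three-digit version and a NUL, e.g. b"035\x00"
# Names the MultiDex support library writes under code_cache/secondary-dexes:
# the final base.apk.classesN.zip and its tmp-base.apk.classes<random>.zip temp file.
MULTIDEX_NAME = re.compile(r"(tmp-)?base\.apk\.classes\d+\.zip")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dex_version(data: bytes):
    """Return the DEX format version ('035', '037', ...) or None if there is no DEX header."""
    if len(data) < 0x70 or data[:4] != DEX_MAGIC or data[7:8] != b"\x00":
        return None                      # a DEX header is 0x70 bytes; anything shorter is not one
    version = data[4:7]
    return version.decode("ascii") if version.isdigit() else None


def inspect_container(blob: bytes, path: str) -> dict:
    """Describe a dropped zip: container hash, MultiDex-style naming, DEX entries inside."""
    name = path.rsplit("/", 1)[-1]
    report = {
        "path": path,
        "sha256": sha256(blob),
        "multidex_layout": "/code_cache/secondary-dexes/" in path
                           and MULTIDEX_NAME.fullmatch(name) is not None,
        "dex_entries": [],
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            data = z.read(info)
            version = dex_version(data)          # identify by header, not by .dex suffix
            if version is not None:
                report["dex_entries"].append({"name": info.filename, "dex_version": version,
                                              "size": len(data), "sha256": sha256(data)})
    return report


def classify(report: dict, apk_dex_hashes: set) -> str:
    """Extraction of the APK's own dex versus a dex that never shipped inside the APK."""
    if not report["dex_entries"]:
        return "no-dex"
    if all(e["sha256"] in apk_dex_hashes for e in report["dex_entries"]):
        return "multidex-extraction"     # byte-identical to a classesN.dex in the APK
    return "runtime-dropped-dex"         # downloaded or decrypted at run time


def build_sample_container(dex_bytes: bytes) -> bytes:
    """Constructed stand-in for base.apk.classes1.zip: a single classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


# Constructed minimal DEX: valid magic and version, the rest of the 0x70-byte header zeroed.
SAMPLE_DEX = DEX_MAGIC + b"035\x00" + b"\x00" * 0x68 + b"\x00" * 32
SAMPLE_PATH = "/data/user/0/snapshot.termux.testpen/code_cache/secondary-dexes/base.apk.classes1.zip"

if __name__ == "__main__":
    rep = inspect_container(build_sample_container(SAMPLE_DEX), SAMPLE_PATH)
    print(rep["path"], "multidex layout:", rep["multidex_layout"])
    for e in rep["dex_entries"]:
        print(f"  {e['name']} dex {e['dex_version']} {e['size']} bytes sha256={e['sha256']}")
    # With the APK's own dex hashes known, extraction and a dropped payload separate cleanly.
    print(classify(rep, {sha256(SAMPLE_DEX)}), "/", classify(rep, set()))
```

In practice the apk_dex_hashes set is built by hashing every classes*.dex entry of the submitted APK (the 4.2MB file above); if the extracted classes.dex in base.apk.classes1.zip matches one of them, the "dropped Dex" signature is describing MultiDex bookkeeping and the interesting behaviour is elsewhere (the accessibility, clipboard and WebSocket activity above). If it matches none, the container holds code that was not in the APK at submission time and is the artefact to unpack next.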
