tanglebot | base[.]apk

General

Target

base.apk
Size

2.1MB
MD5

546f45d13c9fec7c6f868758f698de38
SHA1

8e7667971fd60f3973713f14ad12d809dbeb718f
SHA256

be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc
SHA512

1df39b5a44e7ba8f4c3adf75c399752d9d4e533d3d1dac7039b45bd48230c39f4e1024d4b356e1b05d8b901467690adb10582b740e7821eaad49b51bbeb480d9
SSDEEP

49152:HVcdmzfrsVxjjx1Il4UwIfoCW6Zg28g00AD3Lt5nTKE0C:HJzfrsfjDUwIvW6l0tbtjl

Score

10^/10

tanglebot

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/anbsh26

https://t.me/anbshaa

https://t.me/anbshbb

Signatures

TangleBot payload 1 IoCs

resource	yara_rule
sample	family_tanglebot2

Tanglebot family
tanglebot
Attempts to obfuscate APK file format
Applies obfuscation techniques to the APK format in order to hinder analysis

Declares services with permission to bind to the system 1 IoCs

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE

Requests dangerous framework permissions 5 IoCs

description	ioc
Allows an app to post notifications.	android.permission.POST_NOTIFICATIONS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to record audio.	android.permission.RECORD_AUDIO
Required to be able to access the camera device.	android.permission.CAMERA
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

Files

base.apk
.apk android

la.lasecurity.trbanking

la.lasecurity.trbanking.MainActivity

Activities

la.lasecurity.trbanking.MainActivity

android.intent.action.MAIN

Permissions

android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.QUERY_ALL_PACKAGES
android.permission.REQUEST_DELETE_PACKAGES
android.permission.FOREGROUND_SERVICE
android.permission.READ_PHONE_STATE
android.permission.RECORD_AUDIO
android.permission.CAMERA
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK
android.permission.SYSTEM_ALERT_WINDOW

Receivers

la.lasecurity.trbanking.Receiver.ScreenReceiver

android.intent.action.USER_PRESENT
android.intent.action.SCREEN_ON
android.intent.action.SCREEN_OFF

la.lasecurity.trbanking.Service.InstallerRestarterService

restartinstallerservice

Services

la.lasecurity.trbanking.Service.AccessibilityControllerService

android.accessibilityservice.AccessibilityService

Android Permissions

base.apk

Permissions

android.permission.INTERNET

android.permission.POST_NOTIFICATIONS

android.permission.QUERY_ALL_PACKAGES

android.permission.REQUEST_DELETE_PACKAGES

android.permission.FOREGROUND_SERVICE

android.permission.READ_PHONE_STATE

android.permission.RECORD_AUDIO

android.permission.CAMERA

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

android.permission.WAKE_LOCK

android.permission.SYSTEM_ALERT_WINDOW

Sharing

General

Malware Config

Extracted

Signatures

Files

la.lasecurity.trbanking

la.lasecurity.trbanking.MainActivity

Activities

la.lasecurity.trbanking.MainActivity

Permissions

Receivers

la.lasecurity.trbanking.Receiver.ScreenReceiver

la.lasecurity.trbanking.Service.InstallerRestarterService

Services

la.lasecurity.trbanking.Service.AccessibilityControllerService

Android Permissions

base.apk