Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
47s -
max time network
141s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system -
submitted
10/01/2025, 03:54 UTC
Behavioral task
behavioral1
Sample
be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc.apk
-
Size
2.1MB
-
MD5
546f45d13c9fec7c6f868758f698de38
-
SHA1
8e7667971fd60f3973713f14ad12d809dbeb718f
-
SHA256
be512e871fc1871314794ea0e83f70ebe6cd9e537883aca6ca41440b3032dbfc
-
SHA512
1df39b5a44e7ba8f4c3adf75c399752d9d4e533d3d1dac7039b45bd48230c39f4e1024d4b356e1b05d8b901467690adb10582b740e7821eaad49b51bbeb480d9
-
SSDEEP
49152:HVcdmzfrsVxjjx1Il4UwIfoCW6Zg28g00AD3Lt5nTKE0C:HJzfrsfjDUwIvW6l0tbtjl
Malware Config
Signatures
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText la.lasecurity.trbanking Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId la.lasecurity.trbanking Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId la.lasecurity.trbanking -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener la.lasecurity.trbanking -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction la.lasecurity.trbanking -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS la.lasecurity.trbanking -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo la.lasecurity.trbanking -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo la.lasecurity.trbanking
Processes
-
la.lasecurity.trbanking1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Checks CPU information
- Checks memory information
PID:4626
Network
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.187.206
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A216.58.213.8
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN A
-
Remote address:1.1.1.1:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /anbsh26 HTTP/2.0
host: t.me
accept-encoding: gzip
user-agent: okhttp/4.10.0
ResponseHTTP/2.0 200
date: Fri, 10 Jan 2025 03:55:04 GMT
content-type: text/html; charset=utf-8
content-length: 4463
set-cookie: stel_ssid=31c0ef8e6d74cc490d_11370631715155154397; expires=Sat, 11 Jan 2025 03:55:04 GMT; path=/; samesite=None; secure; HttpOnly
pragma: no-cache
cache-control: no-store
x-frame-options: ALLOW-FROM https://web.telegram.org
content-security-policy: frame-ancestors https://web.telegram.org
content-encoding: gzip
strict-transport-security: max-age=35768000
-
Remote address:1.1.1.1:53Requesttonymayisayininfilancagunu.infoIN AResponsetonymayisayininfilancagunu.infoIN A172.67.138.198tonymayisayininfilancagunu.infoIN A104.21.70.187
-
Remote address:172.67.138.198:443RequestGET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: 4TNfnDvqp4pYhxGTjkUZmg==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: tonymayisayininfilancagunu.info
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
upgrade: websocket
sec-websocket-accept: MPG5jnDOzXyNxjdzC1I+8i9IcnU=
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOHLmYsUza2RUFuSIgl2RfqNZYK9gpDWknG2c1PnObDwnRhnmhBMrvbWqgw1IU%2Fo9P3atFYTNBqd94Shn5tP6zvZEV1Do57MQgHmyIFYOm2DaZ0M4bVphvMvWarhwv8n6waafkuwFFJSHap8MLrScBiS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ff9babe3f1fecfd-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47517&min_rtt=47397&rtt_var=13541&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3170&recv_bytes=871&delivery_rate=84171&cwnd=252&unsent_bytes=0&cid=5789a6f9f8261c7b&ts=242&x=0"
-
1.5kB 40 B 1 1
-
1.5kB 40 B 1 1
-
4.9kB 8.1kB 22 20
-
1.5kB 6.9kB 11 9
-
1.8kB 12.2kB 17 19
HTTP Request
GET https://t.me/anbsh26HTTP Response
200 -
4.2kB 7.1kB 28 28
HTTP Request
GET https://tonymayisayininfilancagunu.info/skHTTP Response
101 -
937 B 40 B 3 1
-
13.8kB 12.1kB 30 34
-
3.7kB 11
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
142.250.187.206
-
140 B 86 B 2 1
DNS Request
ssl.google-analytics.com
DNS Request
ssl.google-analytics.com
DNS Response
216.58.213.8
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
77 B 109 B 1 1
DNS Request
tonymayisayininfilancagunu.info
DNS Response
172.67.138.198104.21.70.187
MITRE ATT&CK Mobile v15
Defense Evasion
Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
1