Overview

overview

10

Static

static

6

84b94edbf7...5a.apk

android-9-x86

10

84b94edbf7...5a.apk

android-10-x64

10

84b94edbf7...5a.apk

android-11-x64

10

dixeda.apk

android-9-x86

10

dixeda.apk

android-10-x64

10

dixeda.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    84b94edbf79d057dbbdc9f8c009d5d175464f0a069bf4c1e9df1b07cc245d15a.apk

  • Size

    9.4MB

  • Sample

    250127-ez63rssjfn

  • MD5

    24f5c73f3b6b11a16b8f3baec8b31cd2

  • SHA1

    b661d37d7b0158496358110f398c9f0b0cfff038

  • SHA256

    84b94edbf79d057dbbdc9f8c009d5d175464f0a069bf4c1e9df1b07cc245d15a

  • SHA512

    a813f7fc59a14cf9cd6b5d03e85b1bc0a892cf4417a8590e581113377aeae94a73bb015d90ed48d488b34f1efac197b56410fdff1514643480076cad438ff0d5

  • SSDEEP

    196608:C4ok0P0wxlIF7TSyxxOHKNx3ajHE9Jig4RQ+KT46a2P:1TL9VOq3nig4R2T4Q

Score
10/10
antidotandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Targets

    • Target

      84b94edbf79d057dbbdc9f8c009d5d175464f0a069bf4c1e9df1b07cc245d15a.apk

    • Size

      9.4MB

    • MD5

      24f5c73f3b6b11a16b8f3baec8b31cd2

    • SHA1

      b661d37d7b0158496358110f398c9f0b0cfff038

    • SHA256

      84b94edbf79d057dbbdc9f8c009d5d175464f0a069bf4c1e9df1b07cc245d15a

    • SHA512

      a813f7fc59a14cf9cd6b5d03e85b1bc0a892cf4417a8590e581113377aeae94a73bb015d90ed48d488b34f1efac197b56410fdff1514643480076cad438ff0d5

    • SSDEEP

      196608:C4ok0P0wxlIF7TSyxxOHKNx3ajHE9Jig4RQ+KT46a2P:1TL9VOq3nig4R2T4Q

    Score
    10/10
    antidotbankerdiscoveryevasionexecutioninfostealerpersistencetrojancollectioncredential_accessdefense_evasionimpact

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Checks the application is allowed to request package installs through the package installer

      Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

      defense_evasion

    • Queries the mobile country code (MCC)

      discovery
    behavioral1behavioral2behavioral3

    • Target

      dixeda

    • Size

      10.3MB

    • MD5

      8a9243247c1dfa0b249fae01f49b69a7

    • SHA1

      c54366269d767717029e642081e63d2f1d9c630d

    • SHA256

      c38e6e24e5a311958664492cdf5af99f8eadad21cb8aae07360a27cc044b293c

    • SHA512

      a75c912eedc64c213d9c45a04af13e8c61eb6236616edca7e30c1dfa4dee42f6d405182a2027e0ffa821daf33d517f4693dea2eb349fdef7686f3d0a894c56d1

    • SSDEEP

      196608:u9ecLSEPZI5mKfyGNUc/FXIvQwrKOYErSs2:MtaxfyGNUc/FYvQwrprSR

    Score
    10/10
    antidotbankerdefense_evasiondiscoveryevasionexecutioninfostealerpersistencetrojancollectioncredential_accessimpact

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion

    • Requests modifying system settings.

      defense_evasion

    • Requests uninstalling the application.

      defense_evasion
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Indicator Removal on Host

1
T1630

Uninstall Malicious Application

1
T1630.001

Input Injection

1
T1516

Subvert Trust Controls

1
T1632

Code Signing Policy Modification

1
T1632.001

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks