Overview

overview

10

Static

static

6

e4cfd6fc03...8e.apk

android-9-x86

10

e4cfd6fc03...8e.apk

android-10-x64

10

e4cfd6fc03...8e.apk

android-11-x64

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    31/01/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4cfd6fc03feee2e8b6e687068cc8430f2c2d3f055f4e69a91c6f83605da128e.apk

  • Size

    2.2MB

  • MD5

    dcbb515f5cb46f88305c943bed265fba

  • SHA1

    b65450ef390d23ca3796962da1e2f6c8441395d3

  • SHA256

    e4cfd6fc03feee2e8b6e687068cc8430f2c2d3f055f4e69a91c6f83605da128e

  • SHA512

    57560f2b96e706efc46ffbec4deb552cc8b5df6755de91d2d465196e18e16f6058603efaa8c563f7b64338b703ad1c272e5da73fcfc87afbaf47aac1d497e8d9

  • SSDEEP

    49152:88SFlgBMebdvOy+CSlNaFloWNmY3NNKvGvb8A5R9:88SMBMI2yRSlIFloWN93fz8AF

Score
10/10
teabotbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencetrojan

Malware Config

Signatures

  • TeaBot

    TeaBot is an android banker first seen in January 2021.

    bankertrojaninfostealerteabot
  • TeaBot payload 1 IoCs
  • Teabot family
    teabot
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Acquires the wake lock 1 IoCs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • purple.haze.outs
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4968

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/purple.haze.outs/app_apkprotector_dex/classes-v1.bin
    Filesize

    716KB

    MD5

    20b48fc67169ed72dfb374a5362e98a8

    SHA1

    68a79ef09a19ce7814c0773ff0f987aeb435ab4b

    SHA256

    15db7567c747708f3aec8bd08bfec5cda211fdc29c69650a542ee3d211395e5b

    SHA512

    426dc5dc827931604573056bd6736dd06a3470aea96772a5a13e926168d80807e1fd16a67adb29c839a43e2dc5fd487b0f484c69c4dd9e48c0b05c084ee98d59

    Download Submit