Overview

overview

10

Static

static

6

c1642ac3f7...f2.apk

android-10-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2.bin

  • Size

    8.0MB

  • Sample

    250220-mhntvssrdp

  • MD5

    3f48894f35ac3b44b690ef0409c7cfdf

  • SHA1

    3e32f45f51991acfd84fb05cc7552efd5de9168d

  • SHA256

    c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2

  • SHA512

    76c044b38fa3278461334e38a89cb0f40d616d3a96991ab1b401f5403af1efa4c0f8ca77ff76c34991c93d8810430d5cc5d0332f05bb8a962fcd175309bfbf2c

  • SSDEEP

    196608:xRb8dUE211BgkvytX2NoYEn7TWPjv5yNPohG4I3FfQRg/sgJZ/M2j9nMO:X/19UGSYGTAB2P+G4I3ZXsgdBMO

Score
10/10
sovaandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Targets

    • Target

      c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2.bin

    • Size

      8.0MB

    • MD5

      3f48894f35ac3b44b690ef0409c7cfdf

    • SHA1

      3e32f45f51991acfd84fb05cc7552efd5de9168d

    • SHA256

      c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2

    • SHA512

      76c044b38fa3278461334e38a89cb0f40d616d3a96991ab1b401f5403af1efa4c0f8ca77ff76c34991c93d8810430d5cc5d0332f05bb8a962fcd175309bfbf2c

    • SSDEEP

      196608:xRb8dUE211BgkvytX2NoYEn7TWPjv5yNPohG4I3FfQRg/sgJZ/M2j9nMO:X/19UGSYGTAB2P+G4I3ZXsgdBMO

    Score
    10/10
    sovabankercollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistencestealthtrojan

    • SOVA_v3 payload

    • Sova

      Android banker first seen in July 2021.

      bankertrojaninfostealersova

    • Sova family

      sova

    • Checks if the Android device is rooted.

      defense_evasion

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Acquires the wake lock

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Queries information about active data network

      discovery
    behavioral1

MITRE ATT&CK Mobile v15

Tasks