Analysis

  • max time kernel
    31s
  • max time network
    53s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    20/02/2025, 10:28

General

  • Target

    c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2.apk

  • Size

    8.0MB

  • MD5

    3f48894f35ac3b44b690ef0409c7cfdf

  • SHA1

    3e32f45f51991acfd84fb05cc7552efd5de9168d

  • SHA256

    c1642ac3f729701223043b16ac2c6c5f64adc7080f474c181067b0f1335218f2

  • SHA512

    76c044b38fa3278461334e38a89cb0f40d616d3a96991ab1b401f5403af1efa4c0f8ca77ff76c34991c93d8810430d5cc5d0332f05bb8a962fcd175309bfbf2c

  • SSDEEP

    196608:xRb8dUE211BgkvytX2NoYEn7TWPjv5yNPohG4I3FfQRg/sgJZ/M2j9nMO:X/19UGSYGTAB2P+G4I3ZXsgdBMO

Malware Config

Signatures

  • SOVA_v3 payload 1 IoCs
  • Sova

    Android banker first seen in July 2021.

  • Sova family
  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.nslah.ieg.tzzi.hkb
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4960

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nslah.ieg.tzzi.hkb/tlxgrlmele/cydmjfsqtafelpu/tmp-base.apk.vxldnny8874773447819124128.zpi

    Filesize

    3.9MB

    MD5

    81fc9560af6c3c2db3795265242da4f2

    SHA1

    dad907b19c86f645ffc924acdc18bcb81c2e2d19

    SHA256

    d692cb0d0fb1a7eb7efd572242523049141bdc9ec8191b61aca407af4af548d3

    SHA512

    174bf386163200e566b875a3708e7ed4331fbd59057124461d4563c24bf2a566404f5b9ded7a2cb6093f4ba279adcacd2c677cde221634d457dc7c9136880084

  • /data/user/0/com.nslah.ieg.tzzi.hkb/tlxgrlmele/cydmjfsqtafelpu/base.apk.vxldnny1.zpi

    Filesize

    10.3MB

    MD5

    9a48561b2f454026003254b3e3596c58

    SHA1

    81fbf9abddbc5c724d8aa023df9b6595bfde5d7b

    SHA256

    f1666d38a629aad571a9d93429d276845f4d2d524d70b2d9e526156def2ab319

    SHA512

    8dab4127e7693ed8012bd08bbeaea440508fd62f10b25643a722eb74f9527a772c5d142efaa7d772c765bea79303a91e51babdc0d91c653c29016272dc08669a