Malware Analysis Report

2025-04-03 14:15

Sample ID 250227-kfpx2a11fw
Target 1de66d214f6e9b8fbf35b5b6b6ceaa77).apk
SHA256 20f4e7959e383c8fed871769293f3a2b3e629b5e6a380a8329c7fc704c301b57
Tags
bingomod collection credential_access defense_evasion discovery evasion infostealer persistence rat trojan impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20f4e7959e383c8fed871769293f3a2b3e629b5e6a380a8329c7fc704c301b57

Threat Level: Known bad

The file 1de66d214f6e9b8fbf35b5b6b6ceaa77).apk was found to be: Known bad.

Malicious Activity Summary

bingomod collection credential_access defense_evasion discovery evasion infostealer persistence rat trojan impact

Bingomod family

BingoMod

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Requests exemption from battery optimizations (commonly used to stay running in the background).

Requests permission to modify system settings.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests permission to install additional applications from unknown sources.

Queries the mobile country code (MCC) (the observed call returns the ISO country code of the current network operator rather than the numeric MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 08:32

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process / Target: N/A

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process / Target: N/A

Requests dangerous framework permissions

Indicator and description (Process and Target: N/A for all rows)

android.permission.READ_SMS
  Allows an application to read SMS messages.
android.permission.SEND_SMS
  Allows an application to send SMS messages.
android.permission.RECEIVE_SMS
  Allows an application to receive SMS messages.
android.permission.RECEIVE_MMS
  Allows an application to monitor incoming MMS messages.
android.permission.POST_NOTIFICATIONS
  Allows an app to post notifications.
android.permission.READ_PHONE_STATE
  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.REQUEST_INSTALL_PACKAGES
  Allows an application to request installing packages.
android.permission.WRITE_SETTINGS
  Allows an application to read or write the system settings.
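The permission set above is what a static triage script should key on, and it mixes three grant models that the sandbox lists under one heading: runtime ("dangerous") permissions granted through a prompt, special-access permissions that are only granted on a Settings screen (REQUEST_INSTALL_PACKAGES, WRITE_SETTINGS; the MANAGE_UNKNOWN_APP_SOURCES and MANAGE_WRITE_SETTINGS intents in the behavioral runs are the app steering the user there), and system-only bind permissions on components, which identify an accessibility service or a device-admin receiver. The script below is an added example, not part of the sandbox report or the BingoMod sample; the embedded manifest is constructed to mirror the permissions listed above, and its package and component names are invented. A real APK carries a binary manifest, so decode it first (for example with apktool d) and pass the resulting text to triage_manifest().

```python
"""Static permission triage for a decoded AndroidManifest.xml.

Added example; not part of the sandbox report or the BingoMod sample.
SAMPLE_MANIFEST is constructed to mirror the permissions in the static1
section; its package and component names are invented.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualified name for an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Runtime ("dangerous") permissions: granted through a runtime prompt.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.POST_NOTIFICATIONS",
}
# Special-access permissions: granted only on a Settings screen the app
# has to send the user to (MANAGE_UNKNOWN_APP_SOURCES, MANAGE_WRITE_SETTINGS).
SPECIAL_ACCESS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.WRITE_SETTINGS",
}
# Bind permissions only the system holds; a component that requires one
# is an accessibility service or a device-admin receiver.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.invented.pkg">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Split the requested permissions by grant model and list the
    components that require a system-only bind permission."""
    root = ET.fromstring(xml_text)
    requested = {e.get(attr("name")) for e in root.iter("uses-permission")}
    bound = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            kind = BIND_PERMS.get(comp.get(attr("permission")))
            if kind:
                bound.append((tag, comp.get(attr("name")), kind))
    kinds = {kind for _, _, kind in bound}
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "special_access": sorted(requested & SPECIAL_ACCESS),
        "system_bound_components": bound,
        # The pairing that turns an SMS stealer into an account-takeover tool:
        # OTP interception plus UI automation through the accessibility API.
        "sms_plus_accessibility": (
            bool(requested & {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS"})
            and "accessibility service" in kinds
        ),
        "sideload_capable": "android.permission.REQUEST_INSTALL_PACKAGES" in requested,
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The sms_plus_accessibility flag is the combination worth alerting on by itself: READ_SMS/RECEIVE_SMS alone is common in legitimate messaging apps, and an accessibility service alone is common in assistive apps, but a banking-themed APK that declares both together matches the profile of this family.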

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

p2ee4f5a9.pf820cf11.p03fabf60

Signatures

BingoMod

trojan infostealer rat bingomod

Bingomod family

bingomod

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (no description recorded)

Queries the mobile country code (MCC) (the call returns the ISO country code of the current network operator rather than the numeric MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests permission to install additional applications from unknown sources

Tags: defense_evasion
Intent action: android.settings.MANAGE_UNKNOWN_APP_SOURCES

Requests exemption from battery optimizations (commonly used to stay running in the background)

Tags: defense_evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests permission to modify system settings

Tags: defense_evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo
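The three intent actions above are requests, not grants: whether the user actually enabled the accessibility service, exempted the app from battery optimization, or allowed installs from unknown sources is only visible on the device. The script below is an added example, not part of the sandbox report, of the follow-up checks to run over adb on a device suspected of running this sample (the device-admin check is there because of the BIND_DEVICE_ADMIN receiver in the static analysis). It parses the output of settings get secure enabled_accessibility_services, dumpsys deviceidle whitelist, dumpsys device_policy and appops get <pkg> REQUEST_INSTALL_PACKAGES. The SAMPLE_* strings are constructed stand-ins for that output, the layouts are as I know them from recent Android builds and should be re-checked on the target build, the package name is taken from the command line above, and TRUSTED_A11Y is a placeholder allowlist.

```python
"""Device-side follow-up checks for the settings this sample asks the user to grant.

Added example; not part of the sandbox report. Each SAMPLE_* string is a
constructed stand-in for the output of the adb command named above it;
the layouts are as I know them from recent Android builds and should be
re-checked on the target build. TRUSTED_A11Y is a placeholder allowlist.
"""
import re

# Package name from the behavioral1 command line.
PKG = "p2ee4f5a9.pf820cf11.p03fabf60"

# adb shell settings get secure enabled_accessibility_services
# Colon-separated "package/service" entries; "null" when none are enabled.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "p2ee4f5a9.pf820cf11.p03fabf60/p2ee4f5a9.pf820cf11.p03fabf60.AccessService"
)
# adb shell dumpsys deviceidle whitelist
# "<type>,<package>,<uid>"; type "user" covers exemptions granted through the
# REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dialog.
SAMPLE_DEVICEIDLE = """\
system,com.android.vending,10111
system,com.google.android.gms,10042
user,p2ee4f5a9.pf820cf11.p03fabf60,10217
"""
# adb shell dumpsys device_policy
# Active admins are listed as ComponentInfo{package/class}.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{p2ee4f5a9.pf820cf11.p03fabf60/p2ee4f5a9.pf820cf11.p03fabf60.AdminReceiver}:
      uid=10217
"""
# adb shell appops get p2ee4f5a9.pf820cf11.p03fabf60 REQUEST_INSTALL_PACKAGES
SAMPLE_APPOPS = "REQUEST_INSTALL_PACKAGES: allow; time=+3m12s ago\n"

TRUSTED_A11Y = {"com.google.android.marvin.talkback"}  # placeholder allowlist


def accessibility_services(out: str) -> list:
    """(package, service) pairs from enabled_accessibility_services."""
    out = out.strip()
    if not out or out == "null":
        return []
    return [tuple(e.split("/", 1)) for e in out.split(":") if "/" in e]


def battery_exempt_user_packages(out: str) -> set:
    """Packages with a user-level Doze/battery-optimization exemption."""
    pkgs = set()
    for line in out.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def device_admins(out: str) -> set:
    """Packages that own an active device-admin component."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/", out))


def can_install_unknown(out: str) -> bool:
    """True when the REQUEST_INSTALL_PACKAGES app-op is set to allow."""
    m = re.search(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)", out)
    return bool(m) and m.group(1) == "allow"


def triage(pkg: str, a11y_out: str, deviceidle_out: str,
           policy_out: str, appops_out: str) -> dict:
    """One verdict per setting the sample requested; True means it got it."""
    a11y_pkgs = {p for p, _ in accessibility_services(a11y_out)}
    return {
        "accessibility_enabled": pkg in a11y_pkgs,
        "untrusted_accessibility": sorted(a11y_pkgs - TRUSTED_A11Y),
        "battery_optimization_exempt": pkg in battery_exempt_user_packages(deviceidle_out),
        "device_admin": pkg in device_admins(policy_out),
        "install_unknown_apps": can_install_unknown(appops_out),
    }


if __name__ == "__main__":
    for k, v in triage(PKG, SAMPLE_A11Y, SAMPLE_DEVICEIDLE,
                       SAMPLE_DEVICE_POLICY, SAMPLE_APPOPS).items():
        print(f"{k}: {v}")
```

If device_admin comes back True, a plain adb uninstall of the package will be refused until the admin is deactivated (adb shell dpm remove-active-admin <package>/<class>); an enabled accessibility service is also what lets the sample dismiss or auto-confirm the uninstall dialog, so disable it first.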

Processes

p2ee4f5a9.pf820cf11.p03fabf60

/system/bin/ping -c 1 -W 5 104.24.181.7 (26 identical invocations: one echo request each, 5-second response wait)

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
GB 142.250.180.10:443 - tcp
AU 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
GB 216.58.201.110:443 - tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:8055 23.254.227.242 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

p2ee4f5a9.pf820cf11.p03fabf60

Signatures

BingoMod

trojan infostealer rat bingomod

Bingomod family

bingomod

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (no description recorded)

Queries the mobile country code (MCC) (the call returns the ISO country code of the current network operator rather than the numeric MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

p2ee4f5a9.pf820cf11.p03fabf60

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
N/A 224.0.0.251:5353 - udp
AU 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
GB 142.250.179.238:443 - tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
AU 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.36:443 - tcp
GB 142.250.200.36:443 - tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
GB 172.217.16.238:443 - tcp
GB 216.58.204.66:443 - tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
NL 23.254.227.242:8055 23.254.227.242 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x64-arm64-20240624-en

Max time kernel

32s

Max time network

132s

Command Line

p2ee4f5a9.pf820cf11.p03fabf60

Signatures

BingoMod

trojan infostealer rat bingomod

Bingomod family

bingomod

Process and Target are N/A for every indicator in this run.

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Requests permission to install additional applications from unknown sources

Tags: defense_evasion
Intent action: android.settings.MANAGE_UNKNOWN_APP_SOURCES

Requests exemption from battery optimizations (commonly used to stay running in the background)

Tags: defense_evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests permission to modify system settings

Tags: defense_evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

p2ee4f5a9.pf820cf11.p03fabf60

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
GB 216.58.212.238:443 - tcp
GB 216.58.212.238:443 - tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 - udp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
AU 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 - tcp
GB 142.250.187.228:443 - tcp
GB 142.250.187.228:443 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 - tcp
NL 23.254.227.242:13500 - tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x86-arm-20240910-en

Max time kernel

45s

Max time network

153s

Command Line

com.banco.bnl

Signatures

N/A

Processes

com.banco.bnl

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
N/A 224.0.0.251:5353 - udp
GB 142.250.187.238:443 - tcp
GB 142.250.187.238:443 - tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.213.10:443 - tcp
GB 142.250.200.2:443 - tcp
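Across the six runs the network tables split into two groups: background traffic from the sandbox image itself (Google API hosts reached through DNS lookups at 1.1.1.1, mDNS to 224.0.0.251), which appears in every run, and repeated raw-IP connections to 23.254.227.242 on ports 13500 and 8055 with no DNS lookup in front of them, which appear only in the runs where the p2ee4f5a9.pf820cf11.p03fabf60 package ran. The script below is an added example, not part of the report, that applies that split to the rows and turns what remains into Suricata rules. The row text is copied from the behavioral1 and behavioral4 tables so the script runs offline; the benign prefix list, domain suffixes and sid range are assumptions to adjust before deployment (verify the prefixes against whois for your own captures).

```python
"""Extract candidate C2 indicators from sandbox network tables.

Added example; not part of the sandbox report. ROWS_* are copied from the
report's behavioral1 and behavioral4 tables. BENIGN_PREFIXES,
BENIGN_DOMAIN_SUFFIXES and SID_BASE are assumptions for this example.
"""
from collections import Counter
import ipaddress

ROWS_BEHAVIORAL1 = """\
GB 142.250.180.10:443 tcp
AU 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 23.254.227.242:13500 tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:13500 tcp
NL 23.254.227.242:13500 tcp
GB 216.58.201.110:443 tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
NL 23.254.227.242:8055 23.254.227.242 tcp
"""
ROWS_BEHAVIORAL4 = """\
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
GB 142.250.200.2:443 tcp
"""

# Traffic the sandbox image generates on its own (assumed allowlist; the
# Google prefixes cover the addresses in the rows above, check with whois).
BENIGN_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("142.250.0.0/15", "216.58.192.0/19", "172.217.0.0/16")]
BENIGN_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
SID_BASE = 9_000_000  # placeholder local sid range


def parse_rows(text: str) -> list:
    """Rows carry 3 or 4 fields: country, ip:port, optional domain, proto."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        ip, port = f[1].rsplit(":", 1)
        domain = f[2] if len(f) == 4 else None
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": f[-1]})
    return rows


def is_benign(row: dict) -> bool:
    """Resolver, mDNS and allowlisted platform traffic."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or (row["port"] == 53 and row["proto"] == "udp"):
        return True
    if row["domain"] and row["domain"].endswith(BENIGN_DOMAIN_SUFFIXES):
        return True
    return any(ip in net for net in BENIGN_PREFIXES)


def candidate_c2(rows: list) -> list:
    """(ip, port, proto) -> contact count, most-contacted first, after
    dropping sandbox noise. A raw IP hit repeatedly on a non-standard port
    with no domain in the Domain column is the pattern in this report."""
    c = Counter((r["ip"], r["port"], r["proto"]) for r in rows if not is_benign(r))
    return sorted(c.items(), key=lambda kv: -kv[1])


def suricata_rules(candidates: list, family: str = "BingoMod") -> list:
    """One alert rule per candidate endpoint, sid allocated from SID_BASE."""
    rules = []
    for i, ((ip, port, proto), n) in enumerate(candidates):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 contact ({n}x in sandbox)"; flow:to_server; '
            f'sid:{SID_BASE + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for name, text in (("behavioral1", ROWS_BEHAVIORAL1), ("behavioral4", ROWS_BEHAVIORAL4)):
        cands = candidate_c2(parse_rows(text))
        print(name, cands or "no candidates")
        for rule in suricata_rules(cands):
            print("  ", rule)
```

The behavioral4 rows yield nothing, which matches the empty Signatures section of that run: the package started there was com.banco.bnl and no C2 contact was recorded. Treat a per-IP rule as a short-lived indicator; the host at 23.254.227.242 can be re-pointed cheaply, so the durable detection is the behaviour (repeated outbound connections to a raw IP on 13500/8055 from a freshly sideloaded app), not the address.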

Files

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 a625c2b0ff12bd941a78835bcda5e8cf
SHA1 c5aeb1c75e01e01a7fe50ee6636551efcbd2889c
SHA256 2ddee360aee66470e067607ffc31b7b704c8db6d3953f6f4f1402b1508f37991
SHA512 a0e48cd608f7545af5493d4b1b3516c5d314b34ac16b2a96621ffe04325f56b5badbbebb71fee3b17f1a17e4b6bd2d0fb9db72ea9ed23154d73d7788fa0dc878

/data/data/com.banco.bnl/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 2b906e5de6d33bf0fa0d8ce792ece963
SHA1 14ac86426a22b6b656845c39195019823ab0302f
SHA256 1277ae95af9ddea8219be04e996462d5ee03a6974fc9bdbcbce4d01e9c14d0a6
SHA512 13030d4abb342331c111377a1cf27b76ca05aca2a6a41be75b2aae84925cba81a07daea334961bac9c75c7b3532a5a533e2fd9d520fa2ae8973ebf76251f9a52

/data/data/com.banco.bnl/files/profileInstalled

MD5 601d0551d175f5cd5b02f10472bfb7b3
SHA1 86903a0963ad4920ac544a880416816d9b9afa8d
SHA256 1eedd64c083a28458df1d60aa70bac4236723e05266612ab99aac0cbdddcdb37
SHA512 ae349ec28e017db081d59044f2c85c3a189c4f3a36d8250592962ce5044c6663e271c448eb7c526d1710bcce26851984cad623dc85f358fe6dd8cffacceb7dc9

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 0680489f8561160e7cb307364674ae1e
SHA1 f36d6eb9eab5175a81c09714cbb77bcf3f011a44
SHA256 9bea7216fcccb46f9317d89cf8766d3149ee8fd6c1785c47fee689d60f0ce04f
SHA512 b3101505f8b068fff2a4ae4f66c491b2216f9f3548b1a0a3f3b7580915ebcd2b18644dc8c2a5726699e95e2b7ff7a33a875fc35e33e430e02ab70d65a14a0df7

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x64-20240910-en

Max time kernel

45s

Max time network

159s

Command Line

com.banco.bnl

Signatures

N/A

Processes

com.banco.bnl

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
GB 142.250.180.10:443 - tcp
N/A 224.0.0.251:5353 - udp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.187.234:443 - tcp
AU 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp

Files

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 a625c2b0ff12bd941a78835bcda5e8cf
SHA1 c5aeb1c75e01e01a7fe50ee6636551efcbd2889c
SHA256 2ddee360aee66470e067607ffc31b7b704c8db6d3953f6f4f1402b1508f37991
SHA512 a0e48cd608f7545af5493d4b1b3516c5d314b34ac16b2a96621ffe04325f56b5badbbebb71fee3b17f1a17e4b6bd2d0fb9db72ea9ed23154d73d7788fa0dc878

/data/data/com.banco.bnl/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e9573f18085f0520844fe73c673bf317
SHA1 bd3a9ecd1bdbea113817de40857b3cb969d80bac
SHA256 2b14028dac493c53f490f75e27ec1e2126d1a9392f540c6e3d8318f64b001fa1
SHA512 72668e35da387d2bf0ce2d3c66a9771454ff1c331593edc1976298524e84c93cd9b3f2fa2229b367f2916b25eef4650dd38ed8930c008539231d6bf308f9efa5

/data/data/com.banco.bnl/files/profileInstalled

MD5 37d813bca1a922f39ecf2f5b6d3cffe5
SHA1 01d59053478c0921f2e945e70f5a4bff21cc7652
SHA256 562232723ef909bc47ffcd623bb02fff1a092b28dac7d38a5e645c80b67bf40a
SHA512 bf9ff760c7fedaddd56500e2758a81a19934923244668d1ac87daa6ad0fb7394a66ac2c6d7ae635a110c95a7a3f56a089f7899939004c923e0b315349da19f14

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 6413aeede860048bbd0920a481610283
SHA1 198f70835dcfc1e350a52ef655809613dd3ea569
SHA256 0ec67b67f864299e1f8c050243aae89048b5935ecf73505cb04ef38b5980a9e3
SHA512 ffcb2cb37aa608c178cff8c30a14264ec110be08e8b6abc33cb309847e5f315d69a7e8083799986e68ad0a5f59c82401050d47b547a5368c8b385790eb34e8d1

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-27 08:32

Reported

2025-02-27 08:36

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

132s

Command Line

com.banco.bnl

Signatures

N/A

Processes

com.banco.bnl

Network

Country Destination Domain Proto (- = no domain recorded for the connection)
GB 142.250.187.238:443 - tcp
GB 142.250.187.238:443 - tcp
GB 142.250.187.238:443 - tcp
N/A 224.0.0.251:5353 - udp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
AU 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 - tcp
GB 142.250.200.36:443 - tcp

Files

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 a625c2b0ff12bd941a78835bcda5e8cf
SHA1 c5aeb1c75e01e01a7fe50ee6636551efcbd2889c
SHA256 2ddee360aee66470e067607ffc31b7b704c8db6d3953f6f4f1402b1508f37991
SHA512 a0e48cd608f7545af5493d4b1b3516c5d314b34ac16b2a96621ffe04325f56b5badbbebb71fee3b17f1a17e4b6bd2d0fb9db72ea9ed23154d73d7788fa0dc878

/data/data/com.banco.bnl/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 65d78614bc9aa47cbcfbe75158d726a4
SHA1 33bac1d66b25d077d4c62c0e322de0a44c4463b5
SHA256 e9ce8378cf8f67faba6f9d936ac35b51ba11e989f90fface89f6a3bd209b89eb
SHA512 41ae6c921b6766e159c1cbc93500bc20400ef496ee98fcc0f8279f85f4d96ef1d0c790be7f1d34302129e85ac148208b1ae6890204c9e90117e7b04ddb3151bb

/data/misc/profiles/cur/0/com.banco.bnl/primary.prof

MD5 035b035617899971661dc50f187c5a39
SHA1 094b32131f62c1f9ac28cc960a5056c8e163630f
SHA256 023699ab0fd591c32a054ab3c23edaffa32b88ecd62354124795ab5d89d42ec9
SHA512 4864f0b2d1fe19a02ae833610ee23f95f37e8ca815c46ca9067227043c774d09df0e6f27e8ea3af191962c5427ea6017551177d54ccbd2f8e24b44f4aee5ff46