Malware Analysis Report

2025-04-03 14:09

Sample ID 250228-xn824avqs3
Target 21540224260.zip
SHA256 700feb6516b2b9070283a3e818abc7c1735e08ca750ff6b522737f2ab3cd77c8
Tags tgtoxic defense_evasion discovery banker collection credential_access execution impact persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 700feb6516b2b9070283a3e818abc7c1735e08ca750ff6b522737f2ab3cd77c8

Threat Level: Known bad

The file 21540224260.zip was found to be: Known bad.

Malicious Activity Summary

tgtoxic defense_evasion discovery banker collection credential_access execution impact persistence stealer trojan

TgToxic_v2 payload

Tgtoxic family

TgToxic

TgToxic payload

Obtains sensitive information copied to the device clipboard

Checks known Qemu pipes.

Queries information about running processes on the device

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-02-28 19:01

Signatures

TgToxic payload

Description Indicator Process Target
N/A N/A N/A N/A

TgToxic_v2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Tgtoxic family

tgtoxic

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
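A static triage check for the manifest findings above, added here as an example and not part of the sandbox report or of the sample: it parses a decoded AndroidManifest.xml (the form apktool or androguard produce) and flags components that declare the three system-binding permissions, plus any requested permission on a review list. The manifest embedded in the block is constructed for a hypothetical package, not the sample's; the review entries beyond REQUEST_INSTALL_PACKAGES and the short tag names are assumptions. What matters for triage is the combination: a device-admin receiver resists uninstall, an accessibility service can read and drive the UI, a notification listener reads notification content (including SMS-delivered codes), and REQUEST_INSTALL_PACKAGES lets the app prompt to install further APKs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Binding permissions that give a component a privileged system hook. These are
# exactly the three flagged in the static1 signatures; the tag names are this
# example's own.
BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}

# Requested permissions worth a manual look. REQUEST_INSTALL_PACKAGES is the one
# in this report; the others are an assumption for a broader review list.
REVIEW_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload_installer",
    "android.permission.READ_SMS": "sms_read",
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}

# Constructed decoded manifest for a hypothetical package. It is NOT the
# sample's manifest; it only declares the same kinds of components the
# static1 signatures report.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="demo">
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService" android:exported="true"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of finding dicts for the declarations listed above."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None:
        # iter() walks the whole <application> subtree in document order, so
        # nested receivers/services are covered too.
        for comp in app.iter():
            if comp.tag not in ("receiver", "service"):
                continue
            perm = comp.get(ANDROID_NS + "permission")
            if perm in BIND_PERMISSIONS:
                findings.append({
                    "kind": comp.tag,
                    "component": comp.get(ANDROID_NS + "name"),
                    "permission": perm,
                    "exported": comp.get(ANDROID_NS + "exported") == "true",
                    "tag": BIND_PERMISSIONS[perm],
                })
    for up in root.findall("uses-permission"):
        name = up.get(ANDROID_NS + "name")
        if name in REVIEW_PERMISSIONS:
            findings.append({
                "kind": "uses-permission",
                "component": None,
                "permission": name,
                "exported": None,
                "tag": REVIEW_PERMISSIONS[name],
            })
    return findings


def risk_tags(findings):
    """Sorted, de-duplicated tags; the combination is what drives the verdict."""
    return sorted({f["tag"] for f in findings})


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    for f in found:
        print(f"{f['kind']:<16} {f['permission']:<55} {f['component']}")
    print("tags:", risk_tags(found))
```

Run it against the output of `apktool d sample.apk` by reading `AndroidManifest.xml` into `triage_manifest`; the binary manifest inside the APK must be decoded first, since ElementTree does not parse the AXML format.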

Analysis: behavioral1

Detonation Overview

Submitted 2025-02-28 19:01
Reported 2025-02-28 19:02
Platform android-x86-arm-20240910-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2025-02-28 19:01
Reported 2025-02-28 19:02
Platform android-x64-20240910-en
Max time kernel 31s
Max time network 66s

Command Line

com.example.mysoul

Signatures

Checks known Qemu pipes.

defense_evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Processes

com.example.mysoul

Network

Country | Destination | Domain | Proto
GB | 142.250.200.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.206:443 | | tcp
GB | 216.58.212.206:443 | | tcp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
AU | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-journal

MD5 435720b8fa6d8fdd366309f77221f1ad
SHA1 60e755752351ecedb2958312904b358c44663224
SHA256 50392dfe041c2f7acb69e951c2cd96230518384e75bd12c175bbb667efc11538
SHA512 1b49a58b199cc84058665458f47d365067b2c265f5353cf20ea70aa53f546b3f074f1574b915bba352c9124f987175ebfe04fa5bff2b7713e53099b709ee48e3

/data/data/com.example.mysoul/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

MD5 d890af8d51be55faf469f8e4dd2cda77
SHA1 9835fca8831a7d7699cfc30db990db8726d1b839
SHA256 938769d0394042d909b0e83e31acb3aaf807f4ad00532e56ff171e1665563032
SHA512 0d63ebdb7f2e95b6f4b867cc5c67687ce8354db81f4ee220acdd124e6dea6d7bb8c28eb472b17c8e025339c3f89f6d1b7003eafd4680c22fe3029fed5da29861

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

MD5 4e678ff7f51063470ff4e3987f36b154
SHA1 b6c0709127ae2bc5931434cfbd3ab0b173d4e720
SHA256 fa6c7b573c411c66a2b9069a969d0cccec6829ed80221cfb327b48f71a00b964
SHA512 2d223844208a6d32fd9ebefa5d71d3a522c27d9df9f8be28b9d6bdb036631ead5de4b89959bc0ae2a488702a30b1b2e710ebdcfd63a8f97764f0c9361966634c

Analysis: behavioral3

Detonation Overview

Submitted 2025-02-28 19:01
Reported 2025-02-28 19:02
Platform android-x64-arm64-20240910-en
Max time kernel 5s
Max time network 65s

Command Line

com.example.mysoul

Signatures

TgToxic

stealer trojan banker tgtoxic

Tgtoxic family

tgtoxic

Checks known Qemu pipes.

defense_evasion
Description | Indicator | Process | Target
N/A | /dev/qemu_pipe | N/A | N/A
N/A | /dev/socket/qemud | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
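Each behavioral2 and behavioral3 signature above is a single framework service call or file open. The classifier below, an added example and not the sandbox's own signature engine, applies the same indicator-to-signature-to-tactic mapping to a constructed event trace. The signature names and tactic tags are copied from this report (the two /proc checks carry no tag here, so they add none); the "<pid> <kind> <value>" trace format, the trace itself, and the generic /dev/qemu* prefix match are this example's own. It also reports whether the Qemu-pipe probes come before the first framework service call, which is the ordering to verify when judging whether a short run reached its payload.

```python
import re
from collections import OrderedDict

# Rules: (regex over "kind value", signature name, tactic tags). Names and tags
# come from the report; the regexes are this example's own assumption.
RULES = [
    (r"^file_open /dev/(qemu[^/]*|socket/qemud)$",
     "Checks known Qemu pipes", ("defense_evasion",)),
    (r"^file_open /proc/cpuinfo$", "Checks CPU information", ()),
    (r"^file_open /proc/meminfo$", "Checks memory information", ()),
    (r"^svc_call android\.content\.IClipboard\.addPrimaryClipChangedListener$",
     "Obtains sensitive information copied to the device clipboard",
     ("collection", "credential_access", "impact")),
    (r"^svc_call android\.app\.IActivityManager\.getRunningAppProcesses$",
     "Queries information about running processes on the device", ("discovery",)),
    (r"^svc_call android\.app\.job\.IJobScheduler\.schedule$",
     "Schedules tasks to execute at a specified time", ("execution", "persistence")),
]
COMPILED = [(re.compile(p), name, tags) for p, name, tags in RULES]

# Constructed event trace in a simple "<pid> <kind> <value>" form. No real
# sandbox emits exactly this; it mirrors what behavioral3 recorded, plus two
# benign events that must not fire anything.
EVENTS = """\
2311 file_open /dev/qemu_pipe
2311 file_open /dev/socket/qemud
2311 file_open /proc/cpuinfo
2311 file_open /proc/meminfo
2311 file_open /data/data/com.example.mysoul/files/langs.json
2311 svc_call android.app.IActivityManager.getRunningAppProcesses
2311 svc_call android.content.IClipboard.addPrimaryClipChangedListener
2311 svc_call android.app.job.IJobScheduler.schedule
2311 svc_call android.app.IActivityManager.getMemoryInfo
"""


def parse_events(text):
    """Return (pid, kind, value) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            out.append((parts[0], parts[1], parts[2]))
    return out


def match_signatures(events):
    """Map signature name -> indicator values that fired it, in trace order."""
    hits = OrderedDict()
    for _pid, kind, value in events:
        key = f"{kind} {value}"
        for rx, name, _tags in COMPILED:
            if rx.match(key):
                hits.setdefault(name, []).append(value)
    return hits


def tactics(hits):
    """Sorted set of tactic tags implied by the matched signatures."""
    tags = set()
    for _rx, name, t in COMPILED:
        if name in hits:
            tags.update(t)
    return sorted(tags)


def emulator_probe_first(events):
    """True if a Qemu-pipe probe precedes every framework service call."""
    probe = call = None
    for i, (_pid, kind, value) in enumerate(events):
        is_probe = kind == "file_open" and (
            value.startswith("/dev/qemu") or value == "/dev/socket/qemud")
        if is_probe and probe is None:
            probe = i
        if kind == "svc_call" and call is None:
            call = i
    return probe is not None and (call is None or probe < call)


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    hits = match_signatures(ev)
    for name, values in hits.items():
        print(f"{name}: {values}")
    print("tactics:", tactics(hits))
    print("emulator probe before first framework call:", emulator_probe_first(ev))
```

A run that fires only the Qemu-pipe and /proc rules, with no framework calls afterwards, is the pattern to treat as an aborted detonation rather than a clean sample.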

Processes

com.example.mysoul

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
AU | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 216.58.212.206:443 | www.youtube.com | udp
GB | 216.58.212.206:443 | www.youtube.com | tcp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 216.239.38.223:443 | | tcp
AU | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
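Every row in the behavioral2 and behavioral3 network tables is mDNS, a DNS lookup, or port 443 traffic to a host that either resolved to a Google name or carried no name at all; no command-and-control traffic was captured in the 31 s (behavioral2) and 5 s (behavioral3) of kernel time recorded. The script below, an added example that is not part of the report, parses rows in the report's own "Country Destination [Domain] Proto" layout, learns IP-to-domain mappings from the rows that carried a name, reattributes bare IPs seen elsewhere with a name, and leaves the remainder as needing enrichment (PTR, WHOIS, passive DNS) before anyone calls them C2. The rows are copied from this report; the platform suffix list is an assumption.

```python
# Domains treated as platform / first-party background traffic for an Android
# sandbox image. This list is an assumption for the example.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                     "youtube.com", "google-analytics.com")

# Rows copied from the behavioral2 and behavioral3 Network tables above.
# Domain is optional, so a row has either 3 or 4 whitespace-separated fields.
ROWS = """\
GB 142.250.200.10:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 tcp
AU 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
AU 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
US 216.239.38.223:443 tcp
AU 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
"""


def parse_rows(text):
    """Parse the report layout into dicts; lines with other shapes are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, port = parts[1].rsplit(":", 1)
        domain = parts[2] if len(parts) == 4 else None
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": domain, "proto": parts[-1]})
    return rows


def is_platform(domain):
    """Anchored suffix match, so 'evil-google.com' does not pass as google.com."""
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def triage_network(text):
    """Bucket rows into mdns / dns / platform / other / unresolved."""
    rows = parse_rows(text)
    # Learn ip -> domain from rows that carried a name. DNS rows are excluded:
    # their Domain column is the query, not the destination's name.
    ip_to_domain = {}
    for r in rows:
        if r["domain"] and r["port"] != 53:
            ip_to_domain[r["ip"]] = r["domain"]
    out = {"mdns": set(), "dns": set(), "platform": set(),
           "other": set(), "unresolved": set()}
    for r in rows:
        ip, port, domain = r["ip"], r["port"], r["domain"]
        if ip == "224.0.0.251" and port == 5353:
            out["mdns"].add(f"{ip}:{port}")
        elif port == 53:
            out["dns"].add(domain or ip)
        else:
            domain = domain or ip_to_domain.get(ip)
            if domain is None:
                out["unresolved"].add(ip)
            elif is_platform(domain):
                out["platform"].add((ip, domain))
            else:
                out["other"].add((ip, domain))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in triage_network(ROWS).items():
        print(f"{bucket:<11} {items}")
```

On this report's rows the "other" bucket is empty and two IPs (142.250.200.10 and 216.239.38.223) remain unresolved; 216.58.212.206 is reattributed to www.youtube.com because a later row named it. Treat the unresolved bucket as a to-do list, not as indicators.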

Files

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-journal

MD5 e67333a73416127061b7bb781d23817a
SHA1 8a1e87df3a56714294862b714985928d3eb84c06
SHA256 077061b742656af10603bc199e15972a773c20ff1a5290f1f65d77968a81ea9e
SHA512 351fba4fa945f2851271117c4737119a61724ee30e609c3dd168c75c25e12f51883258efe8bc4330d188bd8db3dcfa4f56d311d43ec6747ca332a0992b6adc24

/data/data/com.example.mysoul/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

MD5 600395ac4df7e11951cca54a08bb9aff
SHA1 25107e8cefdff5e4a5399511a646657fa5c5dd74
SHA256 8cc001dcae9065d5e0d0eff387071202b55a771a4a13c005cf0032580b368f68
SHA512 9dd943ac0c7761d772cc0526242c9f00becc0f8afa2474b33fbdcc140d343271291d7ec0edd77b02cef80426d35be8fec362befed9850cfe286fa1b34ff3a9c8

/data/data/com.example.mysoul/files/cuucuThfufgu6678ybu

MD5 dd491ddfd0be140cd0953e4b030c6c95
SHA1 685838ada2ba4ba6b490a64b44a3041197b8b2c6
SHA256 28cfa98ba4cfba52967572d746445458001efe4188d8dc597d5af9b34da39429
SHA512 168ff3424b0619c447db15b9e037aab6b8948709167f97dca577a7b8a969a67c821d93ada82c34d0cc5de2089defba5d323be07354298758c5797a83521f59d6

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

MD5 545bd2d0a88dae4e3a8f16f88f0e8a4c
SHA1 6b25b706053facf0b59abe653e8b2274682bea89
SHA256 41ad6cd7763ae55a03e6dc118aeec71ed6ffbfdea86a284f5127fec258f6b7c7
SHA512 5a3f856574ebe0bbaa5c336a3b57e1076b2e6196545478535d35909f34b6eff4bc79149741ac8b9b5f81d6422d90acc7a34c6d59c84c628343a5c5dc5f59136f

/data/data/com.example.mysoul/files/lang/ar.json

MD5 b92cb082787ee39e98a9c080f0790675
SHA1 88b0511c8905f22f5a0c8f7b837a58a43499c682
SHA256 3e1d31391c55982feeb9d58bb92dfe1a2299db3c66b41a25dde77c11e07801d3
SHA512 1b24d92839025b9125dcbc1525c7ada7d51099d342cc5451875a250f23a4c9544df396e83edf812d5f0bdb2485f491f365697bed70899ccd5b82dcf6273233eb

/data/data/com.example.mysoul/files/lang/de.json

MD5 62f964d921a8eb475b0d410a8380265a
SHA1 d2d659b8c8fb865cb4cdb4b9bbfb751cb42fd702
SHA256 a7d9b15d8fa46da6c31578f18d06e6b8c255f34322c667753681223534c650f2
SHA512 11bba79ba7dd816aae16e5c1c73c5077c0d69efcafb559bcea426a56a0cf721c0ea257c4cb283a6050dac0993945ce742e6143bf1e184d7d6f9037d1be93242e

/data/data/com.example.mysoul/files/lang/en.json

MD5 2a991ace4822fc2c2dd65dcb41999c07
SHA1 81a941fec588c65ef6ed1349a74200b605d22427
SHA256 72acb728acc3155e39e3ebb853fc9ce0401a9f081836155e12f2121600e349e5
SHA512 0fff3e6f1a4f719ebed738324cb31d147d003e8b5ef9dd27e25903493e63fd620559d5b9c1ec16b8c5e9f91f2fad29fd4adff6daa07c6d0869fe25e9cf50888c

/data/data/com.example.mysoul/files/lang/es.json

MD5 42dbdc095240f21ca3c049fe994a4000
SHA1 d38b0c8a33c444d52019e50ec1d8a2534cb31086
SHA256 86d8ab8e308fcd32a27fba5999a44a1aa32f24f8c83176e1f8345c219c1ce203
SHA512 83c9b45cb2599e501b978066fe411240c60efbd7ff344d052b6c5248cdae59e553b8cd0139ae5012482962cdc97b7459fc876f2725384ef42c6ef4c0dfedcd9c

/data/data/com.example.mysoul/files/lang/fa.json

MD5 ec193595f567dac48f2d1ce8aff33b46
SHA1 114296eb51f7b743d08dbb2644186cf335d49c27
SHA256 5e801de20bf0084c1f05ae02be41816bd32d1dedb91aaf9a65d3194e80af88f1
SHA512 f5ba55520a3a7c68a3065f5ae60296bc982d3d768b92c08e0964c65b35be2d7d50facee7916975b608f7783025e11ed3b5bb6651a727879432a4da8ca5050ef1

/data/data/com.example.mysoul/files/lang/fil.json

MD5 4eaf47c22fc273db6cac1f9b6d150707
SHA1 0d4e3236a58782003510af3f540c767f08319a0d
SHA256 d76e6714f5a7cf39750c09208fb575b3c27709ac75ba2f6a8600fc29caab5fb3
SHA512 3936c2dd3b13f5bf49a5be13ca9f57655711e19a813f7ef941fdd78431ca28b70649834f90ce1536c30513a4060d6f3829ca13c292299c3ba95396766a079c93

/data/data/com.example.mysoul/files/lang/fr.json

MD5 588e57ced19e5e84cf80b72985dc2cf2
SHA1 43ee1e31d576c9725d4409ddf1fd0d4f1a72822c
SHA256 72036444bec9592d285e306e902a2d11c12a4f3dc938c9b51c7ccd5eaaa0da1f
SHA512 8667a85b446ce795a08b9b3f3b3f2ee6c2ffc5cd486fcfac017b36d55a9c61675ddb96e4c53e7a060f4a6b685692a84c1adac60c4416419360e61f48642efec0

/data/data/com.example.mysoul/files/lang/hi.json

MD5 b6f28e058147852f9dce34b2c610d568
SHA1 f3c2861be24968efd02ec830156e165e33be2752
SHA256 2300b9b9f8b1db6e5c42c9bf9190ad60fdd961cbd918201da8c5f154d75e8fcd
SHA512 3ee839838b1a6a82d000b1e4d609d0b76ad374c22ed79510b6d87df098d19e9498cb299d198112f2e8eba7280a2144c1ec1564fefc4d20ee0f001ca45dd3eab9

/data/data/com.example.mysoul/files/lang/in.json

MD5 9658076786a255940f7487eea9496721
SHA1 a6dca25ea041f5dfc214a99371abe8c9526ae302
SHA256 110cefb38b0fba84186646f841579bacd2dac35219ff61e1824accea23691d68
SHA512 04f73c03e99e482bac48374f4dcec14513484ab387266d1360e8aaaeb7b8242d6b25bf21baba2ca32a46cd2122bcd2cc4fb9f1c1086626d4d9c31a454166a8dc

/data/data/com.example.mysoul/files/lang/it.json

MD5 7b91cd583dfc590481ff01b2bd994353
SHA1 cbd2d3b803fbc7ca608af5f1b6f827b760f35529
SHA256 4a804a97858e2ec416fa25fc33e5deac2b4ebf8fb37b0a9d62dd996090997e3a
SHA512 a84cc358236624759978c1bdf1b287a9c4b2991fba3e720f7d197cadb0edb35f7beb45e8b83b36f2df350d38a2b1cf3743e02028bae7962f0a7377c85f8c7ae0

/data/data/com.example.mysoul/files/lang/iw.json

MD5 3eee20aa4cf758718173ba04f2d1a78a
SHA1 3df0641dfc79ebf2ccf819b003821e6e72760595
SHA256 716b4fb6b93dfd3e64d020f6d491c2fd007788523b5dcbcc38aafa70a6dc5882
SHA512 45df0473c591967f3c5376027787d27f8be92224b4afef2bd72f47553a66d245c5986a0491c732f1f7c371de286c88667677b49adc554a387a7c88bfa92cb95a

/data/data/com.example.mysoul/files/lang/ja.json

MD5 ce26676f8e2fe950d5e2f3fef72dd1e3
SHA1 0cffd0f11c5a64765f8f4b04e54750820b9729da
SHA256 f7c4a5d2def379fba1fe1100f31c6b0982b9d268f6254ebb425706d47a5590be
SHA512 6a0e22d6d9c6955a0223ed3d7bbffb0be69ec1dc09df4d5917a0c04ab89dbd1ac9369b36de2310ad7cbd00746161d3ec57d05eca9c8f0a87a0572edc52ac40ec

/data/data/com.example.mysoul/files/lang/ko.json

MD5 29a422a6fec5edda26d6ea953e0dde77
SHA1 700a5cdd75524645c10fc84ec0707697147b52d6
SHA256 970e79514f9b85cf5180c0d752817a78db199f2773458919c3b4bafd6b922ee4
SHA512 1deb05d6df4e22ac3ca60e525ba3baf3db16b2715eb8ad623acaffaaf9ca2d9597cf224a83a23918f36b0c89cf09d037c37d50da74421f33b64bf5ea28b213c0

/data/data/com.example.mysoul/files/lang/ms.json

MD5 adf5cf796f5f41061c39a81d9e3cfd2c
SHA1 0878cbccae3b71a4895d2e939d87247ceeb8d966
SHA256 ba83066b5e1e5b94d36a48b2c21d2245cf4240fc1080f003fbcb1bda80e3cb47
SHA512 376f4fd428bfcc65ad606256d441c82bdb3348e2cef0653357412d1e532ced986cf3433d4125c35258f20fec5567fc160bce4ad33b8b7bf9ec1f3b91c1b6d5ed

/data/data/com.example.mysoul/files/lang/pt.json

MD5 92a6224e4e0e5adc80dd86f02e4b5dce
SHA1 8d23227909458bb7e62ab7b6420bc0a5cfa96831
SHA256 42669b3b1fabca0de1ac237528fd59386157b598793d3fa45be019c0d4e7ab22
SHA512 f36e01f61959cee71ccb5a8a0b16bf5a62ba613a7b0bf13a44ba5cdf8c083de9d6a67589e2f67609003781c6e8d44ae0e9496ba8de52306b7d6bcd1272f157e1

/data/data/com.example.mysoul/files/lang/ru.json

MD5 77faceda71e4e4ae0ec3c1696dc27cfb
SHA1 ea52adcd42159b75fe988f418f549193c69c67db
SHA256 dafaa4e941539b9bfa24fefc26bc3dbc74e2aa5256544de1b4d292c6a3ea10fb
SHA512 91719bf5f3c85ea2c866455de9e6c74f6ec8cd023192d1da199d3a9b99ac8ab87bea196edca0fd11c4bbefe88da4f8a5132dadccd4fca4acd8920c0ba2ace190

/data/data/com.example.mysoul/files/lang/th.json

MD5 8c4f443d3371cffad317a3ef88693413
SHA1 1069cbe97d9a0a5b137daa8b2a10b0bb922f1283
SHA256 e060c0dd6a96031719b5a36cedf28375b4bded918b707f5530a5102dd9066543
SHA512 c3c865c68820c5863b5a1f937fce40e766e03702f29d7fd131ab552d155ab6ed694e1554228d30bd13a2964aa170716e28355d0074ed8064545185199c2a2508

/data/data/com.example.mysoul/files/lang/tr.json

MD5 8e59c1b565f37c440183e5095b5fd78b
SHA1 3ae91dda0450e6d6332bd5599a560868543a1a22
SHA256 07afa649ce3a2d1b642a40b7d3784172fd7da289c78036b1988a474ecc0a44af
SHA512 d0b25c8445a1668a8e528baf452dbcc7f274c8b591da2190967130fa5617189624e0e55f6b07fd9ba7bff43ac1fba0fff25116b29cd54089ecb30a838a6516fb

/data/data/com.example.mysoul/files/lang/ur.json

MD5 371c51545807950ecc0ec1b364bf1e02
SHA1 a680b0282c69367ec71d939cd2c0de0d76e3bf68
SHA256 ab8169e9b740b213094ff20ffebf7ac3cce49c25a689a9ffe0613acf7b9b4680
SHA512 5b09f51c8d8cbc2c44191869653433544fc5c42102c7336a0730e3191562033815291fd76071880d84751bb2b924e44a3afca78e5233c3871abe33f909350c16

/data/data/com.example.mysoul/files/lang/vi.json

MD5 161f64a16b5597e70b10248b7fdd689d
SHA1 32bb95f1bdc12b137181324b8a461426634946a9
SHA256 d993b1412906d9de741ee5b72aa66caf15da20dd74a8316d03afd8eab223ebbd
SHA512 5051d947c5854da2289c6432ec2b8310815407dfcc1e207d7fd3a71f5b099f64dcfcae04d0dbe146fb0fd6c0db3ad0c56dd7f911611e7effb1ee552b38262a19

/data/data/com.example.mysoul/files/lang/vn.json

MD5 d51a24fd4f4a73e0559be0241048ca1d
SHA1 cf7cd1211a64f09cc8d903f5bc661d9ffa563271
SHA256 383d8c03f7a1153a390b97d9646ddec03f0b7a20bfb3ecef45083757bb27f02f
SHA512 2bfa9a919b0f72ec9106ff6adc8ff66cc52122dc804ad7e42288ff3a2fd8e9eb01cad82e0674a98f6167bbf992a2beb12706e0b939f4f6ddd090b66a7538418e

/data/data/com.example.mysoul/files/lang/zh.json

MD5 bd828af3248901e02f306845943f6c5f
SHA1 ee8bf23d1e9c1aadd4cbdd13cfe8d591e4a9c8e4
SHA256 1281f1f36738923998cf687f4e7fab1ffc031fc6fd832c331233581df8f41205
SHA512 0134679fb92b288b667fecf9d8368fa2ee71077d991c15a55c1557c197463fde8c9502fb9691ce2c8877793518b537134961bf34f97cbaf48ebf7d5d5bcdabf5

/data/data/com.example.mysoul/files/langs.json

MD5 92f4fccd58415db0e92162a51e719449
SHA1 15f497fd30d342607967aa873c78865d9472c5f0
SHA256 0be3961d25c265074fe92a0e0f18bd6b59f7fce478a964b156cfb6573dff3c04
SHA512 606cad27d1ffb6d5e4c03ca5049cded29430665937c94f05f1b755694338639d69715025e55707275278d40ac54cc41ef6765211cf376db6a79427726c9b0aea