andrmonitor | 4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3

Analysis

max time kernel
47s
max time network
155s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
13/03/2025, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.apk
Size

20.8MB
MD5

459697ba8c760c82c9d2c84e2ebedd8a
SHA1

e7f531016d07ca6c8332e9a4071725a21837be40
SHA256

4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3
SHA512

6ef8e8b9c60d6f801ef7035d87f540833ece3ada82613f63957a9a792b85ef29ebe41a40b4594fcf8257cb23784cd07ad6e392d2db9a9637e712f288c8ce4ddc
SSDEEP

393216:3xMU8OOsJA35z7A79L+eA31mbgafiubcEZrbRT9i/zVN2I+TXOlyKpPbNiRSKcsQ:32oJA35z7c54FmbBffcGrLi/zVN2Ik+j

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	gzsiseqw.llrlhdvhbe
/sbin/su	gzsiseqw.llrlhdvhbe
/system/bin/su	gzsiseqw.llrlhdvhbe

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4513	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4513	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4513	gzsiseqw.llrlhdvhbe

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	gzsiseqw.llrlhdvhbe

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	gzsiseqw.llrlhdvhbe

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
16	anmon.name
17	andmon.name
13	prog-money.com
14	prog-money.com
15	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	gzsiseqw.llrlhdvhbe

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	gzsiseqw.llrlhdvhbe

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	gzsiseqw.llrlhdvhbe

gzsiseqw.llrlhdvhbe
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4513

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
2.7MB

MD5
5907bdc6596cfe0108c63176fefd23c4

SHA1
c4d71fe62de457f85bf8e084b0ed76090c92fca6

SHA256
398a1da4927ee13b67fda9f440b013bedd7169db36925ef057ae06ec1dd64094

SHA512
bbd04701e9652928ebf45468b027c211470c4cccc9333e644f42f27e97e4df2ebb4dd9301e35a7d4d744f570b9ad11951ba871f9812fcd6f85472c6f9dc42a44

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
128KB

MD5
f2ce9c95a8b8921a66ab95c76d10e742

SHA1
fd335c8a71b7402d10093d8014e2c92a667affdc

SHA256
8141d144aa9d7d88e19762424cfb404f33fa02a80c7421136b79849da77621c1

SHA512
aa9517ab1a5bc603260ee5506beebe83b754fe76baea323c3fb3f68c06cc50ebf8777f98e084089774bbe956e31a5d56d6984b02b812cd842dea920ca2f003f6

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
de51088f958ab13365bb91231df5dc0c

SHA1
5afd2f04386f4fe1f45f5a0f7b547e91536d3f9a

SHA256
c6f14155d42442072297d4654389873f5136c4b600811768eb8132898bebd2f1

SHA512
fcf6d3a531156990c22de5a96f068be54a1e7a6341120ad9dbae78204e563823d51cb28118a84a83cbb2e6a8ac74ebb86eb323a83f64eb9314b91ae8f0b84be2

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
60KB

MD5
b2fc263e9bccdddd2c60eb1de7e7c232

SHA1
1b1dc1dcfd01b101a09d291aefd0b2c1af82e9e8

SHA256
72ab04778e734ba53f9758331bf32246eb8b0cd83f6a33df7178d0b97c89a601

SHA512
65bd24f8ff9c9d05900b37c449629b8ef24ad0c83db6e1516992e2e9420603e40fddeb030dffd20e85f97278b3afec08ceb3691f2021be4c63778d0606b7cbc6

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
14af9f983bacc8c90a752e661b63f36e

SHA1
82947f901883d63979a4be113892c18b507eb38e

SHA256
4b5171f530ba7be44834cc1e01aea22443b9b006a188a341ddb3bdb8ccf95012

SHA512
313c4347f6d464084c34e457cb71a7c0d8f8b85c2e8a1fd34c8f8fcf6ddb44df367839213076760134d6175bd72970cfc3cb38ca9036dad538a58adbb0395f5c

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
a80badbcf53e7b091d0b2b77b7ec63f2

SHA1
00216c0572c8a5d8705d05076e29f1d844c9b267

SHA256
6929f53646022a08cc0f425166fbbd9b3dfbde22a72c8bfa215ba286dd14c2d3

SHA512
9663a26243dd96fa5d6ff6357c3f834293ed6976f71e4ea370a649ca5d43ee8f57b7af9f7ad0055071e94c5b8d41c79e5c3e4512242a0fc918c417099f3c91a8

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
176KB

MD5
768b306f0f26b20dfbc6d3f728219fa0

SHA1
dafe8906badb2b36b0916d9b2f484442f37185bd

SHA256
fa5f0573bb943b2556e9422f51c8c9df301e9d36674edb18c4e7027aa6fe06ba

SHA512
bc726927872c24a9424633b9eba1e839ab7cceabe75f7a32c79e53a534e0dc513d8b0630ab52260ab9e19000e2ecd749c81d00bb19bcbc450e850b56ea5c297d

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
512B

MD5
1fbf1d95d963913418cf8bba05602ee9

SHA1
79cafa4995203058f618cb2f27d69c0494ce3dab

SHA256
cc23bea16951d7f6db2c37a488c541fbc75868483b88625df9efc6c21cfec7aa

SHA512
02bab058265f41bd6274924a79d92b3d614c7fd1fd92a612b9325e9ebb5516147b17d0b2dfd7c960c14cfced458745ae5704a386f24b366c9c84696f72c00101

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
e801f44937d31af4c605b7340a7afdf1

SHA1
5342e5f22d19f310ff79afb87bb70e7577b1d95e

SHA256
e2d4e5b6e0f8b3e6d7c7399bd513deb8f86ed574ac192871b302db358972d80e

SHA512
ce8e3fc9bf862c571608aacb20bff562c35dc61cc0e55e5ab628ed57a0e35d4e1248ed5388601a2636798be4c98d3213a556c7efdb09e2d2c6512bc5cc331ba0

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
4KB

MD5
ad5a42b0ddc259b1f578e31d5cead554

SHA1
2432acbee214ac7223ebebb59d967ba9acfd8373

SHA256
cae1bbef53aeb3b959bb607533be8da52042d28a92daa516377753e842dc710b

SHA512
3ef6c1f35c1935ea46c041a960b8da62223377cb682f0cc1dc457f898e481318802f81a2689ee435b879759bf5b573a8ab33da13efe298d585ba37648c8bae3e

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
f3864f5792d71cc2e26bbb9d0753d890

SHA1
a7cb9a56fc60168ee9409c22e535b98322d39078

SHA256
f90247cccc035ceb5f750a08519e96019965f29a045a38d8cc09a0bd346f0fbd

SHA512
e1a0883527a178e1786658a7ff5121321e4244bd515356009561014e51524dfb46ebff2607f6cdaf24676d6bb4570760d1cc61a254b3532aa927319cf11d100d

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
12KB

MD5
ade58d4b4c36068d066cda36ff2f285a

SHA1
b802e6cd3758b82bc215526179c252adf7a1880b

SHA256
0f0062b73f4f3f7fd63ab375f74e76c56a7c83af2f1189cf43e1a28720929280

SHA512
869092d4b0e2ad22fe27e6ea3246acc810d19f2577986c0322187833a0d063471653f25c7889feb33a0654114543f287488a95f5638f25d41404175937dbc290

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
24KB

MD5
715c4a9036339288f45a76aba9c6a237

SHA1
5c22ef3713127ffac44652f154b545fcd2751703

SHA256
0a5b337e844c826a5a84c97405ff3a8929535e540cc13dcdc4a2eb7e21fc43a6

SHA512
722253947e2860156e043ced19aae0669c95b6652544b2ac4330d50621c4a865d3310c800ca84e03b6e960a1516951985ee99f72f300373688dc4be73641149c

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
3b8f44aab76b03f9ce67c3cf47025583

SHA1
600f55c2e141b15934f0cec78188911ca30c50b5

SHA256
a9306e582190a99b965bacce7a58f74442c59a6ba2ef33c29ef5202afc6a99f4

SHA512
a908c09a2215ff5b6ef4abe9ddf82a7631a011bf6657b7767e5d41178b333314b9c124d70a5c91a7a8ea7cf83d38ad8608ce21d8ff2cc82cd7717340f9a57d61

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
134B

MD5
7d51c4f481548085e69bd12b4f92e4b5

SHA1
8482adac24d7545a5a695c585710a96275eecd20

SHA256
d04ae567af0ffae060fb5428c58a718d9c85f949526bb85c48ee90e831dc2e99

SHA512
5521124f191a1f2efaa4c6b2999db2f35f6eace22741a5f747c5f4d99514e18a5f25618e5a9760788fa9c34f1b846d768fcc81a56209a343a1e2e72102c66ff9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
6f35f1cc21efb877aa4242642eb66f59

SHA1
2b5841db4699ca18bfdf977f2e54fec705e4ea87

SHA256
6987b91069a10a943dce11e3224a7122b7c5c372d3cea11ad680f149148439ec

SHA512
4fc86cd2f8df2d41ee7078cb625a6eb876d0f8bd334f2e7a05fe3a7b485c93aea7f155de7dbae4215efe71b13870c8e494f06cd1825b4b87adbceb2f20f3acf0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
7364be3a5a4ceb062a554e3c4b82b5ee

SHA1
7ee756cf17ca2232bfb80ebbd16498d024a78029

SHA256
5d301d8ccdcce196d2a77b0ba9e4d76ed985ed03204f81ae6d1d1eed9e8a12fb

SHA512
2dfc895fdb0d7e6edf7bd66c2257902e3d07889e6a6cdf0b7ef5a05414fe410235071a3035136e269f28219c1b9ff3131fcba8e0073498852722c2acb4d5ad28

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
a5ceb1be82b82316ba1422a4038dd267

SHA1
889e95028e89c9e9c703b70f7ecbc9f6ab05e4c0

SHA256
51c185db0352459b3dc07eacc8984ac1a42b6de9214c9c05d2a068cea345f50e

SHA512
66d1d6bbe9e3e8f8ac0a0e22206a7fe8352ded3dad37ae7655c98140e1761e0fa8b9446ffd28142373fd438b553369a3f8042999841ad5f59137207c4032eac0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
1908558910b1f2d6bca78b5cebd4fdcd

SHA1
895ba85fd81416f53c5873eae1f7f9cbeb1a52bf

SHA256
9a4926bd904f380c4464d9cee5bc224ca79ea9c7d075f5cfec85f3bcd56e9abf

SHA512
009ebba170ae0848e271e4b252dd9de043a5dd434fedfd15c6eaae1455c53bd743540436579fc5d010370e26044dac8fa31b4586624fadaf0b271d1d6a9d50c7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
6104d79791b19475db532d02327a5d50

SHA1
7edf987deb11868624475b877bb452b539bb27aa

SHA256
87a7370c7df214a705a6af6b377a8b1a73526c435de230faafce65c3169bd6cd

SHA512
5a01b9c478ffb7ee3c1d34656aba7708d6928b323cb3251347c06cc2bc1f1832d5d2401ae84d7fb4671f27a0ca5cf5e6da9d6f9682b58d1d3be618317ffc1ece

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
195B

MD5
f6a0300297ceaaf5fd3f49aab4ee2c22

SHA1
f98e43a08ba1d25419f32a557143e16929cb26f1

SHA256
8f1dfa561b1b520b8ccdbe903d57d0a846a7378e823d2b2df107ff19e26db251

SHA512
0455aaec1123cd0521b02c6e6a36ece9bbd6450e8187d6517c45acfde41a5cd1218f9aa3b6281ce8b5f58d2c8891416b2a592710d7c4ebe05f68042d5c7a7c23

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
39KB

MD5
673353420bd5012532d663aa29bda4bf

SHA1
83f813defcc1f2dc64daeef31629d2b8c9ed6488

SHA256
7fd70bb008802a8cd5ca07e4e4aa964202b745182480e010f31dada54a124b78

SHA512
13a80e9f1ac53e4a22a4e8d042b1803a9f8fcb5fb3d21c506c659450973079a624febfd13631b82d9896eda1f01535c572d1e6c9be4cc6b6531ae838c00e2411

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
9KB

MD5
bb386a7c5e20284290f2e4cdf6354573

SHA1
d485ef78c8e3916758f05e525432cb524fe59b5c

SHA256
b5a95f276cac4bbbcc6006397f2fb27dee738f2ce78dfeefce33b208ca1e189f

SHA512
4b1bd1201948b3c0e2a184df511dadb60194027994dd0ea331619b35fe8282268e6f0cbc6e8098165b70ff8e491bb1d36ae9fc0068918b2c02787aceb3be28ee

Download Submit
/storage/emulated/0/.am/log_1741882721531.txt.zip

Filesize
218B

MD5
792223e52d71450e31b949781a8e2f8c

SHA1
e61e0a45aabbd490b24ab94343c626d705953b7f

SHA256
77d05aa63da6cf13dd4ba1c2a64a6020a4fd1f2cd060675f885c654adaa67eec

SHA512
6f1750c81a761096fe194b11efca823220e28ab02ff4b7d74f839b3d3efb5eaf1803c177f8a92a99dddab3c5dfc1a8e14a1cf8d0733dcfd6e0cd95c29b106ab5

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
96B

MD5
9a7b2f3009638ea69bdc6a039140c59d

SHA1
7538e55dbfa9a4abff83e69ed179eedb9ffb8fa6

SHA256
e43c028722f303535f437e3e707dd68d2b1f312ea171dd10c5a72383d1e80227

SHA512
3e31af0f2de1d5c76b2cbc93cd0c2fa971f09c641b65c48e153c4ad8a096687706a44d3e8d18f412117699d102a3f642407dbf34146203bf2d496d9b44b0ff11

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
94B

MD5
9ce04389dadce7e24c45bd0f7f251293

SHA1
d4496348f5648eb78b755d0eb4dca409f40d95da

SHA256
efd3040779dd20bec6946d2c0ad66ffcf7ed7a95c1c7787c1321f43d4a39404b

SHA512
c280ab057e73993c0cbcf46b106c63110dfcf65e4f44365a56e233a4642dc3037ca693ce33a3cb50af6f31c0dfdb2b10f85ff756e50f71afe899c105f9c33c5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads