andrmonitor | 4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3

Resubmissions

13/03/2025, 18:19

250313-wx6snayzdz 10

13/03/2025, 16:23

250313-tvv72azm18 10

Analysis

max time kernel
33s
max time network
151s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
13/03/2025, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.apk
Size

20.8MB
MD5

459697ba8c760c82c9d2c84e2ebedd8a
SHA1

e7f531016d07ca6c8332e9a4071725a21837be40
SHA256

4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3
SHA512

6ef8e8b9c60d6f801ef7035d87f540833ece3ada82613f63957a9a792b85ef29ebe41a40b4594fcf8257cb23784cd07ad6e392d2db9a9637e712f288c8ce4ddc
SSDEEP

393216:3xMU8OOsJA35z7A79L+eA31mbgafiubcEZrbRT9i/zVN2I+TXOlyKpPbNiRSKcsQ:32oJA35z7c54FmbBffcGrLi/zVN2Ik+j

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	gzsiseqw.llrlhdvhbe
/system/app/Superuser.apk	gzsiseqw.llrlhdvhbe
/sbin/su	gzsiseqw.llrlhdvhbe

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4503	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4503	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4503	gzsiseqw.llrlhdvhbe

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	gzsiseqw.llrlhdvhbe

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	gzsiseqw.llrlhdvhbe

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
13	prog-money.com
14	prog-money.com
17	anmon.name
18	anmon.name
19	andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	gzsiseqw.llrlhdvhbe

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	gzsiseqw.llrlhdvhbe

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	gzsiseqw.llrlhdvhbe

gzsiseqw.llrlhdvhbe
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4503

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
2.7MB

MD5
5907bdc6596cfe0108c63176fefd23c4

SHA1
c4d71fe62de457f85bf8e084b0ed76090c92fca6

SHA256
398a1da4927ee13b67fda9f440b013bedd7169db36925ef057ae06ec1dd64094

SHA512
bbd04701e9652928ebf45468b027c211470c4cccc9333e644f42f27e97e4df2ebb4dd9301e35a7d4d744f570b9ad11951ba871f9812fcd6f85472c6f9dc42a44

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
128KB

MD5
f2ce9c95a8b8921a66ab95c76d10e742

SHA1
fd335c8a71b7402d10093d8014e2c92a667affdc

SHA256
8141d144aa9d7d88e19762424cfb404f33fa02a80c7421136b79849da77621c1

SHA512
aa9517ab1a5bc603260ee5506beebe83b754fe76baea323c3fb3f68c06cc50ebf8777f98e084089774bbe956e31a5d56d6984b02b812cd842dea920ca2f003f6

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
eb499c920beb582d8f419f534a848089

SHA1
cd14ad25038cab95e5658091d10a60bece0c6ffb

SHA256
819efd3b8af57e5d9e77996cdc0c268bc607ea779f491a02ad6d58bcef9def48

SHA512
ac506e4486f819cc67f5c9277919c570bf0ef182e0d3a1bf955dce2d75ae47ebc0b602a615984c72f414bc8688147ffa9a87d44e572f69743caa5eabede5cdcd

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
71afa144b6ceaa2f3db926fa7e8f8b64

SHA1
d9e43d54e15649dba2867f47b37304d6c799de94

SHA256
81746baa45630482143c3e6d46b9094fb3bff9eee9e2e99e61ff2f2581d4ddd8

SHA512
3d988709bd0940962542db7aa16b552966add74b4247d7fc0b8035a469c06cd4ee414564530899b59d49224a4868ef2550698b25448f296e1cbecca2cb3b7ab7

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
67b6929cfa72d439822ec466ec282a2f

SHA1
a89dea2999e714b91d282d197da4081b1206a72c

SHA256
4bfe133af720d8e8e5372ec525e70d3c2b18db8eeab368bafd2b64852bc9c64c

SHA512
1705a1774a70b3ca2f91b700c8c3439c255a0f754d214f23e2df91a92f055f6cacfe5170de439a2ac36baa84db05586aca4e2d3b789ca53f21f22c382b58404d

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
60KB

MD5
7c14b7e770515a311dfb479ff4bbe363

SHA1
a2e949c829f375b29dfad6ccedec5bb0335572dc

SHA256
649626af8221045ed2cfb824511088d761d2241d8b658f95e060fa639e00d5fa

SHA512
1c9f5ce143b0a6740f5ec8af57e1e073a0c10835f78c6502ff449f737b3775c2e002be51cc5ce0f88d4fd4cb0b423201113716116015759618e225f173aefcd2

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
176KB

MD5
6d32c45de6d60b14a32b8736fcae6b35

SHA1
00d99ad23e18cdec17b0793e9569cc0cfa534763

SHA256
b5768376ca7f095d6a21cf37ca2b1a9872f17b6c5ff58851360fd7d0e7737bf2

SHA512
c6a4b30165b6739f948187407dbb1cbb4241e8aff333497dfd308bdce5fa781423c1a4819188d7a4b0f31da8832a757154bbba8d1a165a953707a50c87d7c50b

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
512B

MD5
5ce42ee9ab21e1dcb340ed8721b91c3f

SHA1
d884cd7f857b60157a8ad077dc8d5545a65f02d4

SHA256
df7a8c825f25860cb174528cf2b34c6013751a4cd6ec34cc343812feaec5f625

SHA512
3d48037ecc25804c14b8310e8b25d77b6a6c48a25fd4ba96bafd8f5214da03b1c911d3f0c66e39cdab2f76b0a8e97e99d16c84617c14e46450c80f302d36f367

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
5b5777da9d199f14eff980d4470106a0

SHA1
87c8f21606429e6bb026d9d7352a75ae7bfa07c9

SHA256
bca878996fb03d7bedcf4b7acba4e3fa771643184a45851cdb909f390ff21f00

SHA512
0a06f2a2bdf3ed32e429993f5f55f90f29c4b4fd31b2336de162b228fd9339e3b63e6e24a19dbabe1b2d41eac56e909ec63028ac38cc3126f5cd48ed1017151b

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
4KB

MD5
c9b3b9bf4ba6682b67803d97c6ad00d2

SHA1
38477240b0df29cd3d7fd27b278a73bebb3598c6

SHA256
d98bcc95f5ca3bcf651c5f2a1f9a863f3f1e7ad7c60fe8c8ee97ecd4ed4066e2

SHA512
2d4869991a5820263253aaf5fb6d4570f9fe28f231b19da2f14882062dff8c7b24cc9a2bda8b7656227a3f133427ef54c6a7684a35110e28c66fe9232a3ae9e9

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
e54d77ef8e25fbf61e8d679c308d4474

SHA1
9c754281edf07b19e7052a487339da415bdd007d

SHA256
9202ced5c0c28a6adff2d53346fe25fe9d95f894737acfb5f9e5cbadf3b30ded

SHA512
69109c12abcef35cf14aa557b0aa9645a586ae984a39dacff56feb358e0e3f9e7a6bfbfd8292ee287b46abfbd8fe7591dcc750d2fdfa0e22c506c50b3a116b89

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
12KB

MD5
c5da5c4a33a264f85681aa41c5258049

SHA1
2ef4ea939a9240d27c7015706ad1a9e4f088b98a

SHA256
9ade9dc6c0d9e56d662379767dc8056b61c53921ebd36fec6ad2f3b22e6b78af

SHA512
13df794303217dd2c6a41f2fca1bf9331d25d6c7a060d15e84aa2ccb0bac1e88059a9512b990d862da5c8f6722475b4a06c2a3d6d949d3807fb933a723a8af26

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
24KB

MD5
a80d20f2cdb8554d214c79262b73aed2

SHA1
804d5add521365a015e924718bd6af66dc360aa0

SHA256
fecb4d9022fa66208de0b5fea22a91142e2a44f9ee0301ac83add6235649a1ce

SHA512
dbd5594bb7d3323bf831971331ebd00b0e8acaf7619a4369b1fd6d6e4bddf56774cc2e38739443bc755fb61040445dad2c01cd84aff732f3e664743b8ff13959

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
3b8f44aab76b03f9ce67c3cf47025583

SHA1
600f55c2e141b15934f0cec78188911ca30c50b5

SHA256
a9306e582190a99b965bacce7a58f74442c59a6ba2ef33c29ef5202afc6a99f4

SHA512
a908c09a2215ff5b6ef4abe9ddf82a7631a011bf6657b7767e5d41178b333314b9c124d70a5c91a7a8ea7cf83d38ad8608ce21d8ff2cc82cd7717340f9a57d61

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
134B

MD5
e26fa91c7e9b1c1f2747daee78e9450a

SHA1
6c385e9bfcdce8171fb2e6c9b8dab4bc69c07df7

SHA256
9384b924d0f1c16df2ca064a47b2278607cbf1b5416fca1a86d5f7fe48fa4202

SHA512
5183c9180b6ae755f77049063634177500d08e5324705d02bf926fdf4bc76944957c7e2df0ed6a97884f52348b24af3587c6fafd928986e6997383b44c8d43d3

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
2221283af63902f12180398035ac2d0b

SHA1
e04a164fe236683fe0cd2dcf936b89f41471bc30

SHA256
20a9280e97d3ddcd9e35ed1691b248bd2491c3c01e14dba70a9f192412252e48

SHA512
ff9714f75bf7938f5586ae86dc2dd6d086cf1a288c68e87bbf6721fce1190ee6927eac1a3cf84c23259e829689ef2686b2f79465693e9fbe9fc0de0e6d45876e

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
f4924739fb38c2459fa3daf654bad8f4

SHA1
9f1d26391da667d5fbee7ff053b6ac4edf9ded42

SHA256
c5e2cc4dbdaa2a7cd2c024fd9e2ab1431170f4005688de9a99b92a6db2ba5ae1

SHA512
bc93525563ab64eafaee521dadfd7ceaaf175d501b33eda063a1f9bbe0b26cc202cdb3a2082c7d47b98f4036561e7acb97c79366d7356a4f38fa1310d7b810b3

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
c779a32692314e3d862b7806ab2df36b

SHA1
e574f8b7693e78a99e61bb4416b7115cd8343b82

SHA256
09ca8b4b95ecdd655286865b878e9cefd531541cf73bd00ed25957f849946f3c

SHA512
8d083f06bfeca1e226a84942b04c8d036615a40e45a3afd180f8ab4f85fadfd7c9b12c3ce22c4145f896eab2bd097f96ea9443ff6dca055327fb60113d0ee552

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
5775b2fe4ee3f2148dcfbfa54d8fd981

SHA1
5f9cb0b74157ac8c1f9b53b9456fe1897b796014

SHA256
b1d595df05118c67145315606dd1d898ca1823e8c0c6cf1f7d402f400a10c05a

SHA512
d31159a5a633a9e384bda7497365f02d93ce3f2b6b82409a4d94404e9a7c5a3bf8317c86c03d9a636784784ed6c45aca36761f92672d6b1e76b1a8d0cdaa90d7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
83063f20e5f711bc43d63ed5fec9ef22

SHA1
d84c7282c013f7de4aca47f87a75dbf0daec658a

SHA256
53cf8c013f78554484c0eb52cd6b13a0148c4f73c8292168097baa48c1f17a04

SHA512
386ecb2017ae21bdbc0173be333973a22176d49646d382b422d2ba8482c4f58f362f153e8b6c8a456a63e7731fcaa34179bcbc4713584efacae48c072523c2fa

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
195B

MD5
4ad0b8d0d0953d7e506e902aca68ef35

SHA1
4342d0b8af907e9f7ff1a34ecff61825af44521d

SHA256
942553edeb5aeeea4d74f24d4d2dd2ecd7e59dafeb7ce132b378650c4b56329d

SHA512
dacfd9a31039bc8eb62d7253b8fdfd6cf35b63b33394cbffc20b665a2e382fb9bb5c127dd36ad040df06a1ec6fed2f1370c6784549eb5a4bd4b3251864b357a1

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
39KB

MD5
1f1fd3a9487d2625a44d86e0d3df2137

SHA1
23c29f863915fa63455370bf13a02a2221065877

SHA256
e813924bb23ce12c5d42d933e8edabff7edca1ad24f5ce0593e05815cd99ec79

SHA512
1cc66a0577257d0072e582d9dc359ec07ee5ff4cfdec568cbc6fdacd5b1f81c8647901cc20f45098bf58534d234eee61eb846b694fe95965d8267499fe67561d

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
ed336f045a2acea9954d97ce3b39fb13

SHA1
207d4c9e2d89028e6e3907020fd6204f12857d02

SHA256
d239f3efdce6737fbf2fc0613be03e6b647c49696c8350922725925aee3558d1

SHA512
ba809595e9704a385611eadb479cc62b65ba614e899fd68264682c70ab9eb509f29e83bfc3bb97fd863f086754cf335d2692973287290b166c1fd98edce539de

Download Submit
/storage/emulated/0/.am/log_1741883008715.txt.zip

Filesize
218B

MD5
8f40e30936202b4ea24e5e70137874c0

SHA1
049e0c30f37b9a366bc11f9e7c2046beaf66feaf

SHA256
41c919da156a51d37f4edbcc2daf75b669c6bb479ba1b2f3f34daccf02426e5d

SHA512
1a33f824f619be233e2b248650d078908a6677cfd28f84bca4d432a80a538b2e2efd7159f40b9872cdc9fc815a0860ca4a216ee89b936ea8ac14d06186a5e32e

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
96B

MD5
9a7b2f3009638ea69bdc6a039140c59d

SHA1
7538e55dbfa9a4abff83e69ed179eedb9ffb8fa6

SHA256
e43c028722f303535f437e3e707dd68d2b1f312ea171dd10c5a72383d1e80227

SHA512
3e31af0f2de1d5c76b2cbc93cd0c2fa971f09c641b65c48e153c4ad8a096687706a44d3e8d18f412117699d102a3f642407dbf34146203bf2d496d9b44b0ff11

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
94B

MD5
9ce04389dadce7e24c45bd0f7f251293

SHA1
d4496348f5648eb78b755d0eb4dca409f40d95da

SHA256
efd3040779dd20bec6946d2c0ad66ffcf7ed7a95c1c7787c1321f43d4a39404b

SHA512
c280ab057e73993c0cbcf46b106c63110dfcf65e4f44365a56e233a4642dc3037ca693ce33a3cb50af6f31c0dfdb2b10f85ff756e50f71afe899c105f9c33c5d

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads