andrmonitor | 4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3

Analysis

max time kernel
33s
max time network
151s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
14/03/2025, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3.apk
Size

20.8MB
MD5

459697ba8c760c82c9d2c84e2ebedd8a
SHA1

e7f531016d07ca6c8332e9a4071725a21837be40
SHA256

4b4c1064e3994b59904749fb706c8dfdcc6a50c203694bb45a6d1b4ce11795b3
SHA512

6ef8e8b9c60d6f801ef7035d87f540833ece3ada82613f63957a9a792b85ef29ebe41a40b4594fcf8257cb23784cd07ad6e392d2db9a9637e712f288c8ce4ddc
SSDEEP

393216:3xMU8OOsJA35z7A79L+eA31mbgafiubcEZrbRT9i/zVN2I+TXOlyKpPbNiRSKcsQ:32oJA35z7c54FmbBffcGrLi/zVN2Ik+j

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	gzsiseqw.llrlhdvhbe
/sbin/su	gzsiseqw.llrlhdvhbe
/system/bin/su	gzsiseqw.llrlhdvhbe

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4521	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4521	gzsiseqw.llrlhdvhbe
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]	4521	gzsiseqw.llrlhdvhbe

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	gzsiseqw.llrlhdvhbe

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	gzsiseqw.llrlhdvhbe

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
16	anmon.name
17	andmon.name
13	prog-money.com
14	prog-money.com
15	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	gzsiseqw.llrlhdvhbe

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	gzsiseqw.llrlhdvhbe

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	gzsiseqw.llrlhdvhbe

gzsiseqw.llrlhdvhbe
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4521

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/[email protected]

Filesize
2.7MB

MD5
5907bdc6596cfe0108c63176fefd23c4

SHA1
c4d71fe62de457f85bf8e084b0ed76090c92fca6

SHA256
398a1da4927ee13b67fda9f440b013bedd7169db36925ef057ae06ec1dd64094

SHA512
bbd04701e9652928ebf45468b027c211470c4cccc9333e644f42f27e97e4df2ebb4dd9301e35a7d4d744f570b9ad11951ba871f9812fcd6f85472c6f9dc42a44

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
128KB

MD5
f2ce9c95a8b8921a66ab95c76d10e742

SHA1
fd335c8a71b7402d10093d8014e2c92a667affdc

SHA256
8141d144aa9d7d88e19762424cfb404f33fa02a80c7421136b79849da77621c1

SHA512
aa9517ab1a5bc603260ee5506beebe83b754fe76baea323c3fb3f68c06cc50ebf8777f98e084089774bbe956e31a5d56d6984b02b812cd842dea920ca2f003f6

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
72d513fccc27aecc1e72c490150c0e59

SHA1
a866629d636c9d0ddae52623a99628e69e280ca1

SHA256
7f05c789dfc3592005118875bb9dd065e55c9a1f99c71a6e9b93583e098efb2c

SHA512
61e67742ffd7390930c87e46327b1462276a20c02daffe178507c1518be5ebedc8143ca6f9a04562f9ac1df508cb947f5fa90a00bb81661e12c5f597a3d96054

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
60KB

MD5
b2fc263e9bccdddd2c60eb1de7e7c232

SHA1
1b1dc1dcfd01b101a09d291aefd0b2c1af82e9e8

SHA256
72ab04778e734ba53f9758331bf32246eb8b0cd83f6a33df7178d0b97c89a601

SHA512
65bd24f8ff9c9d05900b37c449629b8ef24ad0c83db6e1516992e2e9420603e40fddeb030dffd20e85f97278b3afec08ceb3691f2021be4c63778d0606b7cbc6

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
a1294c306b52765d211fe7f742696bd2

SHA1
c7e93b6e375028b61a5aa47b6d9d9956cb1684d6

SHA256
76cc700fddf9c63d32b9d332372a3ae95509ae534dbab5b9e13d954267465bdc

SHA512
b9a584448713ba3c163067fe9384397a99c49347baffb7a9f796a814bbccb29043fd88e357f839f9bb4ca6ce219531d6726777f48765896034d62ae3b8289dc9

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
100KB

MD5
58b345a3d40ec37f2aab998ef0988084

SHA1
09ac6b1467bde53b56d4266527c86bfdb7f040ee

SHA256
a1f20f87828e49c52bf366cad6c0d9b7c122f398f2b3ee00fa6f7ca043e44854

SHA512
ab3979665c94876597a38cfb5bf2cfa2794e70f5a71c2023b2e59aac2dfeb2c7436e3c1355d9d1a3a63d0a245b68c8ccffa3ff3614533a2ea2ceea79e9bc1441

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB

Filesize
176KB

MD5
c21a99086e3cd2da8e82380d1f9375eb

SHA1
e61496713111450fe225de0074dd7bdfb188e33c

SHA256
2e45167879f664cebf257802cec773cf1fe7cb0fde8aa20cb9b7f420efb39bc2

SHA512
775293e4efe238f93f79cca1c2dc8b1c474105c309a35af763d7473e78780941c71b46110757eaf01efd24394712ad36a0bcbc6f21c4d9008bec776b7cdad95b

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
512B

MD5
c169c59ec6262cfef44a21835adaa136

SHA1
701ce665df70a02020504715c833f73bd14cfe7e

SHA256
2f7a000320698a8b5f8661f139f5e62e91aef74d3967f11d204d3f9e31d91092

SHA512
b4ee7459896b42c1bccc5abe346ca7cae6f56d080d167a78a3c3e5c0bacdb5aad0aa27a08088398a73641fc3b85484c537c9406aec809d5f7f6e2a954ea23cc3

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
1832dd6d216ca3632d004f1f1de20aa2

SHA1
8032af6b5788db6b65258c0ad321b24bb8cfcbc2

SHA256
68f892ddd2b910ede8a42f75dd62ade95538cb9b1f5ac7e8f342ba761c657b83

SHA512
5351f28728a50326ea79d1db726e8a7d34d145780afae4385ad5b24187492079efc5b7cb5c073ecedd605748d07b157db54980758727e35b94e5289e1424916e

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
4KB

MD5
f211bf4be946aebbed96e0c10b8fbe37

SHA1
d3f7fe6e060d19f574596a3adc2a2c15c32dd992

SHA256
18396db362579ae98bd4ddbab337902631dda6286ad77d50ed208288b09cfa54

SHA512
e45923edb7ca97bc5f977d9e094a891bd7c4fce69fd5f7b9cb2330ece4d4339a9302603bf76380a209050b09e17ebbe4406a12511507e11d3cdc9bd6db46c8d4

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
8KB

MD5
76d19180e9041d8ccfb0f8d90e2c92f9

SHA1
6a6749df8f728e6a90ebd3ea79b345f60a15f90d

SHA256
9dfc83cbc3c9acab5f33c9ff6efeca0b523c333c45cd1127bdce617439b44b7e

SHA512
c54ffed50bc79f59f31c94f59eb8791dea2175caabdec9bff5ec09d06ae3f558f546e6f614b62b99db20850ec911f53b17b234ddbc196b47bec2f40f8e54fcca

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
12KB

MD5
b017c8716a73aa9cbd392de98bfb3e37

SHA1
a3d85b4bb0c592297d80d9cb337150d1216ae145

SHA256
10dfc4083d00889927cb481aa8241b6b94c70b888e047d28017fe0927eff041b

SHA512
5e240bfc7b86e4f60640925f1d19949e05b36f4f9040d694bb236df0d8e942beb810133e70ef18c3037bc303bca9ce1437670cee84b793538166441cb4c5688d

Download Submit
/data/user/0/gzsiseqw.llrlhdvhbe/databases/SettingsDB-journal

Filesize
24KB

MD5
ad4cce88701a57bbb76ed32cdc4832d4

SHA1
b707213e0d2f2dfccabeff841cdee7fc47852ee8

SHA256
b4fd34c130d9e99ee4f53e6f415c80737211621bda4b57562743b1e607cf81f7

SHA512
f5116cffe4952a6a9c0c11c1e11869f4872fc6aeaa1a26b8d949e0f695fffa21b0f2f37048b10771babd8ac8f1a430933c4387a24b9e13aae7b365768dd39a7b

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
3b8f44aab76b03f9ce67c3cf47025583

SHA1
600f55c2e141b15934f0cec78188911ca30c50b5

SHA256
a9306e582190a99b965bacce7a58f74442c59a6ba2ef33c29ef5202afc6a99f4

SHA512
a908c09a2215ff5b6ef4abe9ddf82a7631a011bf6657b7767e5d41178b333314b9c124d70a5c91a7a8ea7cf83d38ad8608ce21d8ff2cc82cd7717340f9a57d61

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
134B

MD5
36ccf7a6c6a4ee3f8936d0bd803c70ef

SHA1
e70bbe1b8f74b732daae9e810a7e1b8a185d12a2

SHA256
6c919e79649c57730386a55a34087da7613a5218644a0abf2b6998c133adc049

SHA512
76ae9116619fc6aee3220a46570828efdddfe19f8f4e46dab35f22f6233b91cc6f228ce3473eb6a99c50cd46353de6ce4850e8a90bd4caa5d9abc3fd958a7529

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
d3a11ed7000bc55f699feb35318168f6

SHA1
8e62bc1cbacc81b3d71e78c0f2a2ecdc8058d733

SHA256
3ef4814fdc667a082fea0076ca02d52cd268c81afd2e408317922104b0c6c764

SHA512
dd0284855bc7b1f620b329a9ecd3f1cb16154d7c4f2fcae4aea612be26f978fd1f5597286941b75c7b4f5f5afef5c62255921630e1e8b3b5ad839884b0be12e0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
eb6df7706b4981e1957aa2e3f9d55be8

SHA1
87edab17587dc0b18d3efac46c74dc5057289dff

SHA256
b3bff47e42fb73467f2ed141dd3a9db3d129de3a4278becb81700f62bf7ca23b

SHA512
895f53303859e8b582e09c0628d7df207136d7f4287a893bd6ac0eff77efcf3b6040325ef6f4ad0b1ac97b8da2c48af640d231dd7be8c7f985cb6f6af59463c7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
3a001236b1a09013c4ee095be01e3784

SHA1
0925c3c33e5fe7c6d9dbbd72bef7e855cb3ba3e0

SHA256
39d8e8988b34e37d92cbf59a629c9aa0020d70ef6bfef6fa2b99b8f1a9730b10

SHA512
1baec0730975976838c8e8957cbfbaa90dd543dc1d5dcef79a260f909997c302b27f9fd78e97a6491c94878a4478ab036d0275236923293f0b2305ed63b92950

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
9b3e17caa3d33c5552be3d1c9c6f5e3e

SHA1
360fe70ef814be29e76edee52871d114f0d42d9b

SHA256
3c107551acead4cd74967712e3194164aa8077649feeb90ede8caffb1bf97700

SHA512
bed7df2a530306706149fa4d1680cf62daffed6372d738e88d2c82e0904444d1cf6cbd12e55b1e59c45b479c781b660e2605e77f33191a3bfa1a39210eb89c31

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
a0a6e720f12b12243238f091fbed82f6

SHA1
8b010a8c91c8c0df95b3b273c745edcebfb6acd2

SHA256
7883d72ddb9eb69f2dc82097ff82d51820357ee38102d65e767de83552c689f9

SHA512
c5df8d29afe56607a30c0127007a7b2b43257171a15e67d1f5a1afd954b2811607c0a0427fa2c54638b66139226d5d1cc56ae693cb7da7dcfee07e41236eb5d7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
195B

MD5
40d0e920c9e8cd736446edba8e092db4

SHA1
889a6828601cef64e792a31a7ab8456b5d0fe4b2

SHA256
2c9fe6d8b85df6a58404c72ecb683b5b8be4e69e23f056f0226c6d03bc11d4a2

SHA512
7c9280037f68a4eb9cf9cba8c44da63dcdae0cbe5e1227286bfe5ca2ec73ddae18b552fd1017d36ed749db5289d8d0423184011dd2ac9fcf193717947e649c06

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
38KB

MD5
6fa3d82def3cdb81fff5b37f85b3cfdc

SHA1
63d2486f5b8c7a81c0b3558a1e0ec63ad40af954

SHA256
7d0cc9c721690c2277f45463dfeb7f2477bde0c59ddde3ff1e37b49bb3e5bf88

SHA512
05d3330c3449338176385891fcee014caf848a8cf0b022967b72fd016ffa5a93b72b5fbde8502d48b3289c5f6fcbc23b8b7cf12a32845e6c5fdeb05f1577ee00

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
e380d9a4f5e0edd7fddd89bafecf7904

SHA1
2c6b26c7ed85f90504a346ab905b1de781710fcb

SHA256
6b43c030fb4076aab855cdf8dcb1c881441f3ca34b425af6c99dc8c7b17d42b0

SHA512
52bf49ad43daf59f1cff40e101d1b51ee09a81a690106f6097c1c84a2067fc84139e8c092a708abed2d369a533c2ad1ec4817631b6dab665b4d4b6004f10fecf

Download Submit
/storage/emulated/0/.am/log_1741920407672.txt.zip

Filesize
218B

MD5
393b10fd0ee4d55b98a5a28162672f99

SHA1
d0c0d1b7d4f703526167c60d81910e19985b4933

SHA256
e7a90e6032733c6bebab2828303a89b566435eb7d0e7f06e3cd86b0423cadf3f

SHA512
2c6559433831c3b9526e813f2c8169b5c69529a42645d347b3d7a5cc762f35e61cc06d32214cdbeff7756586c447f873d542a263812aad375de1f217da17867a

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
96B

MD5
9a7b2f3009638ea69bdc6a039140c59d

SHA1
7538e55dbfa9a4abff83e69ed179eedb9ffb8fa6

SHA256
e43c028722f303535f437e3e707dd68d2b1f312ea171dd10c5a72383d1e80227

SHA512
3e31af0f2de1d5c76b2cbc93cd0c2fa971f09c641b65c48e153c4ad8a096687706a44d3e8d18f412117699d102a3f642407dbf34146203bf2d496d9b44b0ff11

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
94B

MD5
9ce04389dadce7e24c45bd0f7f251293

SHA1
d4496348f5648eb78b755d0eb4dca409f40d95da

SHA256
efd3040779dd20bec6946d2c0ad66ffcf7ed7a95c1c7787c1321f43d4a39404b

SHA512
c280ab057e73993c0cbcf46b106c63110dfcf65e4f44365a56e233a4642dc3037ca693ce33a3cb50af6f31c0dfdb2b10f85ff756e50f71afe899c105f9c33c5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads