copybara

General

Target

ba54a8e0aa8ccb6482166a5c1ba37792.apk
Size

10.8MB
Sample

250320-k1bwxasqt8
MD5

ba54a8e0aa8ccb6482166a5c1ba37792
SHA1

f629ae473749f74d91c16a40744e8c3e19a52d7d
SHA256

455deaffbfe78c4eb9bfb2289c47e80d093b00830a8d87b1f1dbf81f013371e5
SHA512

fdabb816d49cf7574a8a80f986c07cd1afaa12df2142042e396a0d378d6e6ca5f041d1d3614b42e9564ec56fe3c7ac65c48e026cede4ac3759a9c72c1e602d67
SSDEEP

196608:pFXJ9a/isaGmdMsjym0IIwItorSCWdDDo6pqIswY8p/cswRurFIQBsHKX:bJYaJ3dMsj9rIwICrSrXZrXwyFIUsHKX

Score

10^/10

Malware Config

Targets

- Target
  
  ba54a8e0aa8ccb6482166a5c1ba37792.apk
- Size
  
  10.8MB
- MD5
  
  ba54a8e0aa8ccb6482166a5c1ba37792
- SHA1
  
  f629ae473749f74d91c16a40744e8c3e19a52d7d
- SHA256
  
  455deaffbfe78c4eb9bfb2289c47e80d093b00830a8d87b1f1dbf81f013371e5
- SHA512
  
  fdabb816d49cf7574a8a80f986c07cd1afaa12df2142042e396a0d378d6e6ca5f041d1d3614b42e9564ec56fe3c7ac65c48e026cede4ac3759a9c72c1e602d67
- SSDEEP
  
  196608:pFXJ9a/isaGmdMsjym0IIwItorSCWdDDo6pqIswY8p/cswRurFIQBsHKX:bJYaJ3dMsj9rIwICrSrXZrXwyFIUsHKX
Score

1^/10
behavioral1 behavioral2
- Target
  
  rex.apk
- Size
  
  7.8MB
- MD5
  
  b49453d1752755dc737204a0c173887a
- SHA1
  
  b85cd7d05e1c2100a41c58eeb1dea21d1d20b772
- SHA256
  
  6ac911f1a086a19dae17ecab975b9bff45a9565603280fc9fdfa4c9ff7c491ae
- SHA512
  
  9fb127951838375ab206d91383cbe82d80355ba869cae7a68780665bc21b24b9b83d0a8295dac9acf66127e49f46006941bfaeb110ded977227b9a4454270f35
- SSDEEP
  
  196608:8cNnc/cvcDPpG1cscgA0TIrsE+5zFKKpEC6iOchpWy0G:1Nc0EDhGKFgA0krs7T9CLG
Score

10^/10

copybara banker collection credential_access defense_evasion discovery evasion infostealer persistence trojan impact
- Copybara
  Copybara is an Android banking trojan first seen in November 2021.
  banker trojan infostealer copybara
- Copybara family
  copybara
- Copybara payload
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Obtains sensitive information copied to the device clipboard
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  collection credential_access impact
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral3 behavioral4