Overview

overview

10

Static

static

6

f5fdc16720...2d.apk

android-9-x86

10

f5fdc16720...2d.apk

android-10-x64

10

f5fdc16720...2d.apk

android-11-x64

10

wibemuse.apk

android-9-x86

10

wibemuse.apk

android-10-x64

10

wibemuse.apk

android-11-x64

10

Resubmissions

24/03/2025, 20:33

250324-zbyfyaypv8 10

21/03/2025, 22:49

250321-2rnmsasvgx 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d.bin

  • Size

    9.6MB

  • Sample

    250321-2rnmsasvgx

  • MD5

    e6c96197eb41de926fe43d6721f01aaf

  • SHA1

    15fd15f9803134efe6b7c28c86a00a4f0390c973

  • SHA256

    f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d

  • SHA512

    e36c4a07161d77d98d6e1fb7f30cb42667e9fb997adfdd1e36fd5ac41ef58428c87b0dcc507988614e29a7b9ba93f4f1e42715ac6802916729af51941020e5e2

  • SSDEEP

    196608:B3TfkmoN3qOqH51QWqzQbgk4sAw7kCwDkbe9H/yzL3itOrY0obFF6a1SEfAL:BDfkmoxqUXzS4W7krDkbe9H/yzrrY0oO

Score
10/10
antidotandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Targets

    • Target

      f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d.bin

    • Size

      9.6MB

    • MD5

      e6c96197eb41de926fe43d6721f01aaf

    • SHA1

      15fd15f9803134efe6b7c28c86a00a4f0390c973

    • SHA256

      f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d

    • SHA512

      e36c4a07161d77d98d6e1fb7f30cb42667e9fb997adfdd1e36fd5ac41ef58428c87b0dcc507988614e29a7b9ba93f4f1e42715ac6802916729af51941020e5e2

    • SSDEEP

      196608:B3TfkmoN3qOqH51QWqzQbgk4sAw7kCwDkbe9H/yzL3itOrY0obFF6a1SEfAL:BDfkmoxqUXzS4W7krDkbe9H/yzrrY0oO

    Score
    10/10
    antidotbankerdiscoveryevasionexecutioninfostealerpersistencetrojancollectioncredential_accessdefense_evasionimpact

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Checks the application is allowed to request package installs through the package installer

      Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

      defense_evasion

    • Queries the mobile country code (MCC)

      discovery

    • Requests allowing to install additional applications from unknown sources.

      defense_evasion
    behavioral1behavioral2behavioral3

    • Target

      wibemuse

    • Size

      10.4MB

    • MD5

      8e03e90022214eda8f01ce735d8fe972

    • SHA1

      0a5fb8dba68751a01aaa113f92b2db9225dd24a2

    • SHA256

      5acb5ebdd0e4c8fbafb44a88e66e741f1c94a72e3f07f5adc454687010634848

    • SHA512

      40f1415f69ef72ba6ec53745c2192cea7a82e4d1c028cdf0b636af163a0246a3d201d67ddb60f8552733239ebac82673bac179de179cc78656b9d9cef1e2fde8

    • SSDEEP

      196608:mB12mtwTYrqOBcjvLDxLB5WLDDKfYErSssdkpxHaNhJ/Ds:mBxmOBcjvLDxL2DKFrSuVaNbs

    Score
    10/10
    antidotbankerdiscoveryevasionexecutioninfostealerpersistencetrojancollectioncredential_accessdefense_evasionimpact

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries the mobile country code (MCC)

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion

    • Requests modifying system settings.

      defense_evasion
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Subvert Trust Controls

2
T1632

Code Signing Policy Modification

2
T1632.001

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks