antidot | f5fdc1672088ee29affc4817986e722765c4f03af4dcde8fc603b25544bae62d

Resubmissions

24/03/2025, 20:33

250324-zbyfyaypv8 10

21/03/2025, 22:49

250321-2rnmsasvgx 10

Analysis

max time kernel
29s
max time network
32s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wibemuse.apk
Size

10.4MB
MD5

8e03e90022214eda8f01ce735d8fe972
SHA1

0a5fb8dba68751a01aaa113f92b2db9225dd24a2
SHA256

5acb5ebdd0e4c8fbafb44a88e66e741f1c94a72e3f07f5adc454687010634848
SHA512

40f1415f69ef72ba6ec53745c2192cea7a82e4d1c028cdf0b636af163a0246a3d201d67ddb60f8552733239ebac82673bac179de179cc78656b9d9cef1e2fde8
SSDEEP

196608:mB12mtwTYrqOBcjvLDxLB5WLDDKfYErSssdkpxHaNhJ/Ds:mBxmOBcjvLDxL2DKFrSuVaNbs

Score

10^/10

antidot banker discovery evasion execution infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral4/memory/4363-0.dex	family_antidot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json	4363	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.belasaba.guard/app_sense/oat/x86/LyBDIN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json	4336	com.belasaba.guard

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.belasaba.guard

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.belasaba.guard

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.belasaba.guard

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.belasaba.guard

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.belasaba.guard

com.belasaba.guard
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4336
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.belasaba.guard/app_sense/oat/x86/LyBDIN.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4363

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
945KB

MD5
211771a5071821646415d372d9df992b

SHA1
88cc9303bfc9f1c4684d9052a82f6887a9e32d31

SHA256
05b15fb490d264ffb6708d3ca6c95b5eddf1a5cdbbf58c8320dddf549db49cd0

SHA512
9b1b89dc1dfc810b4e3d05d384971c614c4ff0e020cb7d5a85da46efc88655d8592bdb18cc8bd5a91073fd456969c63ec55c5f7d1528737bec000eb67fbd7dd5

Download Submit
/data/data/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
945KB

MD5
6083abc4cd5e5452335f2d97cbdca967

SHA1
1995692c5fe9a01fdb4c9dfef8b4cd4fe8276a90

SHA256
394bfc698a39070118f178e3c11e24d78c0f4ec3e6a3e02f32929402933482c5

SHA512
f067518fa5d5d4ff8a9e253e32e16664d52ba09e4aeeaac5410fc09d5ccd4e2443ce35112e72fd49e900171b43c9d90b8cc696223f76ea6858be4fd547bfc1dc

Download Submit
/data/data/com.belasaba.guard/files/profileInstalled

Filesize
24B

MD5
1ae467b6321541eddc84de880c5e417b

SHA1
0fe3c44322c6db4fe337d4385f7a79675240c524

SHA256
9b4bf8a184bfb22f35c67e7bb4749697660d18ddff31ca671a891be1dd1b1efb

SHA512
0a7d6d3eac6ee05f36ff7c1f14373174490b6677157ad8cdfd760e48401ab61ac9df0235499a3cad2a88f8507ae23854189a4e66da4a1708e844a87be6f0ffd4

Download Submit
/data/data/com.belasaba.guard/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
0ee9b5930b2b5db746f8a8cf15640936

SHA1
313627fab0b26b3aed2c1ebd67151271cd318b50

SHA256
b6258c5097571ede496533e656e58955cb0c2907ed5bb48fce0fc6bb98146379

SHA512
a788578269a620caba96ff4ddbcae5e61b9bbe5783e642621846ea73ffd37107935245d708c954cdd3bc88740d599a0475f229af87747e95d0d97e29bf0b3721

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb

Filesize
104KB

MD5
925c87d1b7ffaff575e255a092962d0f

SHA1
30053aabf296bd3c4abdca464204362d4d374968

SHA256
344eaec86f995a0c45c1d73c82878e74234b53b054657963261b8de0fcf74d54

SHA512
24b6e78c5a1708576c0e97305ea6abc6dcf7b02abd53639e18c7ebababfc350c3ca91c9963b87de464006fe9ba9e3370419397a6435a1bc2883addc16de121ef

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
1e4172fb313865bfb5d501b4638c4417

SHA1
0e92415f6a3fc560bb002896c1a35efe245bb9ec

SHA256
bcdd6c5d145856cfb47c2e14db39ca68d5bffa5a85c125c7804f6dabae4f71fb

SHA512
ffa7885e1b4001433350033eaf6bcf04ce59b4bba35573d3c54253eebedf78ed0b2803c7c61b987c45dacc8078f002348573d6502f00201b55eaa9f6f1bf7beb

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
6a8940cf0219ef48388bc207a98a539a

SHA1
5786ee877ef863a5686578c577a36fb5161f64bc

SHA256
0ab89141ae6f42c0f0b0768b25d01130a3b2221bf18b48e3e32255b238689746

SHA512
195138bf8f3e6b1b655567a3fd109cca40d63f59414d8d29aca30f68fb8c12894bc5296206bb2287b2ae2c35b51ce96e901768275a5175cd6b15120516a7611a

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
cf3049dd98be622413e4f93990dfbea5

SHA1
f9c68fee94770483a54883f76772415ec41c2101

SHA256
2df2bc567f7beb4ebfd7eaf5b580df07c7ac587678b2007c903a9143c243fb79

SHA512
f33eb3f933054859e1de49ed73b6ed76ee36f06bc7b8165ee37fcd220955f9a7d50955cd1f259c155a409e750f0649c17ad0159180e4100bd6184593ce67e6f8

Download Submit
/data/data/com.belasaba.guard/no_backup/androidx.work.workdb-wal

Filesize
422KB

MD5
0ad017582d0482e475c1f4b9849c5f82

SHA1
cf29003717ad0a2e305984e9c5c9a8e0708093da

SHA256
37ea3796d9c861bc6a10dff963f728c459c5ebedeb3e96c3fab2db99d13f6185

SHA512
23e077aae77e8638f6a3c2d48dc84689f1f7269de3963d9b28a595bc4485b9d3177626d5caea602e12a959d6f079110c63fe3e557d296806388ea4d465529c0c

Download Submit
/data/misc/profiles/cur/0/com.belasaba.guard/primary.prof

Filesize
1KB

MD5
55020e8f639d39ea05fd432ff0e490ec

SHA1
e363b94d622814c2ad9296ef518cf73b9aa0d526

SHA256
34d8f04da6b2a8e397efe6ea01f1f466b716c1c6f14770a86f0493d96226ee5b

SHA512
109ba08189331c1cc172eca777b17b7b51465abb4b5c2bda371b4de11261e8be64321066c459b866c1437d637bd06596f2e860051daecc316995810173f9e593

Download Submit
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
2.0MB

MD5
3b389af11ab7f5bb56fe0470cfd742ff

SHA1
ee3c2138579471d74ec4c13268a64bd04cc8c6a0

SHA256
d288d74c63ff1543b40bd024d4d56ef7a42c39ca608c2e5866133c542cbb8580

SHA512
1c9805523154fc852fbe59ef78dae53b3b18fe362f775210d2c62eb2de00e2820b55dcb130cb97c512f2f4a2ada374f5f19b191a2741c853eabb5be4fb5b53c8

Download Submit
/data/user/0/com.belasaba.guard/app_sense/LyBDIN.json

Filesize
2.0MB

MD5
14729c3618a03cf849b664361086962b

SHA1
5d2065692e55e6340826b4670e93743fe4ebf49f

SHA256
bdaa4680b58d117f7cb4e4ed89a61119e0cacd5c6bd375af912d2bac4c83fc14

SHA512
0cb89089293565ce3b89476395be51cfc4103f69aa76671e7f3af4e1abc705d437dd4dfcd81d60c94b3ed4ddfe8c3296dfe7a6972267934a7a1109b9d81f4afb

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads