tanglebot | 6df98f4c4b1a9c147a996854b9624d51828585fdabb6be0b56014d874d9f24d8

Analysis

max time kernel
6s
max time network
30s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df98f4c4b1a9c147a996854b9624d51828585fdabb6be0b56014d874d9f24d8.apk
Size

6.9MB
MD5

6f60dce97fd9ec8b39dae1e662fc2918
SHA1

3285afaff80673b937235e026492796cc6b36afe
SHA256

6df98f4c4b1a9c147a996854b9624d51828585fdabb6be0b56014d874d9f24d8
SHA512

de0be2b2792ec19f4c68e44435cba426b6a58844fbed9f4b7876f5ba0286359a7ca28dcb7310948346087226b7f267c5b6f21be4d7a8a52cee26ff7339c6780a
SSDEEP

98304:uDd2ZrWHFb3eMkRbAYMl6oUAuxDCWrauCY53h6bnl2C4mbgjFfyZGHsaGsiLQNNt:Q3AR/oUASWY53kaXiLqNkmrt

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/4360-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.person.bar/app_DynamicOptDex/etr.json	4360	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.person.bar/app_DynamicOptDex/etr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.person.bar/app_DynamicOptDex/oat/x86/etr.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.person.bar/app_DynamicOptDex/etr.json	4335	com.person.bar

com.person.bar
1⤵
- Loads dropped Dex/Jar
PID:4335
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.person.bar/app_DynamicOptDex/etr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.person.bar/app_DynamicOptDex/oat/x86/etr.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4360

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.person.bar/app_DynamicOptDex/etr.json

Filesize
1.8MB

MD5
0714d8e43f0895b0e272d7c5fd619917

SHA1
3617c51e66309e59a882c9d4741836e25c4c0ca4

SHA256
931a6b1a7441862f09292edd61f5f8c20c19d2187079680089852c919d467424

SHA512
4abc3b710e5d5c73e96c369344cb02943a440c1a8827c3620f338c3a4175e3682c55022722bcafd5b5e91fc0ada019d0705ca73ce711459002cfe3795f56b6b9

Download Submit
/data/data/com.person.bar/app_DynamicOptDex/etr.json

Filesize
1.8MB

MD5
65c94b8629a9875899398fae8df316cf

SHA1
74753ad794a58982907b8b667ff8581836f9a0f9

SHA256
d4b6e69b6a3185ad41f58fee3f9afd68c48c1c988bb85900c999aee55d80e0b0

SHA512
50105fb08693607ee0e894f8abb5c79c21de88676f80576f5410da1258ab92f241d703501dfc02c37f024e97497918f8a7327e26237fa53ec68f99974ef57436

Download Submit
/data/user/0/com.person.bar/app_DynamicOptDex/etr.json

Filesize
4.4MB

MD5
f44c776a321d667e5fd88bb3d2fec909

SHA1
9d93f58a7de02a99402e31ae9e7783fdc692f097

SHA256
246cd9b0b122c604c32d0ab90c4e5c8b2b511e69517e9cee238d0d5d5d56167c

SHA512
201b87cad7afc0052e7c81d1b79db46b3b9929f6e85b3cb2591b8d5356a41a302aede72d2bd5805c395473a5f7941fe014e42162f0bf8f61f908d6bede569137

Download Submit
/data/user/0/com.person.bar/app_DynamicOptDex/etr.json

Filesize
4.4MB

MD5
dae70994c5e4bebf0cbe276586cad230

SHA1
b294bdba96cda0cc4c65a2a7e6a10d24596d7c7a

SHA256
b98aae5fc5a57910a3a766c407260ed5e45c32973f4f166bbc64128bc2ebc4d3

SHA512
e944073fdf007d467556b45330347814d822fbc7f9510ca0be86933e27d4c48d9c8b2edb2830c6432713d0b1317546a6733f4338c33e1df1fedb0af625d74685

Download Submit