tanglebot | 9ddccad77e4a2349dd1fcc787e35fd3ea523984dc7b1ddbe4ffb7420d7f1dad7

Analysis

max time kernel
5s
max time network
25s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ddccad77e4a2349dd1fcc787e35fd3ea523984dc7b1ddbe4ffb7420d7f1dad7.apk
Size

10.3MB
MD5

6d45d090374e57e0f6705471a6eb336e
SHA1

fc14293dad5f531219edba843c73694f8bd22518
SHA256

9ddccad77e4a2349dd1fcc787e35fd3ea523984dc7b1ddbe4ffb7420d7f1dad7
SHA512

22ed8603c4c5c789e3be662c6aca49b835eec633ec83d23b6a37b8fa1b64e7df85cbb857946f6dfd0e34a0d4d82e17cf2cc66de5dcbb241f988349df660c77f6
SSDEEP

196608:TiGHgbudJvjeM+U+aUt72Lfx/TMh3hGy/Hs05cl3:TfNqMrOCx/ohxGyvL5cl3

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/4360-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sock.coyote/app_indicate/dMG.json	4360	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sock.coyote/app_indicate/dMG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sock.coyote/app_indicate/oat/x86/dMG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sock.coyote/app_indicate/dMG.json	4335	com.sock.coyote

com.sock.coyote
1⤵
- Loads dropped Dex/Jar
PID:4335
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sock.coyote/app_indicate/dMG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sock.coyote/app_indicate/oat/x86/dMG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4360

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sock.coyote/app_indicate/dMG.json

Filesize
1.8MB

MD5
da5eeaae8d1219134676f8036c7a02ee

SHA1
089ac3fe8492148cc52a4fdc0710529b783e36e9

SHA256
484ac60a640d47c92bdc92346488e2b4c1a095187cac679b15d38fca239ba139

SHA512
bba42e76ed91975474c979fb24e84587b17f9f98db069bd39043283d5f1aef2ad874c914958169cc57d46d80965aff8e0b84984dd8602b27acb5f3fc48648204

Download Submit
/data/data/com.sock.coyote/app_indicate/dMG.json

Filesize
1.8MB

MD5
25ad7bd96b7dbf087f19ac67ec31d71e

SHA1
c4a5cf93808ad54188801d8b298a8610b6543137

SHA256
a98c4268927b4d1a96bdc82c8c8d41dae40335fa4141023fc0b9c86c83fe7c74

SHA512
fc9e2693dc02269fa4336b0e98ba5eb95926ef838dc7d3182ec4739d75857ca094e78bfaadfaad6c7066b3381561cab50302592d9b586780a102719625713281

Download Submit
/data/user/0/com.sock.coyote/app_indicate/dMG.json

Filesize
4.4MB

MD5
6a1a070c8725bec82ddbaac918216481

SHA1
abad0310b1b321adabe99f159d3f93d7081da445

SHA256
94343f703a7089bd06da5da94704feaf1652c12d64ab7266d3144f5d67e125d5

SHA512
17249b73a23fac9219956dfe22587f4e02ce36260bdd6dbd1dfd69ae068746d909d699238295eff03341c7e804ed5efe1e31a98b6544b096ca90a4c2ee6a2d33

Download Submit
/data/user/0/com.sock.coyote/app_indicate/dMG.json

Filesize
4.4MB

MD5
e67e52868f446723a0dd9dc5b68c7687

SHA1
37253b2b0cc74c3f3dfbcfbed4175fd75eaa5c57

SHA256
1bd7912f4a8991fa302d0730057b31b272edad1a59b0c7ff13bf7f6dff65b75e

SHA512
9ad0b2f4ee2272b9030ed1481208a831b40e3fd11a1f0a03c63d85ed1e144cd8229105cf333342c2d39b993934f03b0fce08de412f9fe2fc5f91a8b33338ac6d

Download Submit