tanglebot | 82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea

Analysis

max time kernel
5s
max time network
28s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea.apk
Size

6.7MB
MD5

14b46f1edcf05bc4af5727e60b18a3c7
SHA1

5f0b671697616636d167503df11d491725dd7dff
SHA256

82756f8f6c01472bbf899fe06059fc11f847801f80539e73ba20ed04722f0bea
SHA512

9a65bce3d9e585f7c9bfa04ba7d0e095ae2918ad3a71af200b61fcbc82f96fa5794216613af9e9cb6c2b24326252b1eeaff419ada14046e4aa49ca82a32d75b7
SSDEEP

98304:x7d2ZrWkxy8rfyMbAmq22dSu1TCi/OdKOwqunN6vJY66cLqW1JVLCaQkoD46XI2L:mkD22dSCTx/e6na+wTNCacDH7

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/4330-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json	4330	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.hurry.couple/app_DynamicOptDex/oat/x86/PWQPYXj.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json	4304	com.hurry.couple

com.hurry.couple
1⤵
- Loads dropped Dex/Jar
PID:4304
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.hurry.couple/app_DynamicOptDex/oat/x86/PWQPYXj.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4330

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json

Filesize
1.8MB

MD5
3feb00408bfabecca689a993ca777097

SHA1
f84d7f183f79571214498d8a522bc4b24c98954b

SHA256
5b3442a2183469c25440fe75d04b5ae7b0b6cc7b9bd7beba540f60c458869601

SHA512
9a721b760154a08ed30c7374150ee3f27ba38161d2ff8d3d02ed45ce143560d97096d5c930627b40d884c7148a8259355b730162a048933dec2c0f23229b0d42

Download Submit
/data/data/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json

Filesize
1.8MB

MD5
afeb7b02a3f6fe70301a9b74fa5a7cfd

SHA1
8ac77e1cd0c95573ad5bef1c3a0b5ceb13a9c58a

SHA256
9eaa9d7d7dcd18755c42deb466aacf6160db1d802aa510028aa8cb1aed2cb5a5

SHA512
f0594a13d4b2daaac122f8ad6c3a3350d88043ddf5d992888a39c6c031872a5f61ee23341ed6be71b3b373219a16dd7d5ffde4e9b35d3bf6d738e4144010f56c

Download Submit
/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json

Filesize
4.4MB

MD5
f44c776a321d667e5fd88bb3d2fec909

SHA1
9d93f58a7de02a99402e31ae9e7783fdc692f097

SHA256
246cd9b0b122c604c32d0ab90c4e5c8b2b511e69517e9cee238d0d5d5d56167c

SHA512
201b87cad7afc0052e7c81d1b79db46b3b9929f6e85b3cb2591b8d5356a41a302aede72d2bd5805c395473a5f7941fe014e42162f0bf8f61f908d6bede569137

Download Submit
/data/user/0/com.hurry.couple/app_DynamicOptDex/PWQPYXj.json

Filesize
4.4MB

MD5
dae70994c5e4bebf0cbe276586cad230

SHA1
b294bdba96cda0cc4c65a2a7e6a10d24596d7c7a

SHA256
b98aae5fc5a57910a3a766c407260ed5e45c32973f4f166bbc64128bc2ebc4d3

SHA512
e944073fdf007d467556b45330347814d822fbc7f9510ca0be86933e27d4c48d9c8b2edb2830c6432713d0b1317546a6733f4338c33e1df1fedb0af625d74685

Download Submit