tanglebot | c6036ac9e9c3ede37eb86938dc0a69e04a7b54a8585fc4859a7b25b28bc842c0

Analysis

max time kernel
5s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6036ac9e9c3ede37eb86938dc0a69e04a7b54a8585fc4859a7b25b28bc842c0.apk
Size

10.3MB
MD5

660a7c32b2f4552aea850efcdd89401e
SHA1

0917f84c43281ef77ef3e2e6bd08aeeb31ce30d7
SHA256

c6036ac9e9c3ede37eb86938dc0a69e04a7b54a8585fc4859a7b25b28bc842c0
SHA512

f94f24a6a45246e56436a24766e74369a5a966427e539bdcc5f7e6e55761b717883134f977bdacde44ea19a48e8eaec38587091318f632aef057510bb9556c69
SSDEEP

196608:GW+j/Mp0fgojgAccs2ZP2+OcYwzMUtklcPZ1hDRgpOiLPSNQgIsG/bX0C0LQz0r6:uwaz82hJY6MGhDqcCPSqga/LV0L7r6

Score

10^/10

tanglebot evasion infostealer spyware trojan

Malware Config

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral1/memory/4360-0.dex	family_tanglebot3

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.stay.save/app_unhappy/YBrKP.json	4360	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stay.save/app_unhappy/YBrKP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.stay.save/app_unhappy/oat/x86/YBrKP.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.stay.save/app_unhappy/YBrKP.json	4335	com.stay.save

com.stay.save
1⤵
- Loads dropped Dex/Jar
PID:4335
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stay.save/app_unhappy/YBrKP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.stay.save/app_unhappy/oat/x86/YBrKP.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4360

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.stay.save/app_unhappy/YBrKP.json

Filesize
1.8MB

MD5
f3b2d6d9378755eac83d58be019e8783

SHA1
1747d3faca90e524e731a04a55895c335bde0b41

SHA256
afc6f0c5a78334526b23c95b215bf49b301e9974ef3f2153b9ec5d078198793a

SHA512
4f4170c5cec39d24bafba3cc7dbae53e334acee1174027888f5bed6455190000c98da534fef018ff0884ad217374f495085385320d898fd05e670345f2bde7fc

Download Submit
/data/data/com.stay.save/app_unhappy/YBrKP.json

Filesize
1.8MB

MD5
4382abe93fc40d69a5b8b41d4f6af658

SHA1
8df7c7bc8178e7676e5a00e593a475fbeeb3db4f

SHA256
b341bacf2f855c63628ffd021ea204aa52ad27cc8ce58346c3d2c4b00c487803

SHA512
dfd8c31a88b5dddc939a8ee37a9231a1788f8cd519ff6bd4d2434f252c171f7afce9a32976a0ad1d28753d889d3d27363b213df4c292600a75b53a1eff2ec83c

Download Submit
/data/user/0/com.stay.save/app_unhappy/YBrKP.json

Filesize
4.4MB

MD5
94b92d1baec8b01f643d2e29ed5ea7f7

SHA1
7ae1043b2c24370dfbd2da76b69bec74dc4d4c13

SHA256
244b2c7746ddb073a0a6923d5622a7469df1b3fa8ea70ebc1cebbfb553b9d69b

SHA512
c31fffdd8f5e0f67840f37fe3196bb7b50a03d3d578332dd3dc6c932e6ad9771499fbed0644eb5f8931299736bb9d5e6cd3b4b52d1a9501415fbd5ff146d7edd

Download Submit
/data/user/0/com.stay.save/app_unhappy/YBrKP.json

Filesize
4.4MB

MD5
88dc4cc573cc9d0a4f8b398d6da2aaea

SHA1
a3bd8c8531d2c7444a798c2c7c5522447d10a470

SHA256
b071a132a9dfdb5f0e14f1220bf6f2cf603986c0aee6e1a2b62cea20d8ec8ba2

SHA512
00f10e73bdb171345ae88f2b9daacefd0fbdcb6975dae5caa7b23319f1ee7264370c15b661d9100785917f947fdda99a851a57618aa76ed2d7b2c871699526b2

Download Submit