Overview

overview

10

Static

static

6

3a67cd052d...39.apk

android-9-x86

10

3a67cd052d...39.apk

android-10-x64

10

3a67cd052d...39.apk

android-11-x64

10

wilacayuzeti.apk

android-9-x86

wilacayuzeti.apk

android-10-x64

10

wilacayuzeti.apk

android-11-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3a67cd052d4489d80b891515fb628bb1055d1d36f1098f2e1f8d531f37495239

  • Size

    8.1MB

  • Sample

    250322-ajhm1stwcy

  • MD5

    f33f2bb4a55e8e4d1d0d06b4c1d0a9b9

  • SHA1

    237c8a41e0a5b60ac538e5aa14db0d842348f963

  • SHA256

    3a67cd052d4489d80b891515fb628bb1055d1d36f1098f2e1f8d531f37495239

  • SHA512

    88a5ff8cf47289277e423951d85fe50a03afa33e299c5b33f6a71ba67e7905c6c57541624a344af2db41edfdfe3351d024905a60ea6642233ff722d310241325

  • SSDEEP

    196608:cKw334mHj8u4o1S3oR1h7fSbjTucAW7pHbYw1AaUttl+QUbLs:k34ijwo1NR1VfCxh7b1Ajtlrf

Score
10/10
antidotandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Targets

    • Target

      3a67cd052d4489d80b891515fb628bb1055d1d36f1098f2e1f8d531f37495239

    • Size

      8.1MB

    • MD5

      f33f2bb4a55e8e4d1d0d06b4c1d0a9b9

    • SHA1

      237c8a41e0a5b60ac538e5aa14db0d842348f963

    • SHA256

      3a67cd052d4489d80b891515fb628bb1055d1d36f1098f2e1f8d531f37495239

    • SHA512

      88a5ff8cf47289277e423951d85fe50a03afa33e299c5b33f6a71ba67e7905c6c57541624a344af2db41edfdfe3351d024905a60ea6642233ff722d310241325

    • SSDEEP

      196608:cKw334mHj8u4o1S3oR1h7fSbjTucAW7pHbYw1AaUttl+QUbLs:k34ijwo1NR1VfCxh7b1Ajtlrf

    Score
    10/10
    antidotbankerdiscoveryevasionexecutioninfostealerpersistencetrojancollectioncredential_accessdefense_evasionimpact

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Checks the application is allowed to request package installs through the package installer

      Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

      defense_evasion

    • Queries the mobile country code (MCC)

      discovery
    behavioral1behavioral2behavioral3

    • Target

      wilacayuzeti

    • Size

      7.6MB

    • MD5

      42bdb83e42a9fada855b991c7cbb1c86

    • SHA1

      d363089380fb259c3fc071ad04cbd2662ffd53a2

    • SHA256

      f5de4bc0a114ad6e47beb3ed90df7071326d87976b9bab6670ecaab6222e6850

    • SHA512

      c1d01c7a393ca2b936da476bad5abe3faea517a4683fa48275e4c70d28814050a00c379c944576651b830028f99c17cf40fc640b0103492ba81c1b1d68ad8cb2

    • SSDEEP

      98304:qo/KrTKdFp/WvLPzQlNmxbi3K2ea76TIyIIiB2ieSyeTgnrSsnrBQaOVTXMyebi8:/dFp/KLPzZBUgIydYErSsrixdwiaLt

    Score
    10/10
    antidotbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

    • Antidot

      Antidot is an Android banking trojan first seen in May 2024.

      bankertrojaninfostealerantidot

    • Antidot family

      antidot

    • Antidot payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

      evasion

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

      defense_evasion

    • Requests modifying system settings.

      defense_evasion
    behavioral4behavioral5behavioral6

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Subvert Trust Controls

1
T1632

Code Signing Policy Modification

1
T1632.001

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Tasks