Overview

overview

10

Static

static

6

09018457e7...33.apk

android-13-x64

10

09018457e7...33.apk

android-9-x86

10

risezikixo.apk

android-13-x64

10

risezikixo.apk

android-9-x86

Analysis

  • max time kernel
    23s
  • max time network
    29s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    22/03/2025, 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    risezikixo.apk

  • Size

    7.6MB

  • MD5

    4a4754d54b066ec39f69a8c4d5f6684b

  • SHA1

    6f12b8f89943ad99c1a7fd872070b28a44783d6e

  • SHA256

    aba358b9c43696eb01fd4ad64db6d55b2e3bf192a05e8a2b658fc43e0d74c2e1

  • SHA512

    6d17d8ffc9c9a20a73739ae5c967ef4644c1e314f8952ee5234de38cae9495ea7f6d9caebc770ddbf3a86c6179fca69891606ef5cf7709ee89e41cea269ba7b8

  • SSDEEP

    98304:SlO3ZBo9NyKP90roRSIC2zf2xCjtP2pLfqH7k3Gqh3BQJgozGaLBP6xwPC5s4Quq:xmmDC1Lk3GqhxQ6Lt2yaLWZdsa+

Score
10/10
antidotbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencetrojan

Malware Config

Signatures

  • Antidot

    Antidot is an Android banking trojan first seen in May 2024.

    bankertrojaninfostealerantidot
  • Antidot family
    antidot
  • Antidot payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.gedehunu.api
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4517

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.gedehunu.api/app_ostrich/fybWolk.json
    Filesize

    992KB

    MD5

    b175f5ecb37b15cf85ce78ae2f76b53d

    SHA1

    ef53f0a4d879876caf0da52fc97bea85bfe7bf71

    SHA256

    f80c54852aa1737d71d84cb9233690f16000333c1fe19403289a326201d5f78f

    SHA512

    2d62d697054c416bfec677db2946032fa312f3bb9a1fc496bd04f78f923ce5f5e810dd8790421ddb4ad3c79a252a2cf724e6348a31ffb4e0c99242ab6c39181e

    Download Submit

  • /data/data/com.gedehunu.api/app_ostrich/fybWolk.json
    Filesize

    992KB

    MD5

    e972e00ce3aad63780641f50f09ec402

    SHA1

    b036e6b98827378ce90a98bc324fb81d3e5d966d

    SHA256

    dda233ae814e2cbe848a992acb59ce4e8bf2ae9e44885bbae51a67668ab73464

    SHA512

    f36a0a0f033129eebd38be89de5da3961f0a78549719039a0430ded8d86928e41cb9f5b9549a9020695e2c55c142e5bb062cadb1d1d5c07d6b26fcf82fed95f7

    Download Submit

  • /data/data/com.gedehunu.api/files/profileInstalled
    Filesize

    24B

    MD5

    09b8fc794c1ab51a3f50d16fc43c8d0d

    SHA1

    f26310ded319e6194ec52b1414e89405dd0d4891

    SHA256

    e256de28216e435f6bf6a5cca395cc435ed2a4202e5bca0641242af8a8bedffd

    SHA512

    446c0a4c3751e05dc61f3395dc6eb12489a81f5fd7443830da9602bc532d3d8f9784295696b32b38ea386663c77fcea6642c3aa2559f4b31bcd6ba6be93c1c2b

    Download Submit

  • /data/data/com.gedehunu.api/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    9cf35d02ea1db425280ec5337b377671

    SHA1

    ef8956cf0a0fdd4656f529b79860264375376388

    SHA256

    2567a1f4dccc7f3df17bfceaf126ca5e652cb0804f85dbfa65f8d9bbf44d2e81

    SHA512

    c28f636901e6f81e2c1799ff2c39069c65150f94d54b2cf2cbdae0ed075956c89565bd26801feccd3b03972ae1f20b9e5cab55f570899b1481b720207ff82910

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb
    Filesize

    104KB

    MD5

    08c91ce4f788e7fcbc6040b170384b26

    SHA1

    8e5c30c16e46f45454f3409119637b613cd6d921

    SHA256

    01d3f523cf1d3a1fd17441b7716b17680dbace04d4f74f00c5bb692c903330ad

    SHA512

    42d6d567acc5a306652719f4a177aa1a1532a37f94a54f17a6449998b9d3bc42150bcda2dd7d40ac6714d1acb45162bca0c3c9003aadebd9e8501438625fc23b

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    3cb34b31edeffc2e7ef82761511781f6

    SHA1

    d51ff1a42de9c4938f322bdad340623feab501dc

    SHA256

    6390d15970b50dcd40fd6992adfdd0332917b2e35841ed8f56e065852d5a8adc

    SHA512

    e705111c9a43abbb2fc097940ed4783bbdd0d3535f3175a58be9b06a28d1544f5b62ed66b13e1d2d475e31cb028f8f012e880b63b388b36a0f4586cf173d8001

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    02e3ff09410b6b5a1152c0fbbce2a23e

    SHA1

    f3bada67d8bf25c78fcf1718fcad6cb394ae6956

    SHA256

    857aa9b55fcb77858e7cd85421f6cbeb7481081981e88359d8b04007825bbee4

    SHA512

    5165b7ef0402ac5059884759372b9d650991148477c72057c6d7a6ff72e1f6682096ab93fe3fd51a26999a364b0bad261fa4b867829a67fbe842fb6538ece44d

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    697c929e4832f92e350816ac28d70450

    SHA1

    f8a4f52c173fc11c730a2fea9fd45111edcf2854

    SHA256

    4e4dafa275b3c35fc5c1cd5ae04eaa1c5f969d07a521289cb331cd0ac3777a00

    SHA512

    95bf8ce59e4f5011047883ee13e99543c79eb4ab08dddf14844b3dab84e5fb8980b9389c7626a7af16bdadb24329305383ddacaf78dc55a1b919c87f79ff544c

    Download Submit

  • /data/data/com.gedehunu.api/no_backup/androidx.work.workdb-wal
    Filesize

    430KB

    MD5

    f39e97400aa4f16e812bc8c1c696ae84

    SHA1

    ad270fc31bb901227499d8d23b8e6312b4146893

    SHA256

    74c42d78f74107de2b5c140d3fc9044f93da71b254ddb274d38fefa53f8b190c

    SHA512

    4759a47750e8751cea1a5c9ce8908b889365abcbb8cdb112f2a2af0def0a7afe4edba540d12a060e1d361c03b232d4c3b2bd7564397382f7065a2d40963af569

    Download Submit

  • /data/misc/profiles/cur/0/com.gedehunu.api/primary.prof
    Filesize

    1KB

    MD5

    d0018b046a48a0a27f975a882c7d26f0

    SHA1

    dc558300ea3cad78a8d573086a4afece99ba9b2f

    SHA256

    fb01f2377296118dd0386c7031d702a17f4a68ccd47dbeb52b1d0b8985caa14d

    SHA512

    189e0a0521d2631c50dcaecd638490d6dc1dd09048207ff3ee85be8114259b6006136d61dbdc40d6009edf10f5bb3f3c93b2f5c0e462e88535bd5ce2ebd252c2

    Download Submit

  • /data/user/0/com.gedehunu.api/app_ostrich/fybWolk.json
    Filesize

    2.3MB

    MD5

    90d90931ce1ba15f44ba378f586b265b

    SHA1

    b3e9b290c80e97ee8ca62c43ece88dff083d5ddd

    SHA256

    88b2778c087efc770f4b6167553dfe9ebe1dcfd63ecf0d6d7e6c501749e4d533

    SHA512

    514a988bd61ade77e206bade2aae61f6b7ff5404ec9788de749c22d8c6524155d0217b2a86187a3ecb74bc8b107b2a541726b62d4d78b13b99c448c374858fa0

    Download Submit