Analysis

  • max time kernel
    106s
  • max time network
    160s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    23/03/2025, 22:00 UTC

General

  • Target

    1e3999f77e043954cc7638fdb481f07caa777da32bf3d72a80dd67567b82dc41.apk

  • Size

    1.0MB

  • MD5

    0a1f2dabacba4fe6c79443615c600ae4

  • SHA1

    34e3df4bf369f02dfcad167ad0b49d0728eb1a5a

  • SHA256

    1e3999f77e043954cc7638fdb481f07caa777da32bf3d72a80dd67567b82dc41

  • SHA512

    314c606eebf89cd91721d59b2bfbc2782c256940e6023c461e9abf83b58fdf7e4d9669d23a9a700df358e1ba338fad66c1e5c9b0dce51d813de6bb951c15fda7

  • SSDEEP

    24576:ddLTUwqRxcvAX8XcRmEoJzKLh+1z5UsQk:PLT6n8XVJVsQ11UsQk

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

Processes

  • ewon.nxgx.evilo
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:5248
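
The runtime signatures above (accessibility service use, UI actions on the user's behalf, a receiver registered at runtime) are the behaviours a triager corroborates against the APK's decoded manifest before treating the dynamic result as conclusive. The following is an added example for this report, not sandbox or tool output: it parses an apktool-style decoded AndroidManifest.xml and lists which services could be enabled as accessibility services and which receivers are declared statically. The manifest it reads is constructed here; only the package name ewon.nxgx.evilo comes from the report, and the component names (.App, .AccService, .BootReceiver) are assumptions.

```python
"""Static check of a decoded AndroidManifest.xml for capabilities the sandbox
observed at runtime. Added example, not part of the report; the manifest below
is constructed around the report's package name and is not from the APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # ElementTree's Clark notation for android:* attributes

# Constructed manifest: package name from the report, everything else assumed.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ewon.nxgx.evilo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:name=".App">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def accessibility_services(manifest_xml):
    """Names of services the user could enable as an accessibility service.
    The framework only binds such a service when it is guarded by
    BIND_ACCESSIBILITY_SERVICE and filters the AccessibilityService action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if (perm == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                and "android.accessibilityservice.AccessibilityService" in actions):
            found.append(svc.get(A + "name"))
    return found


def declared_receivers(manifest_xml):
    """Receivers present in the manifest, keyed by name with their actions.
    A receiver seen live but absent here was registered with registerReceiver(),
    which is what the signature 'Registers a broadcast receiver at runtime' means."""
    root = ET.fromstring(manifest_xml)
    return {r.get(A + "name"): sorted(a.get(A + "name") for a in r.iter("action"))
            for r in root.iter("receiver")}


def triage(manifest_xml):
    """Summary a triager compares against the sandbox's process signatures."""
    root = ET.fromstring(manifest_xml)
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services(manifest_xml),
        "receivers": declared_receivers(manifest_xml),
        "permissions": sorted(p.get(A + "name") for p in root.iter("uses-permission")),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MANIFEST), indent=2))
```

Run it against the output of `apktool d` on the real APK by replacing MANIFEST with the decoded file's contents; an accessibility service in the manifest plus the sandbox's "Performs UI accessibility actions on behalf of the user" signature is the combination that distinguishes an overlay/automation banker from an app that merely declares the capability.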

Network

    Country: AU
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.46
    Country: AU
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.179.232
    Country: AU
    DNS
    cdn.tailwindcss.com
    Remote address:
    1.1.1.1:53
    Request
    cdn.tailwindcss.com
    IN A
    Response
    cdn.tailwindcss.com
    IN A
    104.22.20.144
    cdn.tailwindcss.com
    IN A
    172.67.41.16
    cdn.tailwindcss.com
    IN A
    104.22.21.144
    Country: AU
    DNS
    i.hizliresim.com
    Remote address:
    1.1.1.1:53
    Request
    i.hizliresim.com
    IN A
    Response
    i.hizliresim.com
    IN A
    104.21.82.74
    i.hizliresim.com
    IN A
    172.67.154.131
    Country: AU
    DNS
    gazete.firat.edu.tr
    Remote address:
    1.1.1.1:53
    Request
    gazete.firat.edu.tr
    IN A
    Response
    gazete.firat.edu.tr
    IN CNAME
    phpnew.firat.edu.tr
    phpnew.firat.edu.tr
    IN A
    193.255.124.32
    Country: AU
    DNS
    cdnjs.cloudflare.com
    Remote address:
    1.1.1.1:53
    Request
    cdnjs.cloudflare.com
    IN A
    Response
    cdnjs.cloudflare.com
    IN A
    104.17.24.14
    cdnjs.cloudflare.com
    IN A
    104.17.25.14
    Country: AU
    DNS
    foto.haberler.com
    Remote address:
    1.1.1.1:53
    Request
    foto.haberler.com
    IN A
    Response
    foto.haberler.com
    IN CNAME
    cwm4zs9flqcu.merlincdn.net
    cwm4zs9flqcu.merlincdn.net
    IN CNAME
    eu-gb-lon-dp.merlincdn.net
    eu-gb-lon-dp.merlincdn.net
    IN A
    195.181.165.140
    eu-gb-lon-dp.merlincdn.net
    IN A
    195.181.165.181
    Country: AU
    DNS
    encrypted-tbn0.gstatic.com
    Remote address:
    1.1.1.1:53
    Request
    encrypted-tbn0.gstatic.com
    IN A
    Response
    encrypted-tbn0.gstatic.com
    IN A
    216.58.204.78
    Country: AU
    DNS
    upload.wikimedia.org
    Remote address:
    1.1.1.1:53
    Request
    upload.wikimedia.org
    IN A
    Response
    upload.wikimedia.org
    IN A
    185.15.59.240
    Country: AU
    DNS
    media04.ligtv.com.tr
    Remote address:
    1.1.1.1:53
    Request
    media04.ligtv.com.tr
    IN A
    Response
    media04.ligtv.com.tr
    IN CNAME
    cf-media.ligtv.com.tr
    cf-media.ligtv.com.tr
    IN CNAME
    dmf6mn1yywp9h.cloudfront.net
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.35
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.100
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.9
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.61
    Country: AU
    DNS
    www.lequipe.fr
    Remote address:
    1.1.1.1:53
    Request
    www.lequipe.fr
    IN A
    Response
    www.lequipe.fr
    IN CNAME
    2-01-273c-004f.cdx.cedexis.net
    2-01-273c-004f.cdx.cedexis.net
    IN CNAME
    www.lequipe.fr.edgekey.net
    www.lequipe.fr.edgekey.net
    IN CNAME
    e7130.g.akamaiedge.net
    e7130.g.akamaiedge.net
    IN A
    2.17.77.44
    Country: AU
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
    Country: NL
    GET
    https://t.me/pempeppepepep
    Remote address:
    149.154.167.99:443
    Request
    GET /pempeppepepep HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Sun, 23 Mar 2025 22:00:41 GMT
    content-type: text/html; charset=utf-8
    content-length: 4445
    set-cookie: stel_ssid=849dd1cbc0528e5b7b_17963379945960896131; expires=Mon, 24 Mar 2025 22:00:41 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
    Country: AU
    DNS
    dadaznazju.top
    Remote address:
    1.1.1.1:53
    Request
    dadaznazju.top
    IN A
    Response
    dadaznazju.top
    IN A
    172.67.164.147
    dadaznazju.top
    IN A
    104.21.89.198
    Country: AU
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    Country: US
    GET
    https://dadaznazju.top/sk
    Remote address:
    172.67.164.147:443
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: bsCeFpJzd1lbxmqk8QcsHQ==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: dadaznazju.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Sun, 23 Mar 2025 22:00:42 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: ccHrcgzOwvne75Tkoe5lYDCgTM8=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zE5HM8%2FZR7Y60JSFzkgUvEyK%2BCx03n4K74P9dSzyFLEH1xy2RJtidha8Oq0tjIPCdL3AFu2dbUOyp7%2FV%2BlRALOXLJhDo2eXXlmAi7wNE7KiYSjVZdmTulHVzu5rq3w5cBw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 925133fe1b073302-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=23270&min_rtt=22742&rtt_var=6829&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3119&recv_bytes=854&delivery_rate=168216&cwnd=252&unsent_bytes=0&cid=d0eac07468891e9d&ts=166&x=0"
  • 142.250.200.46:443
    tls, https
    914 B
    40 B
    1
    1
  • 142.250.200.46:443
    tls, https
    914 B
    40 B
    1
    1
  • 142.250.200.46:443
    android.apis.google.com
    tls
    3.5kB
    7.9kB
    12
    19
  • 142.250.179.232:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    9
    9
  • 104.22.20.144:443
    cdn.tailwindcss.com
    tls
    3.4kB
    131.8kB
    46
    70
  • 104.21.82.74:443
    i.hizliresim.com
    tls
    2.1kB
    24.2kB
    21
    24
  • 104.17.24.14:443
    cdnjs.cloudflare.com
    tls
    4.2kB
    190.3kB
    58
    111
  • 193.255.124.32:443
    gazete.firat.edu.tr
    tls
    2.1kB
    26.3kB
    19
    21
  • 193.255.124.32:443
    gazete.firat.edu.tr
    tls
    1.1kB
    6.4kB
    9
    11
  • 216.58.204.78:443
    encrypted-tbn0.gstatic.com
    tls
    1.8kB
    5.9kB
    13
    15
  • 185.15.59.240:443
    upload.wikimedia.org
    tls
    3.7kB
    111.8kB
    52
    88
  • 18.165.227.35:443
    media04.ligtv.com.tr
    tls
    2.2kB
    31.9kB
    22
    26
  • 2.17.77.44:443
    www.lequipe.fr
    tls
    2.5kB
    33.2kB
    27
    33
  • 195.181.165.140:443
    foto.haberler.com
    tls
    2.5kB
    27.9kB
    28
    32
  • 149.154.167.99:443
    https://t.me/pempeppepepep
    tls, http2
    1.5kB
    12.0kB
    14
    16

    HTTP Request

    GET https://t.me/pempeppepepep

    HTTP Response

    200
  • 172.67.164.147:443
    https://dadaznazju.top/sk
    tls, http
    5.5kB
    8.4kB
    30
    33

    HTTP Request

    GET https://dadaznazju.top/sk

    HTTP Response

    101
  • 224.0.0.251:5353
    3.8kB
    12
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.46

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.179.232

  • 1.1.1.1:53
    cdn.tailwindcss.com
    dns
    65 B
    113 B
    1
    1

    DNS Request

    cdn.tailwindcss.com

    DNS Response

    104.22.20.144
    172.67.41.16
    104.22.21.144

  • 1.1.1.1:53
    i.hizliresim.com
    dns
    62 B
    94 B
    1
    1

    DNS Request

    i.hizliresim.com

    DNS Response

    104.21.82.74
    172.67.154.131

  • 1.1.1.1:53
    gazete.firat.edu.tr
    dns
    65 B
    102 B
    1
    1

    DNS Request

    gazete.firat.edu.tr

    DNS Response

    193.255.124.32

  • 1.1.1.1:53
    cdnjs.cloudflare.com
    dns
    66 B
    98 B
    1
    1

    DNS Request

    cdnjs.cloudflare.com

    DNS Response

    104.17.24.14
    104.17.25.14

  • 1.1.1.1:53
    foto.haberler.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    foto.haberler.com

    DNS Response

    195.181.165.140
    195.181.165.181

  • 1.1.1.1:53
    encrypted-tbn0.gstatic.com
    dns
    72 B
    88 B
    1
    1

    DNS Request

    encrypted-tbn0.gstatic.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    upload.wikimedia.org
    dns
    66 B
    82 B
    1
    1

    DNS Request

    upload.wikimedia.org

    DNS Response

    185.15.59.240

  • 1.1.1.1:53
    media04.ligtv.com.tr
    dns
    66 B
    195 B
    1
    1

    DNS Request

    media04.ligtv.com.tr

    DNS Response

    18.165.227.35
    18.165.227.100
    18.165.227.9
    18.165.227.61

  • 1.1.1.1:53
    www.lequipe.fr
    dns
    60 B
    190 B
    1
    1

    DNS Request

    www.lequipe.fr

    DNS Response

    2.17.77.44

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    dadaznazju.top
    dns
    60 B
    92 B
    1
    1

    DNS Request

    dadaznazju.top

    DNS Response

    172.67.164.147
    104.21.89.198

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    304 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    216.58.204.74
    172.217.169.10
    172.217.16.234
    142.250.200.42
    142.250.200.10
    142.250.179.234
    172.217.169.42
    142.250.187.234
    216.58.201.106
    142.250.178.10
    216.58.213.10
    172.217.169.74
    142.250.187.202
    142.250.180.10
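
Of the connections listed above, the one to verify and write detections against is the WebSocket upgrade to dadaznazju.top/sk, since the Telegram and ICQ URLs in the extracted config are only the dead-drop lookups and the remaining hosts are CDNs and news sites. The following is an added example for this report, not sandbox output: it recomputes the Sec-WebSocket-Accept value from the captured Sec-WebSocket-Key as RFC 6455 prescribes, confirms the 101 response really completed the upgrade, and then lists the request traits a hunting rule would key on. The request and response header blocks are transcribed from the report; SUSPICIOUS_TLDS and the indicator names are assumptions made for the example.

```python
"""Validate the captured WebSocket upgrade (RFC 6455) and flag C2-like traits.
Added example, not part of the report; the header blocks below are transcribed
from the report's Network section, the hunting heuristics are assumed."""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455 section 1.3

REQUEST = """GET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: bsCeFpJzd1lbxmqk8QcsHQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: dadaznazju.top
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0"""

RESPONSE = """HTTP/1.1 101 Switching Protocols
Date: Sun, 23 Mar 2025 22:00:42 GMT
Connection: upgrade
upgrade: websocket
sec-websocket-accept: ccHrcgzOwvne75Tkoe5lYDCgTM8=
cf-cache-status: DYNAMIC
Server: cloudflare"""


def parse_http(block):
    """Return (start line, {lowercased header name: value}) for a raw header block."""
    lines = block.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(key):
    """Sec-WebSocket-Accept a server must return for a given client key:
    base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_ok(request, response):
    """True only if the 101 response carries the accept value derived from the key,
    i.e. the server actually spoke WebSocket rather than echoing a canned reply."""
    _, req = parse_http(request)
    status, resp = parse_http(response)
    if not status.startswith("HTTP/1.1 101"):
        return False
    if req.get("upgrade", "").lower() != "websocket" or resp.get("upgrade", "").lower() != "websocket":
        return False
    return resp.get("sec-websocket-accept") == expected_accept(req.get("sec-websocket-key", ""))


SUSPICIOUS_TLDS = {"top", "xyz", "click"}   # assumed hunting list, not from the report


def c2_indicators(request):
    """Request traits worth alerting on; the indicator names are constructed."""
    req_line, req = parse_http(request)
    host = req.get("host", "")
    path = req_line.split()[1]
    found = []
    if req.get("upgrade", "").lower() == "websocket":
        found.append("websocket_upgrade")
    if req.get("user-agent", "").startswith("okhttp/"):
        found.append("okhttp_default_ua")   # stock OkHttp UA, i.e. no browser involved
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        found.append("suspicious_tld")
    if len(path.strip("/")) <= 3:
        found.append("short_path")          # "/sk": minimal, non-descriptive endpoint
    return found


if __name__ == "__main__":
    print("handshake valid:", handshake_ok(REQUEST, RESPONSE))
    print("indicators:", c2_indicators(REQUEST))
```

The accept check matters for triage because the host sits behind Cloudflare: a 101 whose accept value does not match the key would indicate a generic reverse-proxy response rather than a live WebSocket backend. Note that the same okhttp/4.10.0 User-Agent appears on the t.me request, so a UA-only rule would fire on the dead-drop lookup as well as on the C2 channel; combining it with the upgrade and the TLD is what narrows the match.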

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/ewon.nxgx.evilo/code_cache/secondary-dexes/tmp-base.apk.classes3750965014046218122.zip

    Filesize

    455KB

    MD5

    d5ac1612c8c7e31f612065e7577f1725

    SHA1

    62a5dac0628036c8ca6b96414ff78e537be0e992

    SHA256

    f4547817889eba08465d8dbdcc5180b758cf1cb4e6aa3ab7de3f266d6700130e

    SHA512

    11fcd500b7aef2f7f524a95f122cf4cc1fcd8dd89f5a66fda2514d6e66a4c16534d3225cdfc9131725daddbaa0ec5a642ac37ddd600f8a31e3d31cd4104fc9c6

  • /data/user/0/ewon.nxgx.evilo/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    d2143ed14a2c66480e0bef1a2801b2cf

    SHA1

    7ec8664e50e73603542c84f3c4bc1629f69226a7

    SHA256

    5c9035e83894a344f493faa5a46fbc9385539736522f648a81a0bd5e23d145e1

    SHA512

    6b41c780e81fcf5e0004c2348562d00d22e971f8e7df130f78feeebb3cfa533f74b2b8a0dd09dac08d4041023aaf08ef69a437a7c453c9862d9e91b5d613a46b
