Analysis

  • max time kernel
    102s
  • max time network
    158s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    23/03/2025, 22:01 UTC

General

  • Target

    8d98fe4bd1c89baee1e11071a479aa939b2ef2c1fb680c61f44dbcc4abe4aeb1.apk

  • Size

    4.2MB

  • MD5

    925a0321513d7b315c83ef0c879af940

  • SHA1

    cac3aa34bf00fc08fc0435c8fa64aa2c2ae87c73

  • SHA256

    8d98fe4bd1c89baee1e11071a479aa939b2ef2c1fb680c61f44dbcc4abe4aeb1

  • SHA512

    e5a327036ac01a5f32542b3d7e3bc97e8396a5bb18f65da7585535c702fde006171e05ad4bf11bf6ec1b29ebc3b6a22927c2ecb53858af99550544e24c966394

  • SSDEEP

    98304:u38ZqvYrO/TcvKPjae6gTHLak9K8Zo6tKdkTMaTj2bzsOg1Ie:e8ZqvogqQa/gT2kAwtK2TMMj2XsOgSe

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

  • TangleBot

    TangleBot is Android SMS malware first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • vzilx.posjx.lzsj
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4412
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4441

Network

  • flag-au
    DNS
    cdn.tailwindcss.com
    Remote address:
    1.1.1.1:53
    Request
    cdn.tailwindcss.com
    IN A
    Response
    cdn.tailwindcss.com
    IN A
    172.67.41.16
    cdn.tailwindcss.com
    IN A
    104.22.20.144
    cdn.tailwindcss.com
    IN A
    104.22.21.144
  • flag-au
    DNS
    cdnjs.cloudflare.com
    Remote address:
    1.1.1.1:53
    Request
    cdnjs.cloudflare.com
    IN A
    Response
    cdnjs.cloudflare.com
    IN A
    104.17.24.14
    cdnjs.cloudflare.com
    IN A
    104.17.25.14
  • flag-au
    DNS
    gazete.firat.edu.tr
    Remote address:
    1.1.1.1:53
    Request
    gazete.firat.edu.tr
    IN A
    Response
    gazete.firat.edu.tr
    IN CNAME
    phpnew.firat.edu.tr
    phpnew.firat.edu.tr
    IN A
    193.255.124.32
  • flag-au
    DNS
    upload.wikimedia.org
    Remote address:
    1.1.1.1:53
    Request
    upload.wikimedia.org
    IN A
    Response
    upload.wikimedia.org
    IN A
    185.15.59.240
  • flag-au
    DNS
    encrypted-tbn0.gstatic.com
    Remote address:
    1.1.1.1:53
    Request
    encrypted-tbn0.gstatic.com
    IN A
    Response
    encrypted-tbn0.gstatic.com
    IN A
    172.217.169.46
  • flag-au
    DNS
    www.lequipe.fr
    Remote address:
    1.1.1.1:53
    Request
    www.lequipe.fr
    IN A
    Response
    www.lequipe.fr
    IN CNAME
    2-01-273c-004f.cdx.cedexis.net
    2-01-273c-004f.cdx.cedexis.net
    IN CNAME
    www.lequipe.fr.edgekey.net
    www.lequipe.fr.edgekey.net
    IN CNAME
    e7130.g.akamaiedge.net
    e7130.g.akamaiedge.net
    IN A
    23.49.173.221
  • flag-au
    DNS
    media04.ligtv.com.tr
    Remote address:
    1.1.1.1:53
    Request
    media04.ligtv.com.tr
    IN A
    Response
    media04.ligtv.com.tr
    IN CNAME
    cf-media.ligtv.com.tr
    cf-media.ligtv.com.tr
    IN CNAME
    dmf6mn1yywp9h.cloudfront.net
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.100
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.9
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.61
    dmf6mn1yywp9h.cloudfront.net
    IN A
    18.165.227.35
  • flag-au
    DNS
    foto.haberler.com
    Remote address:
    1.1.1.1:53
    Request
    foto.haberler.com
    IN A
    Response
    foto.haberler.com
    IN CNAME
    cwm4zs9flqcu.merlincdn.net
    cwm4zs9flqcu.merlincdn.net
    IN CNAME
    eu-gb-lon-dp.merlincdn.net
    eu-gb-lon-dp.merlincdn.net
    IN A
    195.181.165.181
    eu-gb-lon-dp.merlincdn.net
    IN A
    195.181.165.140
  • flag-au
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-au
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
  • flag-au
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
  • flag-nl
    GET
    https://t.me/pempeppepepep
    Remote address:
    149.154.167.99:443
    Request
    GET /pempeppepepep HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Sun, 23 Mar 2025 22:03:35 GMT
    content-type: text/html; charset=utf-8
    content-length: 4445
    set-cookie: stel_ssid=05b48a0e68f4ffb919_12969031239647025245; expires=Mon, 24 Mar 2025 22:03:35 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
  • flag-au
    DNS
    dadaznazju.top
    Remote address:
    1.1.1.1:53
    Request
    dadaznazju.top
    IN A
    Response
    dadaznazju.top
    IN A
    172.67.164.147
    dadaznazju.top
    IN A
    104.21.89.198
  • flag-us
    GET
    https://dadaznazju.top/sk
    Remote address:
    172.67.164.147:443
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: Mtulu2/kr1vQ0RfJJx7iYA==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: dadaznazju.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Sun, 23 Mar 2025 22:03:35 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: JqPS8oaMDXk2hTv95h4RDeRx0kw=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BGKmAo0oO6ZJ94muGCIuyLzN6NuvxRZN%2Bej4l5zMsWwGww9iPfDk6%2B7%2BwCyouvmcVSvHWHFq7zuk2rPk%2ForxZxX6gcdeIcDEwrb7lyjSPKuPcWR9lsoLpdDx%2Bseyb%2Fs1UQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 92513839cd6a7193-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=22496&min_rtt=22233&rtt_var=3857&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3306&recv_bytes=549&delivery_rate=174690&cwnd=253&unsent_bytes=0&cid=525bfe71ccd92b18&ts=118&x=0"
  • flag-au
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • 172.67.41.16:443
    cdn.tailwindcss.com
    tls
    4.6kB
    133.4kB
    72
    91
  • 104.17.24.14:443
    cdnjs.cloudflare.com
    tls
    4.3kB
    199.2kB
    60
    144
  • 185.15.59.240:443
    upload.wikimedia.org
    tls
    4.4kB
    157.2kB
    69
    120
  • 193.255.124.32:443
    gazete.firat.edu.tr
    tls
    1.8kB
    26.0kB
    20
    23
  • 172.217.169.46:443
    encrypted-tbn0.gstatic.com
    tls
    1.6kB
    5.6kB
    16
    16
  • 23.49.173.221:443
    www.lequipe.fr
    tls
    1.9kB
    32.7kB
    22
    33
  • 18.165.227.100:443
    media04.ligtv.com.tr
    tls
    1.7kB
    31.9kB
    17
    27
  • 195.181.165.181:443
    foto.haberler.com
    tls
    2.0kB
    28.8kB
    24
    31
  • 149.154.167.99:443
    https://t.me/pempeppepepep
    tls, http2
    1.1kB
    11.6kB
    12
    16

    HTTP Request

    GET https://t.me/pempeppepepep

    HTTP Response

    200
  • 172.67.164.147:443
    https://dadaznazju.top/sk
    tls, http
    5.6kB
    8.2kB
    32
    32

    HTTP Request

    GET https://dadaznazju.top/sk

    HTTP Response

    101
  • 172.217.16.238:443
    468 B
    9
  • 172.217.16.238:443
    52 B
    1
  • 216.58.212.238:443
    tls, https
    689 B
    40 B
    1
    1
  • 142.250.200.14:443
    android.apis.google.com
    tls
    3.5kB
    7.8kB
    14
    19
  • 172.217.16.234:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 172.217.169.74:443
    semanticlocation-pa.googleapis.com
    tls, https
    2.3kB
    40 B
    1
    1
  • 224.0.0.251:5353
    3.8kB
    12
  • 1.1.1.1:53
    cdn.tailwindcss.com
    dns
    65 B
    113 B
    1
    1

    DNS Request

    cdn.tailwindcss.com

    DNS Response

    172.67.41.16
    104.22.20.144
    104.22.21.144

  • 1.1.1.1:53
    cdnjs.cloudflare.com
    dns
    66 B
    98 B
    1
    1

    DNS Request

    cdnjs.cloudflare.com

    DNS Response

    104.17.24.14
    104.17.25.14

  • 1.1.1.1:53
    gazete.firat.edu.tr
    dns
    65 B
    102 B
    1
    1

    DNS Request

    gazete.firat.edu.tr

    DNS Response

    193.255.124.32

  • 1.1.1.1:53
    upload.wikimedia.org
    dns
    66 B
    82 B
    1
    1

    DNS Request

    upload.wikimedia.org

    DNS Response

    185.15.59.240

  • 1.1.1.1:53
    encrypted-tbn0.gstatic.com
    dns
    72 B
    88 B
    1
    1

    DNS Request

    encrypted-tbn0.gstatic.com

    DNS Response

    172.217.169.46

  • 1.1.1.1:53
    www.lequipe.fr
    dns
    60 B
    190 B
    1
    1

    DNS Request

    www.lequipe.fr

    DNS Response

    23.49.173.221

  • 1.1.1.1:53
    media04.ligtv.com.tr
    dns
    66 B
    195 B
    1
    1

    DNS Request

    media04.ligtv.com.tr

    DNS Response

    18.165.227.100
    18.165.227.9
    18.165.227.61
    18.165.227.35

  • 1.1.1.1:53
    foto.haberler.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    foto.haberler.com

    DNS Response

    195.181.165.181
    195.181.165.140

  • 1.1.1.1:53
    t.me
    dns
    100 B
    66 B
    2
    1

    DNS Request

    t.me

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    304 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.179.234
    142.250.187.202
    142.250.200.42
    142.250.180.10
    172.217.169.42
    216.58.201.106
    142.250.200.10
    172.217.169.10
    216.58.212.234
    142.250.178.10
    172.217.169.74
    172.217.16.234
    216.58.204.74
    142.250.187.234

  • 1.1.1.1:53
    dadaznazju.top
    dns
    60 B
    92 B
    1
    1

    DNS Request

    dadaznazju.top

    DNS Response

    172.67.164.147
    104.21.89.198

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/vzilx.posjx.lzsj/code_cache/secondary-dexes/tmp-base.apk.classes5679472531934230431.zip

    Filesize

    455KB

    MD5

    b3b1db556f71fba4dccaa628ddd376de

    SHA1

    09a30d9e31055eb81e549951d2e25e95be5308a7

    SHA256

    40b02ba99ef1d1d3dd9255253a1b0a26b25df5852bc63fd8dfd7ac7f190ccccc

    SHA512

    92b722f37d3ad3f3ff48ad2142c17d5f8645920b155aced4b641ed33d5b99a69105d1a7552af131382e22f01db9dac47258e3c7d5777da962d06480baa34db40

  • /data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    951KB

    MD5

    2fadb1953bdbf54cc1de4b895e2c4594

    SHA1

    7744f1353bce6ea34a9f0ecf350cda8bb9dff7d7

    SHA256

    50da22cb469c098b77c4edc6be23fd910dac747d7a0aae4ddc1d7f44abe247e8

    SHA512

    986fef4a5bfc4e3e93f8ab40ece8a5c5dc8e6946e0552b8064b9a13ac6b97a436ee0bbd1e1503c4a9b588262a7f3ed171fad2cdbd1d79746aad3796219f49156

  • /data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    951KB

    MD5

    dcb9c27777d272b40d09e456bd1a360b

    SHA1

    8e697638bf96625fe30e68025de4a2274bcd7139

    SHA256

    80ac5a65eaf7c4bbe553afc99e5fa4ca212f763243b253dafc5d0e3c02441225

    SHA512

    d02e208e8398057ebeb3a43cf6772fe04f4d3e181a1a07e639550fbeeebd552a5220a1fb6e32a59102b444e14b4caaefacf1d348256673881d3baf07b49c9eeb
