tanglebot | 7255f0daaab1f15601b9a7408d6c2616a5330e8c7a2b9aec328f789b4fdb8c3c

General

Target

7255f0daaab1f15601b9a7408d6c2616a5330e8c7a2b9aec328f789b4fdb8c3c.apk
Size

4.2MB
MD5

13c16929533cb710e3b531986973077d
SHA1

5d4ece344453fd5e09b9db6e471421ab37e0b784
SHA256

7255f0daaab1f15601b9a7408d6c2616a5330e8c7a2b9aec328f789b4fdb8c3c
SHA512

93a845b6d22704ee854ed8bb9088f0c654ff059044dcaae99ff41bf7eb9d410a662f2f4391d550da1dfbe7209b98ea1fd51f06e994f16b4a392037c0c4356269
SSDEEP

98304:u38ZqvYrO/TcvKPjae6gTHLak9K8Zo6tKdkTMaTj2bzsOg1II:e8ZqvogqQa/gT2kAwtK2TMMj2XsOgSI

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/5157-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/base.apk.classes1.zip	5157	vzilx.posjx.lzsj

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	vzilx.posjx.lzsj

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	vzilx.posjx.lzsj

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	vzilx.posjx.lzsj

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	vzilx.posjx.lzsj

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	vzilx.posjx.lzsj

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	vzilx.posjx.lzsj

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	vzilx.posjx.lzsj

vzilx.posjx.lzsj
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5157

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/vzilx.posjx.lzsj/code_cache/secondary-dexes/tmp-base.apk.classes5216231625578415614.zip

Filesize
455KB

MD5
b3b1db556f71fba4dccaa628ddd376de

SHA1
09a30d9e31055eb81e549951d2e25e95be5308a7

SHA256
40b02ba99ef1d1d3dd9255253a1b0a26b25df5852bc63fd8dfd7ac7f190ccccc

SHA512
92b722f37d3ad3f3ff48ad2142c17d5f8645920b155aced4b641ed33d5b99a69105d1a7552af131382e22f01db9dac47258e3c7d5777da962d06480baa34db40

Download Submit
/data/user/0/vzilx.posjx.lzsj/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
dcb9c27777d272b40d09e456bd1a360b

SHA1
8e697638bf96625fe30e68025de4a2274bcd7139

SHA256
80ac5a65eaf7c4bbe553afc99e5fa4ca212f763243b253dafc5d0e3c02441225

SHA512
d02e208e8398057ebeb3a43cf6772fe04f4d3e181a1a07e639550fbeeebd552a5220a1fb6e32a59102b444e14b4caaefacf1d348256673881d3baf07b49c9eeb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads