tanglebot | af93d22ba400051acbcd0ca569d310f75cb7885fefa85cb4e9e5fabfdc951028

General

Target

af93d22ba400051acbcd0ca569d310f75cb7885fefa85cb4e9e5fabfdc951028.apk
Size

4.8MB
MD5

dc5fe3621b9d0f1bfee759d3ee776c2e
SHA1

8295d2bdba7f7ff722dcf6570474eac60905b93b
SHA256

af93d22ba400051acbcd0ca569d310f75cb7885fefa85cb4e9e5fabfdc951028
SHA512

0c510b2702de550994fb8c8e6c7ceffb6a7abf10c063b59586ce3ed9712766d99a06d00ffc3e1075f8ef76e7f83513677792208fc5a8b2fe7655c2d5fde1b541
SSDEEP

98304:NGW5N5cOMtxhRf/hdw6JcVadNPH2HjPY13Ab5khsyBL5O:jj5cOMPhRfpdwMawIPY9AbEsMO

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+LFAFYjStX6wzZmFk

https://t.me/+s8bf3BX_dUYxMzU0

https://t.me/+sklwiGKlByJhZGM0

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/5074-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/bzvix.mnziz.minimiz/code_cache/secondary-dexes/base.apk.classes1.zip	5074	bzvix.mnziz.minimiz

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	bzvix.mnziz.minimiz

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	bzvix.mnziz.minimiz

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	bzvix.mnziz.minimiz

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	bzvix.mnziz.minimiz

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	bzvix.mnziz.minimiz

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	bzvix.mnziz.minimiz

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	bzvix.mnziz.minimiz

bzvix.mnziz.minimiz
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5074

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/bzvix.mnziz.minimiz/code_cache/secondary-dexes/tmp-base.apk.classes8337038286000435073.zip

Filesize
455KB

MD5
cb172a4ce8c9b97a8489ced5e204f59c

SHA1
d0e9d07f9476625526a9bfea6ded860db6d77aea

SHA256
ed1ca998ca7a5b7eb8ee90434726a17e8760f44c000161006010fe4386aa0ab2

SHA512
a94c835ed6993af28018fa7bb60e6b5019c516c48e7d94f5a4ddb3241654ad274a567c3aa2355d8bf826172a68474cb95e5ee5c6dc91cdc3706785ef0ba32a9f

Download Submit
/data/user/0/bzvix.mnziz.minimiz/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
227cf60b8041a24a237a2d4c41bde035

SHA1
2de3237bed0082cd7d8a4f01d44e4689f909f2fd

SHA256
80002805d7ec3641f2a632acd3efdf8ec099a94c5ea2895db0fa5a0750988aed

SHA512
0ae93b4517b9f19d628b57ff346fe75cd6d75a60a97da40d1377a8dc4575a6435d23920e0027188b24d28690dd869063e11d016a44f73cafcf726ca69b971d49

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads