tanglebot | 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241

General

Target

37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
Size

3.7MB
MD5

3993d424e29a77ac1022d87a015f4841
SHA1

53f5617ff33bf8014bce697bdce5c1dbf9d3d9f8
SHA256

37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241
SHA512

8b6ebf3aa7c4a11d0319313b8b7d3a89b239bda5f457aaffe1460ef0bb07b2f2270bdaba7c74da35db1fde5237ecc3f2de2b6c63c287ff86f46d02ec8939edec
SSDEEP

98304:gTpRe6axXPeN8AeN8LWXMi+j8koAxWS6v3:Mp4PhNLcgkoIWSC3

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+LFAFYjStX6wzZmFk

https://t.me/+s8bf3BX_dUYxMzU0

https://t.me/+sklwiGKlByJhZGM0

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/5097-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/base.apk.classes1.zip	5097	dznixxl.xpxol.zmxpl

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	dznixxl.xpxol.zmxpl

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	dznixxl.xpxol.zmxpl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	dznixxl.xpxol.zmxpl

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	dznixxl.xpxol.zmxpl

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	dznixxl.xpxol.zmxpl

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	dznixxl.xpxol.zmxpl

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	dznixxl.xpxol.zmxpl

dznixxl.xpxol.zmxpl
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5097

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/tmp-base.apk.classes6393528100401449938.zip

Filesize
455KB

MD5
75f7b5e317c80d3bd5e2325df2f633e8

SHA1
4c211635d5f9bbac15f3665d5795e5b70ec73c9c

SHA256
fa53a94830c1a7997bafe508b35472bc80ee04ab060ca0c0551eb974404a2d5c

SHA512
0d2bd52aa1b15e1695f847bf9739fe7394aa3a8847a81619c7d412d0ce895dd599bcf4f4f90b4989aed5011d1f8e95d54871557e71f87398ab09072f8d439d44

Download Submit
/data/user/0/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
9cd92531bece8d391ab59d69498e3847

SHA1
1976fa73b62cab5faa8abb07044be85213c7f51c

SHA256
23027b31d3096aff8e805ab54d44fa5cfeb35ba1c44e8e70e0b3f5856b06d5da

SHA512
ca2509e0f26932c6817b5ece685741fe400aaee5e5cae1f14b418d5f9f31d4af8a5a506362d8177f17cf92bbbe170f90760e3d107d36277b0fb8ffa3244d443a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads