Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    26/03/2025, 09:45

General

  • Target

    a34c1e334e9d76e97b8e8ac6b88bbc45cbed7ab7fc3a62e2f348c940136778af.apk

  • Size

    4.1MB

  • MD5

    bd0ee78cded55ff30a37c670cfa66236

  • SHA1

    70d690a40fb7307280d2bebf77615e757c7f6513

  • SHA256

    a34c1e334e9d76e97b8e8ac6b88bbc45cbed7ab7fc3a62e2f348c940136778af

  • SHA512

    f6e5dabbced24b03f44c40d189d27dee8e9a085cf4499d903289ee556b992557f6ffc33f13e58fbc3dfce3ad89a6834cad10a9c34764b6a372316bd7bab2fd53

  • SSDEEP

    98304:k5GKk+jrrhCMTMI+On1L0Mcuw4P4dhdJAiA0vd3iYZQl:SGa7lYRQh0McufP0AiLsH

Malware Config

Signatures

  • TeaBot

    TeaBot is an Android banker first seen in January 2021.

  • TeaBot payload 2 IoCs
  • Teabot family
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Applications may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • subject.exhaust.play
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4335
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/subject.exhaust.play/app_DynamicOptDex/ulXNC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/subject.exhaust.play/app_DynamicOptDex/oat/x86/ulXNC.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4362

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/subject.exhaust.play/app_DynamicOptDex/oat/ulXNC.json.cur.prof

    Filesize

    979B

    MD5

    b4f9a633a3663b9d68221004eee5dc97

    SHA1

    3b7ac85a7d7c4c17fdefb7706cc7cc7bcb341d15

    SHA256

    8b0e364dc20016ef19917a642d7ffc0a3adad3218a0ba50f23c9b5b254c960d3

    SHA512

    6c682c76dd6a99c2b13c0f6becfa610471590579b9d602a006ef35f2d86586c2d69a0f7e3af5ca9d25c4817c9c3deaf7c137fe1535aa9130d879d0db92bc272e

  • /data/data/subject.exhaust.play/app_DynamicOptDex/ulXNC.json

    Filesize

    1.2MB

    MD5

    10d446daca47f5f2f0c5de4280408c15

    SHA1

    dfbda37b38eef397e1e5ef06729ea8894fe1dfa9

    SHA256

    800eed0e3318eeb602066c1a4027c1e5a81aca53c6483cc11f64ed14de9726c3

    SHA512

    3afdca401822b283a78ea6070a5ab7be7ee29dc30dcedf0c840e9ab688ef613dab7252ee28196eca404a357def92b6ad4418283f33bef410ccd08d1946d784fb

  • /data/data/subject.exhaust.play/app_DynamicOptDex/ulXNC.json

    Filesize

    1.2MB

    MD5

    513129acd55676ccfcb4fe14e416f5f4

    SHA1

    8664df47e10463f008cbb5307792939efde32ee6

    SHA256

    1b52eec113f562186d5dac682b16975a9fe284627c8ba7b3b8c0c2c0c8ded9e7

    SHA512

    acac5b4f2964d73c865bfb5eee2ad28835b14555d71f74d65bc88a006137c15c898d198875cc9a01199f056bee25919372b67cc19d9f352d4d6712ad79e1bafe

  • /data/user/0/subject.exhaust.play/app_DynamicOptDex/ulXNC.json

    Filesize

    1.2MB

    MD5

    064a5e63b4478a2d216c2f63a74895c1

    SHA1

    f321e612c1a9576756fbd62a2dba21d6bcadb10a

    SHA256

    48184a421e460f484e651dcb1168817bd205d5275b012093c36e78a9d55b7cc5

    SHA512

    b59d8ba767ca9feb522ebc38d4b6bed373168f4e71923355e46862c897581e6c1b1f25dc73b7fc964c34a4bd180f9691b36323015da4ad49d8e0be2b9c07a2a5