Analysis

  • max time kernel: 147s
  • max time network: 151s
  • platform: android-9_x86
  • resource: android-x86-arm-20240910-en
  • resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted: 26/03/2025, 09:49

General

  • Target: a34c1e334e9d76e97b8e8ac6b88bbc45cbed7ab7fc3a62e2f348c940136778af.apk
  • Size: 4.1MB
  • MD5: bd0ee78cded55ff30a37c670cfa66236
  • SHA1: 70d690a40fb7307280d2bebf77615e757c7f6513
  • SHA256: a34c1e334e9d76e97b8e8ac6b88bbc45cbed7ab7fc3a62e2f348c940136778af
  • SHA512: f6e5dabbced24b03f44c40d189d27dee8e9a085cf4499d903289ee556b992557f6ffc33f13e58fbc3dfce3ad89a6834cad10a9c34764b6a372316bd7bab2fd53
  • SSDEEP: 98304:k5GKk+jrrhCMTMI+On1L0Mcuw4P4dhdJAiA0vd3iYZQl:SGa7lYRQh0McufP0AiLsH

Malware Config

Signatures

  • TeaBot
    TeaBot is an Android banker first seen in January 2021.
  • TeaBot payload (2 IoCs)
  • TeaBot family
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Acquires the wake lock (1 IoC)
  • Performs UI accessibility actions on behalf of the user (1 TTP, 7 IoCs)
    Applications may abuse the accessibility service to prevent their own removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • subject.exhaust.play
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4334
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/subject.exhaust.play/app_DynamicOptDex/ulXNC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/subject.exhaust.play/app_DynamicOptDex/oat/x86/ulXNC.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4360

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/subject.exhaust.play/app_DynamicOptDex/oat/ulXNC.json.cur.prof
    Filesize: 977B
    MD5: b16b88ae22adff18035dc4f930012813
    SHA1: 2ed5eca4dc4f6920e646da0529588f8947f71b3f
    SHA256: b703dbdbcf203f8a7ae7fa6c6de621a64dd80b26c24393cd68ef938aed19ad84
    SHA512: bc4adb87da0d64a098c649d7ecb3b27c8ee59629ce2c432e2375e4ba4dab89bd07ac5f3f8b3c99a035d05df35274c8bd4cb75b343fab92cd13c0a5dbbebd80d8

  • /data/data/subject.exhaust.play/app_DynamicOptDex/ulXNC.json
    Filesize: 1.2MB
    MD5: 10d446daca47f5f2f0c5de4280408c15
    SHA1: dfbda37b38eef397e1e5ef06729ea8894fe1dfa9
    SHA256: 800eed0e3318eeb602066c1a4027c1e5a81aca53c6483cc11f64ed14de9726c3
    SHA512: 3afdca401822b283a78ea6070a5ab7be7ee29dc30dcedf0c840e9ab688ef613dab7252ee28196eca404a357def92b6ad4418283f33bef410ccd08d1946d784fb

  • /data/data/subject.exhaust.play/app_DynamicOptDex/ulXNC.json
    Filesize: 1.2MB
    MD5: 513129acd55676ccfcb4fe14e416f5f4
    SHA1: 8664df47e10463f008cbb5307792939efde32ee6
    SHA256: 1b52eec113f562186d5dac682b16975a9fe284627c8ba7b3b8c0c2c0c8ded9e7
    SHA512: acac5b4f2964d73c865bfb5eee2ad28835b14555d71f74d65bc88a006137c15c898d198875cc9a01199f056bee25919372b67cc19d9f352d4d6712ad79e1bafe

  • /data/user/0/subject.exhaust.play/app_DynamicOptDex/ulXNC.json
    Filesize: 1.2MB
    MD5: 064a5e63b4478a2d216c2f63a74895c1
    SHA1: f321e612c1a9576756fbd62a2dba21d6bcadb10a
    SHA256: 48184a421e460f484e651dcb1168817bd205d5275b012093c36e78a9d55b7cc5
    SHA512: b59d8ba767ca9feb522ebc38d4b6bed373168f4e71923355e46862c897581e6c1b1f25dc73b7fc964c34a4bd180f9691b36323015da4ad49d8e0be2b9c07a2a5