soumnibot | 1fd54bad315642808de0b246fe681fd1a874bde924e0dc23ad0be1ec4334fadf

Analysis

max time kernel
149s
max time network
155s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
27/03/2025, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fd54bad315642808de0b246fe681fd1a874bde924e0dc23ad0be1ec4334fadf.apk
Size

2.6MB
MD5

d7554e77d6172f2a58f6a8d7437689a6
SHA1

ef0b2fd728e3d96f55e4e1a962dc77d23282d7b2
SHA256

1fd54bad315642808de0b246fe681fd1a874bde924e0dc23ad0be1ec4334fadf
SHA512

68d5ff0a729acc8a8536a5d6b6674602e7ba654f6c7b54d5ffdf27ef5f0ca84a3d473897f63dc5c1f64bb1bfdd0b68c4f03433e4cbbb1b0c8fc81cce19b7c100
SSDEEP

24576:Ylu4m51+WtE00JJc3VpCKHA+MwBHk5qXtYuYUJWZ7vJPycPybSo1qqE+hPJCXb5f:SJWu00WDM0RYUsZYmlcuCCoCAw

Score

10^/10

soumnibot banker defense_evasion evasion infostealer trojan

Malware Config

Signatures

Android SoumniBot payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_soumnibot

SoumniBot
SoumniBot is an Android banking trojan first seen in April 2024.
trojan infostealer banker soumnibot
Soumnibot family
soumnibot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/rgvkdkf.epfvsode.gsrldvf/app_rgvkdkf.epfvsode.gsrldvf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4804	rgvkdkf.epfvsode.gsrldvf
/data/user/0/rgvkdkf.epfvsode.gsrldvf/app_rgvkdkf.epfvsode.gsrldvf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4804	rgvkdkf.epfvsode.gsrldvf

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	rgvkdkf.epfvsode.gsrldvf

rgvkdkf.epfvsode.gsrldvf
1⤵
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4804

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/rgvkdkf.epfvsode.gsrldvf/app_rgvkdkf.epfvsode.gsrldvf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs

Filesize
1.8MB

MD5
87e67c86e762b77e1816d94e13c850ec

SHA1
974c2c449c5c363dca441d23c3059766b2e3ff52

SHA256
83a8e1de8bfe330101cc730c7bdd841f5a397923073c96f5f335b5e175e2b34b

SHA512
239fb8a2939e568353efbf434567bc91e587b8dcdefbf2b38e15aac84612c4dabf1a77dc4c344ca807d461cd15e149f5bab00450f06c0b1820ca27388f465679

Download Submit