soumnibot | 34bac84af1e3e8fbb878b10aaff53b5222d5fa89a0c7e8e1248c1d357a68cc6c

Analysis

max time kernel
149s
max time network
150s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
28/03/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34bac84af1e3e8fbb878b10aaff53b5222d5fa89a0c7e8e1248c1d357a68cc6c.apk
Size

2.6MB
MD5

9a37898745812328541414fe804542b5
SHA1

2bcdf78aa322d5379f3c61fd386f102eb4b4ed14
SHA256

34bac84af1e3e8fbb878b10aaff53b5222d5fa89a0c7e8e1248c1d357a68cc6c
SHA512

24e0dd0db99b5745680afa4fa9f835208c86c17e7af9ffc299d41ff06e7ae60306569e1668e2764c68c8ac797579d6685638b3cbd1974a7f9fc792d8a90ddfe7
SSDEEP

24576:ns4m51+WtE0j05HisjAYVBdeVpn0lWnsz0/volF8XWP+QUZBE+KQqluHYckXbu9G:7JWu0CpjpKIFgLtxxqwOCAu4

Score

10^/10

soumnibot banker defense_evasion evasion infostealer trojan

Malware Config

Signatures

Android SoumniBot payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_soumnibot

SoumniBot
SoumniBot is an Android banking trojan first seen in April 2024.
trojan infostealer banker soumnibot
Soumnibot family
soumnibot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/krwegf.ewkfkerd.gvref/app_krwegf.ewkfkerd.gvref.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4782	krwegf.ewkfkerd.gvref
/data/user/0/krwegf.ewkfkerd.gvref/app_krwegf.ewkfkerd.gvref.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4782	krwegf.ewkfkerd.gvref

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	krwegf.ewkfkerd.gvref

krwegf.ewkfkerd.gvref
1⤵
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4782

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/krwegf.ewkfkerd.gvref/app_krwegf.ewkfkerd.gvref.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs

Filesize
1.8MB

MD5
3065d121d85b059be18a663932b77bd4

SHA1
aa489ed7e99a744254b61c3e6b8db0f64e20d101

SHA256
5f7ad8ce1109887cdd68d44a90bb564b2479d5dcea58d1699e692757b545b62d

SHA512
29f5bb83d3639d704f2be4c17906d34ac42e3a7bf0a37acfcad113fa45e245eff0af796977bf11021d48c3bc488d090867f8f1af06adfec7279cae710588758d

Download Submit