andrmonitor | 8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4

Analysis

max time kernel
125s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
01/04/2025, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4.apk
Size

20.8MB
MD5

49473349fc1c018462ca0802c7f3147a
SHA1

81365b09f929fefaa01f9e0aa55ca747d1dc009a
SHA256

8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4
SHA512

f56d42633c74395eee242eaba7304687b09f42ce986ad6d7507850489ab5a0e226a559ccfe7bee1a40e8b007b8ac9c70df2fc0e4a4d5dcdb4d673e3d64ffeb8f
SSDEEP

393216:tfDiuU8+sJA35z7A79L+M8x1mbgafiubcrZ3bbT9i/zVN2I+TXiZmKpPbNiRSKcK:lD5jJA35z7c5mXmbBffc13xi/zVN2IkP

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 2 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	zqlt.debkyrph
/sbin/su	zqlt.debkyrph

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4323	zqlt.debkyrph

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xc3745000-0xc39ff690	4323	zqlt.debkyrph
Anonymous-DexFile@0xc2845000-0xc2aff690	4323	zqlt.debkyrph
Anonymous-DexFile@0xc2ee9000-0xc3015f24	4323	zqlt.debkyrph

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	zqlt.debkyrph

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zqlt.debkyrph

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

flow	ioc
16	andmon.name
12	prog-money.com
14	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	zqlt.debkyrph

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zqlt.debkyrph

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zqlt.debkyrph

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	zqlt.debkyrph

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	zqlt.debkyrph

zqlt.debkyrph
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4323
- su
  2⤵
  PID:4359

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
128KB

MD5
83f9d1be51c0ef0019952bd962f70f05

SHA1
8f9e2782d24b692b46e6aa8974e61fb6aa7d903e

SHA256
9623d7ebba654211ee8fe37878dba389a66331142db2401a66207d308d29528b

SHA512
586686fe26bac50335757548d758303a9adc54ccaf923f9ed977d05ffb927a4c406480b8fd8723a6d8adbad5d079843931d7b1d20aab2c369e88e6a62b928a53

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
100KB

MD5
3d6f00cc6dcad13c0289a6787ff26a9e

SHA1
8b504dc3fad9fdac9b26d2514b07956133f4534a

SHA256
ed03675dd9581b3856d9ba88b9db5d0846752e2c1f082b3c978dd0cfa61304b6

SHA512
7fa5133b66f3278142ae2b3cf2e0a28d0d65049339e5c7e02a4a22a97f9a4e1354d0b1a7be4596694c40f85f079087275649b7a8885c47685d1c1a5f3321ad44

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
60KB

MD5
b84ec3ac5c1e79f72c55ea19bb82f981

SHA1
2a911a0494b171906a25ce812a25847c9f550a2f

SHA256
cd2acafa436796594063fa7599247531a5a1faf91b5035d85bf692a395cd3841

SHA512
9faa7a08293d0d00f9d0ec1b8c217d86d99e938a0e81f6d0324befefaf8c3a4226a64c1f1ee44119c07035c643e46f7fab51b6421819f346619382bae75ad2fb

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
100KB

MD5
188e569d0075e137c3d5ede1457b8c3c

SHA1
b9fcc40054b614df6d7590081bf2ef61e4b6d6e8

SHA256
1d48d5a7d5d7caf6fcd74c5c9663d33126f54088d74f277ef877b12e3ab87790

SHA512
fedb652f415f87e96820824b9200acda4d949a87fbcc1757096a8321e01883c7af3763b34d5a1c6ec506311d15a4e15199ab318f9a63acce03031b498f9f0631

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB

Filesize
148KB

MD5
c58ec4c939d4d2d76a63a60416774409

SHA1
92c100ff4dd31b186bb0f3841d133522e27ca206

SHA256
aeea4545736c11d3ce054e90147b32810c2cca6818387cd96b1ee2c0e60b17e5

SHA512
b5f637f6ad462cdd0f48d41f88feaa41f38919625496ce20d216a49152444005963e8f9a9ee12930828dbaa437c95f204c7084921a5036c4ec91965daa7c75bf

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
512B

MD5
f010d44addf64a378ca03ae3dc4c95a9

SHA1
c8113f8c954b1e782cc91741c4d201d8023f1d32

SHA256
c9b04ea1ee4321fa79d8e16a256c92d88b0e4d353eaba2d156f3534dd8afd1ae

SHA512
db8781f83d0ccfc791af41a25fdbf5763389f2f090256a6feeec7fb66a7ba689aa3599d6b7162d8a90e1e544c2694ffae2ba1eda80f0d1803e044f07cf6c6228

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
410KB

MD5
ecf6561ea4cc5e5859da1429774c4d94

SHA1
a1ac4fdb8324309faa313ed400fc39c2328766b0

SHA256
4622da93b2e1d9f56220f8ae3f230c12fab1ccfcf6b20027eacec4dcc38cf5cd

SHA512
fefe85c5933a78ed96af99bd57c473edaeae2189dedd7f27ee4cadc2b86bbde65c9da776769f480ff41292f87f6216866397ff4d14c5a89d1302107e92a3697b

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
8KB

MD5
d92befc4bcfc9ae4ad7e7775637d165b

SHA1
301cc9ae787b568186cf9475ebbe86f7e908f403

SHA256
e9e14ca0083bd860ff859a410bfcac0886958e937c2c21ee77bb19c73fa54116

SHA512
5eaaf8f4eba4d1b09479f7b0ff1a9d5483c444d0b2e15f9e8b5c05807bd9bef4046b5efd99b6d779f8b6782da1f122936ef951ce3d59392862c01b6a946dc9b9

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
4KB

MD5
ed7ff6593252ce56c0b66857ce9f1ed3

SHA1
66f5eac0bc8df0774a4a831ce2f7ae6c4ade4f70

SHA256
b96a2d87eca08202652b8b844424694105e6f0faef74758435427802332f67e9

SHA512
694b53eb1d7aa7839a1c843f22e872b7913899b556b4bd4ff009fc13c03d92636d2c94a832ecebb00e0539e7a1141e218803dd1b7875ac3088549245206d3b48

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
4KB

MD5
a0ab3c83c955ed3fc001ef109829ac8d

SHA1
d8d860ba2762a58f783bc67811e3d8a1ca1e264e

SHA256
7e817b93b237762c5967efe2ee667b9df9c63aa0b580a3d025ee75f5e3061ac9

SHA512
e6a68f4fb385df006d1350af6939a906e57095637a31327d87838e933a787d204fffa450345cf4b965623582e80e0468181e9b6c73b11f60af37291585a1a883

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
8KB

MD5
4274127ffafd8f01a636dc3d35a36300

SHA1
48425f114bb75df6f9275782cb89177484881504

SHA256
0303bf58f7e6f332104a0f4e7927abad45e10dc626ab52a67eeaf14c35c51ae4

SHA512
5dfcca5548bf42b903dc1bcec581ead040fc339aea0a1b11d96eee629f9c522a7277acc4f291c26afbe939bcb15fb4f5a15272442bb137a471ddb557ca616d0c

Download Submit
/data/data/zqlt.debkyrph/databases/SettingsDB-wal

Filesize
418KB

MD5
4df22af71db697aedf66a6dd2c344e3c

SHA1
1d655db300747be2258818369bc8640e524a0368

SHA256
245902438c5af525d4639406b40542172adc1fd566fba858247b451ebb9e9976

SHA512
9bc177b91422dc97f9cd330e827d438cd2f211a401d0517d3cf2175497a1f7d0b29882ad49db05df553fde90f1e524e55cf60be4b93527408dc09e52d1de1512

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
afb0e886d79490fa6ec85e4fd8f2edb7

SHA1
2f37716bfc66ccdb52ab9a6103895602456c6759

SHA256
3d01d283f0ae90c8abb8c19a682bd674cf2aaf2e4bf0e0bcb1dced53bcf95d17

SHA512
8a28edbf5f27cc4dac1f37bb560ee73b19ce12bc8954bd9940ce360b8724a57cc90f77728228d6497bf79faab601993d88c1c199fffccc6d277a90f177263b7d

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
128B

MD5
1e5e23b24a97622e8393f3e6a8eabc5f

SHA1
87fb82b30ce2103946c2292fca0a6ceabd1ce9e9

SHA256
2b7586537465b9806b10ce8f4ccacdcd3359421a34a732fe78ced262a1aaa9f5

SHA512
5489b12886332adf0c07b5d5276623a249620e4867e5d02de9e59868075c3d918665176ba9c9765437d043146f326ec2b38eb7f3ffdb6692932a98d6c573687a

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
687c50c676143a0e6001142ab1187b38

SHA1
e59bc19b765723887dd1383ddc129685e7b6ee57

SHA256
5d810a8046e11b5e95501d46558ac9702cc47a211fe32252f238eff5948adeb1

SHA512
7a49482b2baa215e1bc9d54c46bd2ff8e2f31323a217f50d457f77d852d5fb626d5eaffce1d7c17ace37e2e7f50f943977241faab92f45b7d1cdf6ffa0247566

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
3KB

MD5
487dfb2c470e68c8b8a6e00ee3004573

SHA1
170863087d3bcb96b996d8f143c27154c42fef00

SHA256
1b2d0c29fd571a672b2290709678d4126c0a2390bb5201b5fb024661cecca2a8

SHA512
cc986be1953dfff0b8ad97224fe36fd3d1cf627dae955d202ee31d83cda8ef60bf368c686fdd54e69301271ff2b1665760da668263cfabd02298c15850161950

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
df2bd426aa4684da11e364196da2da6a

SHA1
9784e3e2460407f4c4c0c73692104ecbd6b9d7a1

SHA256
84d75e8cd3540dfed674c4161a184e9aed1fe408f3c8cd00d48bb4dffefeba55

SHA512
e9d0f6efd7c2c8b9533238247197b0c06b2f34a07a5fd7c912ff70c1d1371d513efbe43ef09b5fb38dd8832774195ae601f66775e6d647b2f904edb142aa4889

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
098df4581fce3e41f4ec40e0228a2410

SHA1
7f5b311b4711b3025771c148a9f466d70c21b879

SHA256
cfa8437f0bc02c4a29e07c5f632383177b7ba1772ca8f5d8ac23ea9f82d2bc7f

SHA512
bc7b1de614045807e359c0bf8045f7fe2f79f99b6205584dcacdc93633f78229c3bdd5a9b76d9f00a4f708147e3f928b790c6d043a5a7886933d3a75487e7d30

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
52ce8f2d08b3c67c9e9ba09b1877649a

SHA1
ee28414d6259cf1d47bf40c9580e3d508e516c33

SHA256
8afd40f117878f68fa8b9b427a15bde14b7bc9462e23b3829b6a67ca1d35d4e4

SHA512
de263a08ce07694626f169d46f60afe1e3beed45df1aeb7dabf3a3371fd7d38da7a9b3722a7399fec007ee2206c74abebc6a4186af0e4a3b9233819b44d9f7fc

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
153B

MD5
d797477f498e938b8cc891772e4a6031

SHA1
d0258eec88393d8dfba405748fd287c4b57ba22f

SHA256
e2d3e7912f13b4de54dc013b7f0f36033013d60c5a4c1e7c507c18d1b9682acd

SHA512
f97c59046b51b4eaceb3a6587be11112a12c9eb249e2209edf9adaf1627dc9766344861ecbee4624e78a19bcf7fd0bf95b3555031cd29b74d32f4ccb19077a93

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
34KB

MD5
bab1aa852ee2749aa0038342b12848db

SHA1
2c2441906278ad1e4d0302e7a57d02f2ec4e0ca6

SHA256
c1d55275c7185f82e61c8b91e496996427dbb1648c0e8eb30c6fe423d2357b29

SHA512
fb44932473fab928ee588ecbfbf94dfa7a9435b0158e3aa4c19dc92ccadfde14529eb455a1aaf480b7977336ba9225d7708f0aff22722c84f570b0b9f7149b25

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
0c3d8252ab02d66e1cb4c7a7e09991e6

SHA1
c8e436e38fd2900e86c4b2916ab0d0aabb4cb8da

SHA256
e7a0b8d2d0c64a4af90884011d0e9e158b761f2a9faf8835b19726e52279e62c

SHA512
9d22f44afe9b5c8716a6b25cb9c1668b3d08988a010e780f293f9c192508538fd9ea0fc02d510c7482ee61aa8e902822f63520dcb7dd84392362ec8e9358776b

Download Submit
/storage/emulated/0/.am/log_1743476667745.txt.zip

Filesize
217B

MD5
1a89e304fc0d99da2d2b91756d9f32d4

SHA1
d08895f8fa28c570493ce382b5bf0967c5ee9d82

SHA256
f184d26a81ceac57a35166c0181919379f4496c188b934d3e98617cd8db48489

SHA512
1940a4a31b0b800b95f50cf5ac97e6f7d79cfa7b3b74226becabab2475443985aeb083f6765cf0414a6bd2f72c327cfd08c3a6191df3bdcddec5770c34ede1f1

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
71B

MD5
449838686efaec3d6d76a922b9a884d1

SHA1
efe0fd1cbfc24600171b1850a87fe9f551927002

SHA256
6adee0df800bf2d3a1c25ba36f7e8384a4454a590d0db73cd6e53248532d55a1

SHA512
d20bdc76da4cb2efffa495c41f7fd8062952770c1880fa13a18e73d961403be677c51a71703a173debf4df6eeabe5dda844f46d0e32f73e6cd9ce33d30d672a7

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
69B

MD5
df8c9cf7ace1b7d9e83eea1679c68c2d

SHA1
8f0212b8a4368d17309bb304b11af661992a034f

SHA256
60b2b1d4d9ed69961577577f594a792f4a833c9738cf931fc44f47393f51a764

SHA512
2e732661e83d9d94a4ad7c45914e2ce0447c60da04039f402e0c1528abe8ae8aa25c960b9461aa9294f7f6771e58eee1d13262b401fd32b61a8a3aaa8f5ccbca

Download Submit
Anonymous-DexFile@0xc2ee9000-0xc3015f24

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
Anonymous-DexFile@0xc3745000-0xc39ff690

Filesize
2.7MB

MD5
e9ec7f944632eb47d67bfa3da63d2baf

SHA1
c04f06050c104383991cab6d32839a9720d7dac5

SHA256
9833631cfd0bf3424371788094e612090d9c7f1f8e597352b8a8c79791dc1c41

SHA512
4e643962df583e06991a7be44447eccdcd6db31c6ea1b78cf9923cb044ea615969cfd374abd89e138ff6bbafcb1b027d6413cfb79866cb7ef5d8d6d2a44c5b18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads