andrmonitor | 8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4

Analysis

max time kernel
34s
max time network
150s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
01/04/2025, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4.apk
Size

20.8MB
MD5

49473349fc1c018462ca0802c7f3147a
SHA1

81365b09f929fefaa01f9e0aa55ca747d1dc009a
SHA256

8e17feb1ff96b3b2f5992f29e008b5581b44d3c16a1c742cd93d15971a587ff4
SHA512

f56d42633c74395eee242eaba7304687b09f42ce986ad6d7507850489ab5a0e226a559ccfe7bee1a40e8b007b8ac9c70df2fc0e4a4d5dcdb4d673e3d64ffeb8f
SSDEEP

393216:tfDiuU8+sJA35z7A79L+M8x1mbgafiubcrZ3bbT9i/zVN2I+TXiZmKpPbNiRSKcK:lD5jJA35z7c5mXmbBffc13xi/zVN2IkP

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	zqlt.debkyrph
/sbin/su	zqlt.debkyrph
/system/bin/su	zqlt.debkyrph

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4784	zqlt.debkyrph

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/zqlt.debkyrph/[email protected]	4784	zqlt.debkyrph
/data/user/0/zqlt.debkyrph/[email protected]	4784	zqlt.debkyrph
/data/user/0/zqlt.debkyrph/[email protected]	4784	zqlt.debkyrph

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	zqlt.debkyrph

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zqlt.debkyrph

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
24	prog-money.com
25	prog-money.com
26	anmon.name
27	anmon.name
30	andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	zqlt.debkyrph

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zqlt.debkyrph

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zqlt.debkyrph

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	zqlt.debkyrph

zqlt.debkyrph
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4784

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/zqlt.debkyrph/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/zqlt.debkyrph/[email protected]

Filesize
2.7MB

MD5
e9ec7f944632eb47d67bfa3da63d2baf

SHA1
c04f06050c104383991cab6d32839a9720d7dac5

SHA256
9833631cfd0bf3424371788094e612090d9c7f1f8e597352b8a8c79791dc1c41

SHA512
4e643962df583e06991a7be44447eccdcd6db31c6ea1b78cf9923cb044ea615969cfd374abd89e138ff6bbafcb1b027d6413cfb79866cb7ef5d8d6d2a44c5b18

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
128KB

MD5
5d2c5bf685ead0b7f87039880b71d65e

SHA1
5b1bb7108910aaac16aedb86b9e781d55334745b

SHA256
e4516426d2db5a4a7a91d4c3a2f8ad1a272df3b2eb58935e191df9b979b7e128

SHA512
ef5a00d0a7721fe108b17bb517572a6662b7ae3cc3fb50f0c21822db995c347c71922e85b8a0c29a82e9c329e267c78fee59739eb73522ba3c1bc35038834024

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
100KB

MD5
1c3a09a7804fa716f9a3d7aba085e497

SHA1
697cf9ab22fcd31720cd5638edad9b15587b1a7c

SHA256
d980977db6e3473b0f3af5b9ba42edc84bc6f5f91c1bd6855f7f1b04e8d6e4f8

SHA512
90eadb6cac7f2c0dceec54bc1f5d46ee3a23b5379cea269c1d98ab8c50c18955f4c8c90fcb8feb94d65419aa5b6e81c075b532113803a862330e48d73dc93fc4

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
60KB

MD5
2ffae654aa2fe194190b2467c61b9c88

SHA1
346dd61fdeea77c99debf6016497922571439eac

SHA256
7178bda30584d7a5dae81d223e5c2208ac1b95afa3b5d223357aa46ee730b337

SHA512
aabd1e31a623253a9271c1e3ff713a89754675f872953c919f753123ed1018633f0a351306751325cf132a57f2f16e095153cb7e5ec778e7dc0b5891333f4e9c

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
100KB

MD5
0512b4ab9c900f7f281faa76201d32e3

SHA1
a819e7374f9df05be77e78f0bee7bf1e251733ca

SHA256
466da3e8c119d690c5cb6e4dfa5b5f9972d682d3c974e1e5ecea7974d872598a

SHA512
2f09cc5a22f93a7b1d888524f949181cd540f5b6ca45b655d65604644471f18b8ba0c453dc93ef445f163cc68fb14d773b1b93ba366d62fb18942bb9323099c4

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
100KB

MD5
d6b572e152c72d84ac88ebe3ba5890ce

SHA1
772a51a20607f0577a3148eceb1519e4946f68b5

SHA256
58adee54516e629bd5785f386573c98cb2a310b72ec3a611e765c1a1818bcc50

SHA512
bc9264e2e9751f2cc2faf20cd837c1eafef0e803454358c920f53f85da9792823c4dd044136a54f780a12dc936a4fef9112faadfc2ae48e689a7700ab73f6a34

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB

Filesize
176KB

MD5
8da9a405e4f335918a90b64c8e59c75c

SHA1
124e8e4e83543950db3c6903f18b1627f76e89ab

SHA256
e4a22d35caf5042b33fb3c64f7f025a52f99065aede64bd27d4e80f2bb6d736e

SHA512
17308a827009f222fe9e47dc5a0a5346a5ab779f76f3d9103de907b154a256fc8d5455654b94bc4d77d878a6f8994b7cb3824f80491fc8bbfc0bf77a1298908e

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
512B

MD5
483f7f9c5f99cd0287ba47bf718d6f74

SHA1
72fc151375cca3726988c96a087f119bb781dd95

SHA256
1d83466133f5851501e70a99d035c2dd03aac704a100133a0019849f94800a6a

SHA512
5eb25697420426c59f5677465f99b5d201d372001858df4b6f74f88e5d4fb30b3563cb6280d0b57f4c76324272507329a03401ed75b8bf472e6e250915c1bda8

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
8KB

MD5
a574445fc5cd714607be1d55cc6cf257

SHA1
11e5a557ed5aace90ca4c63d373d0bee4020dd6b

SHA256
94a33658d9e6818a8e355b4a5c3dae6a62b592e04a80f5b7048ef45b3845b5a9

SHA512
0627e1ed119e8002376b14c3d7edbdfce41d9451b2908a3529e053956361a4e1cf8c97c95f5f6411e8a0b967605d935f3bde2f710619c176a915d6445736bf4b

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
4KB

MD5
af6eb8b134b455ea463490a2d0da7339

SHA1
d5dfce1e5428e9da15cf5ceb2053b0b6e4d6a883

SHA256
75635d859b2d8b29727adf267bc9fb40973f68ac01222d30a49b200f214119c4

SHA512
a65ee81c974056048950167dcb32745b697cc58fabd9a363d78b34018a878d23ab3229d297dcf784e37620e06634f4921024efff4065f6a36d93f3400c41ddc9

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
8KB

MD5
dfe1fa4b0823c49d70e1c6b2e3fbb745

SHA1
7c7d5e39c217605ed7b5fcead1c1756cd91d6a75

SHA256
8ad8575a72f533ff0d97809f2205ecd708a0f16374ba840c298674e92db656e6

SHA512
b61d0fe9cbdfd1f1ffc79ba98065cf80d5bb53b25d50267829a5c5f010efe40e5ad3012a270303712cda753a4e2c6121026f35157b3ca7e84c304c85585d00fc

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
12KB

MD5
8a3c405e9d338abc05d73ce98eccba0a

SHA1
aa775be964d265f92db75ab4ddf4cbf32a3c31b6

SHA256
1526b08e5066d873b4165906b9e9f64595ad9e00c9b7c90a53a32eacca544929

SHA512
590228557b9922d6214662030f8249c88cebcdbdc5a61e69037122d17640842ac0119f721904af88ef9115d7fec25852d46ceb5c8e1e4f2fb51b825b2b0a517d

Download Submit
/data/user/0/zqlt.debkyrph/databases/SettingsDB-journal

Filesize
24KB

MD5
8d1acce09e72737990cc3947f04c5fbc

SHA1
5edbdae584d336a67417e2ddb65b33e457cfefa6

SHA256
2316042ae1ec74be2fee06774f1e380e486e7011611b24a01728d1ad4a8bdb7f

SHA512
fec219c57f49ac860487d69967d69374cd2722bf15b58bf2aab8df541ad8733a6b391dc68172a2f9faa99c55db9d8236c53fe34f7ba745f66f9258bdb0523136

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
afb0e886d79490fa6ec85e4fd8f2edb7

SHA1
2f37716bfc66ccdb52ab9a6103895602456c6759

SHA256
3d01d283f0ae90c8abb8c19a682bd674cf2aaf2e4bf0e0bcb1dced53bcf95d17

SHA512
8a28edbf5f27cc4dac1f37bb560ee73b19ce12bc8954bd9940ce360b8724a57cc90f77728228d6497bf79faab601993d88c1c199fffccc6d277a90f177263b7d

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
128B

MD5
5ae2d01de3ea82904aae3f3b79449baf

SHA1
201147fb89d31b302ede088174a9d5d83ee42e67

SHA256
2bb53abe28801f0ba2be033ee6d317afb11635f6764bc8b2be73bafa3b7d33f5

SHA512
fea8465e9759b1fc82920890b11ea3675877d45349b77d08651d3776892c997aee80de68ae3b0d7c72adb1a5a625bd3cba46e22109cb579c66028947c857adea

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
a0fd16bc5f8d8b7bc13444f6675bfb81

SHA1
dd891043089cf0ca782181ae461b499903bf28bd

SHA256
526fc8fedd2954c260a6a4338a0dc89ef8b9d236cb81b9c04fbaa951505125df

SHA512
b2295b4cf965d6440f2a6b98f8bff06b8620dc5665f80a4ca3dab01507d396fabc5a6a3417b2e8e75605559d2e9ea5953284fef8ec0ee774f43e25e2cf603d7f

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
8242ffd68c97987d1378c303bdeacd43

SHA1
e6ce127086b63ae4d15ac2800cf981051eb48ac0

SHA256
22b9027625d4f7fd7a4878f133fae163a7d8537a21741309135238379e110edd

SHA512
60cb34cc6e8046c97500dfe9c3e4c7d4d6459a6111e363ec4e9b00f1f91bdb76e81db9ba3f0e019ab843fb5a697e0b8843a05b8e387d2d8a9901697d03bf92a3

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
9cf8eca057bfb49d059bef284d970474

SHA1
4b72ca5355874586a73e73cb28e165cdd0b9896f

SHA256
3345009dfbf7c0942cca8beef4a18287f461990a08fdcc53acd4058b7cf7f462

SHA512
d9a401c8b8290d63078aa6df07e9149f775654f94ee17cb2180ee7decb10439a38751cc0cbece2cffc05d3d8a0ca83803dc5cdc144aba2a37a28f59df450fb44

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
a8eef987cba6e2f90905c73079f1d9ee

SHA1
66b9423f4fde61048e2d5ba725b43bc7341cbb60

SHA256
2589c915653bbfbd8cf16f5226cf12f7fcf868941f69d2c711d78deef0f4ddaa

SHA512
ff1955770a64f1f135d83eec74b07789b18c5f6a50cc465d6acc54dfd8782247e2d12272141fda2459ca9a636e5d25e634596ba31ded52926b82b6ccd3473385

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
593051a26c4fdd4e17b10ef3541bb918

SHA1
3b9705c3531c144a255e817e5bd3d96a2da27aa2

SHA256
7bc0a93e037e78ff56b88c2099321a283e4194a6fa35378a9846f56f12ad9544

SHA512
3261cdcc94606ddf9d05e461f13d4ed49674eb2c8337935e698f0beafddce4a8abcf0e4025e44e3648d9bc63bd91302c6aae2f12712d1a907b3299dba8812b6f

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
183B

MD5
3780ea43dae2cff58ecaee197ff5d0f8

SHA1
691d575d47cc8b85066fc98fa60edb68af51fd34

SHA256
5fda9b5e066175dfe5e89c7c7547743f13c20475d0a62de115eace53dcdf62d3

SHA512
e16524b08b08aab1bdc2281c18f8fe1a5c1ff7226db61c60e64389593559c385c94434193fd84c36c7c5a2dd94d8066f1635e98cf213655e825962cecaae5df2

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
33KB

MD5
8f1a65084b7ea281a737c0c378fc2a6c

SHA1
6116b6f153ad2b6db74feb500be931cfb70f27c7

SHA256
fcd4fd1a0a152da422925d84ca422393ef58dfb9ffcff4eb47527ca1e88799ea

SHA512
2b655299afc62b3f2d43670edf698a03d4a20cb45515c848b112cafd016aa4f7054dbb558652d4925f28cd2dbd6afbd303a9599ac92ee52b617e5e2ad32f0797

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
503ec9fa19f15554be962fc43cd3618a

SHA1
349687320a37a52269d33959c307aa5fcd5ce6ce

SHA256
7668fe7a405ca906a631cab38a34074335e3874c6f58cfa4c653af3c88150fda

SHA512
869e6908e60e498943fe05916d1324d96c12555ca20140f490193d5ee5656c8423c9781d7c55dd932142224e2163d704dbb6ca60376d84cb303c865c2f36f948

Download Submit
/storage/emulated/0/.am/log_1743476666616.txt.zip

Filesize
218B

MD5
22f1d0b300143e99fd2ae76c19f227eb

SHA1
0e1a49bef225d1eb4165a054c65cafc4d1e7f27e

SHA256
e1f8a55872e151577c1aab191b9535a92eab8b0e76e4b33b7000a92b1993fc90

SHA512
158c51bb8537302bd8385768f702c87e520a76c86ba6a41a6db3209572363b6b780c20035753cf597c9eb51e180f570cd7df8cbfaa13bd622367f3a21e09f705

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
71B

MD5
449838686efaec3d6d76a922b9a884d1

SHA1
efe0fd1cbfc24600171b1850a87fe9f551927002

SHA256
6adee0df800bf2d3a1c25ba36f7e8384a4454a590d0db73cd6e53248532d55a1

SHA512
d20bdc76da4cb2efffa495c41f7fd8062952770c1880fa13a18e73d961403be677c51a71703a173debf4df6eeabe5dda844f46d0e32f73e6cd9ce33d30d672a7

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
69B

MD5
df8c9cf7ace1b7d9e83eea1679c68c2d

SHA1
8f0212b8a4368d17309bb304b11af661992a034f

SHA256
60b2b1d4d9ed69961577577f594a792f4a833c9738cf931fc44f47393f51a764

SHA512
2e732661e83d9d94a4ad7c45914e2ce0447c60da04039f402e0c1528abe8ae8aa25c960b9461aa9294f7f6771e58eee1d13262b401fd32b61a8a3aaa8f5ccbca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads