soumnibot | 0505be6f429fe4941991d6fec86f1b7fe3eda3f9db3f8c954a5bdffd42c1c06b

Analysis

max time kernel
149s
max time network
156s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
03/04/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0505be6f429fe4941991d6fec86f1b7fe3eda3f9db3f8c954a5bdffd42c1c06b.apk
Size

2.6MB
MD5

770f0a962d9f4e5174651d88a6d50fad
SHA1

2f938610f8016ab86172f25bf7856df990523a5b
SHA256

0505be6f429fe4941991d6fec86f1b7fe3eda3f9db3f8c954a5bdffd42c1c06b
SHA512

02ec06fc4121b10aa8edd1e1f4d3486338e3e73328848c77b7917dfd98a4b4e3fee9222c3f09f9bd5787952115f9a13c34c4247d26c626036f7656fe67a510c0
SSDEEP

24576:G4m51+WtE0Ee93y/29339YPa8UGYqRpv+crRy5vstKctS3WCHUC2aFZee:9JWu0n9l9X8UGL5r/RtS3WVCjee

Score

10^/10

soumnibot banker defense_evasion evasion infostealer trojan

Malware Config

Signatures

Android SoumniBot payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_soumnibot

SoumniBot
SoumniBot is an Android banking trojan first seen in April 2024.
trojan infostealer banker soumnibot
Soumnibot family
soumnibot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/rflg.ewdorgvf.edf/app_rflg.ewdorgvf.edf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4803	rflg.ewdorgvf.edf
/data/user/0/rflg.ewdorgvf.edf/app_rflg.ewdorgvf.edf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs	4803	rflg.ewdorgvf.edf

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	rflg.ewdorgvf.edf

rflg.ewdorgvf.edf
1⤵
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4803

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

User Evasion

T1628.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/rflg.ewdorgvf.edf/app_rflg.ewdorgvf.edf.AAbaseZZ.AABaseApplicationZZ/newobfs/0.pobfs

Filesize
1.8MB

MD5
0af274d1d131c1ec2c4d427aa24c7e11

SHA1
acb5753b984e09a470cc2b75015eff90dc500d1f

SHA256
9a84703777fd6622dffc5ea44de0420ba421bd139fd0ae165f95413adc5e2be3

SHA512
ec0b906888b24210f6bb501f9043f030bc1c97c2437f85789e96d895d9b9383766086ea9f9d88e05dc409c2c8e45729370bdbb30730508600e05d76af1121301

Download Submit