antidot | b039eb4e742a77a99452781f9de0aafd51bcfad6dcfea745e88200d0dd1ab69a

Analysis

max time kernel
149s
max time network
150s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
04/04/2025, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.apk
Size

17.1MB
MD5

d44caa02e4fa7e2992b327abb4242791
SHA1

2ec56ee9ad5fe44a3407ff977c6d0b5dfe4704e6
SHA256

3de709dadce6084258b4928145e5da404affeeedad19426f93a2741d6fd6dcf4
SHA512

46b0c1d1a118bbfe621a1f95d2186259db9f3d458adbfdd07686961559d88b37252b1d71fdd4d9aad6e6f6e2b120c906fd52dc04612ae6e1de17fe9d356af57a
SSDEEP

393216:n/6/FU/4HPKDDeXtn7rqqn8W41YRdcz27+rDrfn7S3Zd:n/6924yDiXZr18W41YRvwDrfmZd

Score

10^/10

antidot banker collection credential_access defense_evasion discovery evasion execution impact infostealer persistence trojan

Malware Config

Signatures

Antidot
Antidot is an Android banking trojan first seen in May 2024.
banker trojan infostealer antidot
Antidot family
antidot

Antidot payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_antidot

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.belilu.acm/app_dex/classes.dex	5080	com.belilu.acm
/data/user/0/com.belilu.acm/app_dex/classes.dex	5080	com.belilu.acm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.belilu.acm

Checks the application is allowed to request package installs through the package installer 1 TTPs 1 IoCs

Checks the application is allowed to install additional applications (Might try to install applications from unknown sources).

defense_evasion

Code Signing Policy Modification

T1632.001

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.canRequestPackageInstalls	com.belilu.acm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.belilu.acm

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.belilu.acm

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.belilu.acm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.belilu.acm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.belilu.acm

com.belilu.acm
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Checks the application is allowed to request package installs through the package installer
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:5080

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Subvert Trust Controls

T1632

Code Signing Policy Modification

T1632.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.belilu.acm/app_dex/classes.dex

Filesize
1.6MB

MD5
f255edad36ca54915519e76fed7d8049

SHA1
1b5e5200fc0a4739f65170d8c62a12914272e480

SHA256
ea8abdff5124a73c975b186e92de2fefc8d19b688082bea46cd7773b46374dfc

SHA512
939eee51aa07b8672a911510603fa88fa1a5e9de2f907a2352e46d04cc2002dfb2c50aa7a91b8d1d92c724ecc0f7e992c412f6cd4f208cc7183a99a01dbdb397

Download Submit
/data/data/com.belilu.acm/cache/classes.dex

Filesize
781KB

MD5
52c154dcde5d100bb1526079b0d7966c

SHA1
fb8b8531e5c1da60d3d4ad3336df1202c6b2ee66

SHA256
6c5ba604db8fcec76fbdca3a3a6356effc5d74cb20e526834157ec2c1055d56b

SHA512
81d5297e24d3935b88c88a8bb5af2c2fa56323a375200f3d3ecd0215bdce53d13b017c2ed76f4668000eb3f5a9a61cbfb4661735f6b22c250bd12af68ee0263b

Download Submit
/data/data/com.belilu.acm/cache/classes.zip

Filesize
782KB

MD5
37e70e82c84d65f7b0334ddd76d7b3ff

SHA1
0661ee06aa45c7c7e90e94b0ac3b19bb70f60b5f

SHA256
3b8f83cf8b8e2033f0d1198ac495858e4803b4c655a4281a1f77187b7b779ce5

SHA512
eec81c2771c655fb76f2ffb85f8fa24ae03eba6576299e295f21632e73d02f7c341c35f448ab8ac3de1b1b7eef409f1217e44fc55ce862f0cb5f022c70edc981

Download Submit
/data/data/com.belilu.acm/files/profileInstalled

Filesize
24B

MD5
235fb6895480d643054f9290417b97d7

SHA1
33f865c6ce8901d243f0fd50ee5dd5671b6c1261

SHA256
a0afdebac467f09d74f5d095d5060c87f8d79f452112910a7386441e7dd83f76

SHA512
0fdee1e31a436fafbfb9e6f3e9a9ce4d0a582993e4f5e209f20367385886289355ce60d75ea5706a342ab4a00e64b8eefcdbfbbe6d3c0dd93dcea46ef94c9d71

Download Submit
/data/data/com.belilu.acm/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
7d218f0240ab3f25d49e368129013887

SHA1
049e0b2e88ce958ac019461f6af7bddbd2bf2fdf

SHA256
49e19d5c30fb643527814eb2bd9039669f8505143ebf9ad95f1d34e007fe7320

SHA512
5e27228809063a9169ebbc66184b1ad7c96904d8ef4e5fd4bfc2a9486ac36b01b67510b75f254a5bacdb808aa0bb4255e7c7defa392b8bd4e26923b4ad24fdcc

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb

Filesize
172KB

MD5
757e8f0164ef0cc54751fb2a1b06f618

SHA1
5a8775c12bf176adc62a05f1cdaff1e39fe201be

SHA256
44059e270b344d1a99269a4836e49fd5bf234be194487d3ae9695f2fb2f55957

SHA512
1c29ac0bbfa28c0542f6241393a06d67eecd34a9a5ca82544667a195d92a589393d2fab90bea6720d9908f6eea8360af1c160ba4498d560dfd9a74ddc7195203

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
3e337e3d61a80747e9714da9e60da3ac

SHA1
2c433a1c9f4fa25756f97ea8bb43422bf12f87ce

SHA256
415342e1760f0206e8f36ce57ecdaafaa0753e81e5e9b75ecc6d1029798bb740

SHA512
b1bdbda8090eaf650080f2dbc884ae818e55c74084748fcf79a82183181f8acee776ecd66a0004ec8318ebc97734da77ca23c1ae9edee9a69d1c31f1c9eb31da

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb-wal

Filesize
426KB

MD5
047c4487c085f6c2521d0b918d06b00c

SHA1
15a36baf4d4fa9452d7112c5b57afea7641d164c

SHA256
1fac74dbb18e5752aa7995e6fc34105eb1d86383da661c5a7a3d17e2371b04c3

SHA512
5762f54a59e8771aa0277bcb7a7f9ca6a89a166178d676e5a0e6c2169f580fef1e6bd38daf324f94bc3c75968e0b8cc0a4164997044f335fd6b6a83c54883d1e

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
ab69b83c506f038e906c58176163c020

SHA1
bab6ab6725fb666af465e38b7bb14f5fc8595255

SHA256
bd3aad5368d6302897c112b69617b1e56451f028d0c6892eb62e13b74d31ddfd

SHA512
b00947d694d2e42ca1d937dca5403fe5006f4d9309fc4c0b8ec0d82c2a8a41206966399791c01a70b26ed49eb20bfff2d7ba8db15e29fcd480590f779385c01a

Download Submit
/data/data/com.belilu.acm/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
2e17817947c434facac5f6f2d762ea5f

SHA1
c540101b205dcd40be657a656c4c5d2d7b400206

SHA256
e8933546c3b90b14da4bd14ff2dd4e5bfac4432d7081ab87771c6bd1338bbdfe

SHA512
7289db323e427ad2814b04ccb051eb026fd978169616a140904d1cbdffe0fef079cdd35fa6162c15d5b7e7841075667da1e46253bf96ac62b64bab4408050487

Download Submit
/data/misc/profiles/cur/0/com.belilu.acm/primary.prof

Filesize
1013B

MD5
00290bc6b09ac837f078d4ac753e0284

SHA1
135a20dd7ca2c536b52883a1c3210e146087ffc1

SHA256
0f30686171731bd060c6bfed03aa7d8efd96b517b9dc9b962ac1432d7d9fc717

SHA512
0d2a64d482fac57df157ea4278f8025fc4a1dc1918b78b282b61a3f34fbd74ab7cdd47dfac7f92f7c6378c58226ae0f952bf32cf5fd5f5fd919704a5c7ac0fe2

Download Submit
/data/misc/profiles/cur/0/com.belilu.acm/primary.prof

Filesize
25B

MD5
b9d9e0f8902d129e1aeebff0ae7b725b

SHA1
cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

SHA256
25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

SHA512
f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads