andrmonitor

Sharing

Copy URL

Twitter E-mail

General

Target

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b.apk
Size

20.5MB
Sample

240502-bsyw2afb76
MD5

5682f19f3a2723db1c7141c9157ab93e
SHA1

748ea5d804fafc742824bd4c2f9c0259822de99d
SHA256

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
SHA512

63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
SSDEEP

393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl

Score

10^/10

Malware Config

Extracted

Family

andrmonitor

https://anmon.name/mch.html

Targets

- Target
  
  583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b.apk
- Size
  
  20.5MB
- MD5
  
  5682f19f3a2723db1c7141c9157ab93e
- SHA1
  
  748ea5d804fafc742824bd4c2f9c0259822de99d
- SHA256
  
  583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
- SHA512
  
  63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
- SSDEEP
  
  393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl
Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan
- AndrMonitor
  AndrMonitor is an Android stalkerware.
  trojan infostealer spyware andrmonitor
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Registers a broadcast receiver at runtime (usually for listening for system events)
  persistence
- Acquires the wake lock
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests cell location
  Uses Android APIs to to get current cell information.
  collection discovery
- Requests dangerous framework permissions
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries account information for other applications stored on the device

Queries information about the current Wi-Fi connection

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests cell location

Requests dangerous framework permissions

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2