andrmonitor

Sharing

Copy URL

Twitter E-mail

General

Target

ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
Size

20.5MB
Sample

240701-cplmzawfqm
MD5

69a3362a56aceeae697d711b85ea1bd0
SHA1

05af8c183ee7934be6bb1077992be1aa79a4d17f
SHA256

ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
SHA512

75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
SSDEEP

393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84

Score

10^/10

Malware Config

Extracted

Family

andrmonitor

https://anmon.name/mch.html

Targets

- Target
  
  ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
- Size
  
  20.5MB
- MD5
  
  69a3362a56aceeae697d711b85ea1bd0
- SHA1
  
  05af8c183ee7934be6bb1077992be1aa79a4d17f
- SHA256
  
  ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
- SHA512
  
  75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
- SSDEEP
  
  393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84
Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware trojan
- AndrMonitor
  AndrMonitor is an Android stalkerware.
  trojan infostealer spyware andrmonitor
- Checks if the Android device is rooted.
  evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
  banker discovery
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  evasion persistence
- Queries information about the current Wi-Fi connection
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  discovery
- Queries the unique device ID (IMEI, MEID, IMSI)
  discovery
- Reads information about phone network operator.
  discovery
- Requests cell location
  Uses Android APIs to to get current cell information.
  collection discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries the phone number (MSISDN for GSM devices)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests cell location

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2