Thursday, July 20, 2023

FantasyMW, a Brazilian banking trojan

Update: this appears to be a rebrand of an existing malware family called GoatRat, now named FantasyMW. More details at:

Sample seen in MalwareHunterTeam's tweet.

The sample is written in Kotlin and was built on a Windows host; this can be inferred from embedded strings containing Windows paths. At the time of the analysis the domains were not resolving. It appears to be a new or still-in-development banking trojan, as hinted by the path strings:


This is not the first ITW (in-the-wild) sample from this developer. The first ITW sample was seen on 2023-06-06 13:25:28 UTC and uses a different development path:


The path differs from the latest spotted sample. Since this is Brazilian malware, I chose to dub it Casanossolar, from the package name, instead of FantasyMalware.

This malware requests accessibility and overlay permissions to perform its activities. The complete list of requested permissions:









The sample contains URLs pointing to a ping endpoint and an initialization endpoint. On initialization, device information such as the hardware ID (hwid), device model and manufacturer is sent to the C2. The CLIENT_ID hardcoded in each sample is sent with every ping.



It currently targets only 6 applications, all of them banking applications from Brazil/Portugal. It calls PackageManager.getInstalledPackages to obtain the list of installed applications. Each targeted application has its own class, with methods shared between them. It applies overlays to steal credentials when the user opens their banking application.

Complete list of targeted applications as of 2023-07-20.

  • com.picpay

The first versions don't feature emulator checks on startup. The latest samples, however, contain startup emulator checks that attempt to detect Android-x86, Android emulators and Xposed, among others, by looking for the following strings:

  • goldfish

  • ranchu

  • google_sdk

  • Emulator

  • Android SDK built for x86

  • Genymotion

  • sdk_google

  • google_sdk

  • sdk

  • sdk_x86

  • vbox86p

  • emulator

It also uses the RootBeer library to check whether the device is rooted:

One of the first samples contains an image, presumably from the developer, who refers to himself as "Sicko", states that you are being hacked and gives an identifier for purchasing his malware. A reverse image search returns nothing, so it appears to be handcrafted by the author.

In one of the first versions seen in the wild there is a Discord webhook URL, and the Discord webhook module is also present in the code. Since the latest spotted samples drop the Discord hooks, the author now appears to rely only on their own backend.

There are different builds of the same code with different icons, in an attempt to deceive users into installing the application on their device or trusting it.

Overall, it looks like a family still in development. I will update this post with any updates and update the sample collection as well.


Virustotal Collection:












Friday, June 9, 2023

MammothFraud, an eastern SMS stealer

The malware, dubbed MammothFraud after one of its logging strings, МАМОНТИЗАЦИЯ! (roughly "mammothization"; "mammoth" is slang among Russian-speaking scammers for a victim), checks for the android.permission.CALL_PHONE permission and that the SDK version is greater than 26. If both hold, it attempts to dial a USSD code to obtain the device's mobile phone number, for example *111*0887# for the Russian provider MTS. When the permissions are not granted by the user, it prompts the user with a message asking to allow the requested permissions. The list also contains USSD codes for other telecom providers from Uzbekistan, Ukraine and Russia.

A list of the permissions requested:

  • android.permission.CALL_PHONE

  • android.permission.READ_SMS

  • android.permission.READ_PHONE_STATE

  • android.permission.SEND_SMS

  • android.permission.RECEIVE_SMS

  • android.permission.POST_NOTIFICATIONS

If there are active SIM cards in the device, the sample registers broadcast receivers for specific SMS-related events and for shutdown events. It also checks whether the following applications are installed on the device:



  • ru.raiffeisennews

  • ru.belkacar.belkacar

  • com.carshering

  • ru.tsk.ftc.bender.qpay


  • ru.sberbankmobile

All the information is logged and sent to the following Telegram account:

It supports commands for sending SMS, sending USSD requests, getting received SMS, getting sent SMS, showing toasts and banning. If it receives the ban command, it exits the application, as seen in the screenshot. The screenshot also lists all the commands that can be received: sendsms|sendussd|getsms|ban|showtoast|getsentsms


    "card": "",
    "limit": "100",
    "maxProfitValue": "1",
    "delay": "1


The sample also downloads a raw file from Pastebin; at the time of the visit it showed the following content:

If it fails to fetch the URL, it waits until the device has internet access again.

Anti-detection measures

The sample contains a function focused on detecting whether the APK is running in an emulated environment. Before doing any more thorough checks, it verifies that the sample isn't running under QEMU by checking

If any of the following strings are found, it returns false:

  • google_sdk, emulator, Android SDK built for x86, Genymotion, unknown

  • Boards: QC_Reference_Phone

  • Brands: generic, Xiaomi

  • Product: google_sdk 

There are also checks against Build.MANUFACTURER, Build.FINGERPRINT and Build.PRODUCT. If it finds "google" in Build.BRAND, it checks the fingerprint for the following:

  • :userdebug/dev-keys

  • :user/release-keys
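The checks above, and the string list in the FantasyMW post, are easy to replay against a sandbox before detonating a sample, so an analyst knows in advance whether the device will be flagged. The following is example code added for this page, not code from either sample. The post names the marker strings (and, for MammothFraud, some per-field values) but not exactly which android.os.Build fields each string is compared against; the field choices below are my assumption, and the two getprop dumps are constructed, not captured.

```python
"""Replay of the emulator checks described for FantasyMW (latest samples) and
MammothFraud against `adb shell getprop` output. Example code added for this
page, not code from either sample. ASSUMPTION: which Build fields each marker
is compared against is a guess; the post only lists the strings."""
import re
from typing import Dict, List

# Marker strings listed for the latest FantasyMW samples (kept case-sensitive:
# the sample lists both "Emulator" and "emulator").
FANTASYMW_MARKERS = [
    "goldfish", "ranchu", "google_sdk", "Emulator", "Android SDK built for x86",
    "Genymotion", "sdk_google", "sdk", "sdk_x86", "vbox86p", "emulator",
]

# MammothFraud: generic markers plus the per-field values from the post.
MAMMOTH_MARKERS = ["google_sdk", "emulator", "Android SDK built for x86",
                   "Genymotion", "unknown"]
MAMMOTH_BOARDS = {"QC_Reference_Phone"}
MAMMOTH_BRANDS = {"generic", "Xiaomi"}
MAMMOTH_PRODUCTS = {"google_sdk"}
MAMMOTH_GOOGLE_FINGERPRINT_TAILS = (":userdebug/dev-keys", ":user/release-keys")

# System property -> android.os.Build field (standard Android mapping).
PROP_TO_BUILD = {
    "ro.product.model": "MODEL",
    "ro.product.manufacturer": "MANUFACTURER",
    "ro.product.brand": "BRAND",
    "ro.product.name": "PRODUCT",
    "ro.product.device": "DEVICE",
    "ro.product.board": "BOARD",
    "ro.hardware": "HARDWARE",
    "ro.build.fingerprint": "FINGERPRINT",
}
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `adb shell getprop` lines into a dict keyed by Build field name."""
    build = {field: "" for field in PROP_TO_BUILD.values()}
    for line in output.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m and m.group("key") in PROP_TO_BUILD:
            build[PROP_TO_BUILD[m.group("key")]] = m.group("value")
    return build


def fantasymw_flags(build: Dict[str, str]) -> List[str]:
    """Substring match of every marker over every Build field (assumed scope)."""
    return [f"{field} contains {marker!r}"
            for field, value in build.items()
            for marker in FANTASYMW_MARKERS if marker in value]


def mammothfraud_flags(build: Dict[str, str]) -> List[str]:
    """Marker substrings over MODEL/MANUFACTURER/PRODUCT/HARDWARE/FINGERPRINT
    (assumed scope), exact matches on BOARD/BRAND/PRODUCT, and the
    fingerprint-tail check that only runs when BRAND contains "google"."""
    hits = [f"{field} contains {marker!r}"
            for field in ("MODEL", "MANUFACTURER", "PRODUCT", "HARDWARE", "FINGERPRINT")
            for marker in MAMMOTH_MARKERS if marker in build[field]]
    if build["BOARD"] in MAMMOTH_BOARDS:
        hits.append(f"BOARD is {build['BOARD']!r}")
    if build["BRAND"] in MAMMOTH_BRANDS:
        hits.append(f"BRAND is {build['BRAND']!r}")
    if build["PRODUCT"] in MAMMOTH_PRODUCTS:
        hits.append(f"PRODUCT is {build['PRODUCT']!r}")
    if "google" in build["BRAND"].lower():
        hits += [f"FINGERPRINT ends with {tail!r}"
                 for tail in MAMMOTH_GOOGLE_FINGERPRINT_TAILS
                 if build["FINGERPRINT"].endswith(tail)]
    return hits


def report(getprop_output: str) -> Dict[str, List[str]]:
    """Run both families' checks over one getprop dump."""
    build = parse_getprop(getprop_output)
    return {"fantasymw": fantasymw_flags(build),
            "mammothfraud": mammothfraud_flags(build)}


# Constructed inputs (a stock AVD and a Samsung phone), not real captured dumps.
AVD_GETPROP = """\
[ro.product.model]: [Android SDK built for x86]
[ro.product.manufacturer]: [Google]
[ro.product.brand]: [google]
[ro.product.name]: [sdk_gphone_x86]
[ro.product.device]: [generic_x86]
[ro.product.board]: [goldfish_x86]
[ro.hardware]: [ranchu]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/dev-keys]
"""
PHONE_GETPROP = """\
[ro.product.model]: [SM-G991B]
[ro.product.manufacturer]: [samsung]
[ro.product.brand]: [samsung]
[ro.product.name]: [o1sxxx]
[ro.product.device]: [o1s]
[ro.product.board]: [exynos2100]
[ro.hardware]: [exynos2100]
[ro.build.fingerprint]: [samsung/o1sxxx/o1s:13/TP1A.220624.014/G991BXXS8EWC4:user/release-keys]
"""

if __name__ == "__main__":
    for name, dump in (("AVD", AVD_GETPROP), ("phone", PHONE_GETPROP)):
        for family, hits in report(dump).items():
            print(f"{name}: {family}: {'flagged' if hits else 'clean'} {hits}")
```

Feed it the output of `adb shell getprop` from the sandbox device; any hit is a property you need to change (or hook) before the sample will run its real logic. Note that the bare "sdk" marker and the "google" plus ":user/release-keys" combination will also match some legitimate devices, which is a limitation of the samples' checks, not of the replay.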

So far, I have noticed 4 samples contacting the same Telegram bot. It is safe to say that all of them are likely from the same authors.


Friday, November 11, 2022

Zanubis updates with screenshot recording

As always, IOCs and targets at the end. Previous updates of this family at:

The latest Zanubis sample contains overall updates to the code. Among the most interesting is that it is shifting to recording the screen via the MediaProjection API and sending the recording back to the C2. The functionality is triggered over the socket with the command "iniciarVnc".

The crafted video from the screen recording is stored as "RecordedVideo.mp4" in external storage:

Via the accessibility service it has also added code to read text from the clipboard and to send keystrokes remotely. It also contains a method to simulate swipes given start and end coordinates, with the intention of remotely controlling the victim's device:

As of recent samples, on app startup it also sends the user to a government site to check their debts:



KEY: $%FLO032DFKSF234dsdf4RLOCMV@#

Targeted applications (banks and crypto wallets):

  • com.mibanco.bancamovil
  • com.bcp.innovacxion.yapeapp
  • com.ripley.banco.peru
  • com.cmac.cajamovilaqp
  • com.cajahuancayo.cajahuancayo.appcajahuancayo
  • com.cmacica.prd
  • pe.cajapiura.bancamovil
  • pe.solera.tarjetaoh
  • com.alfinbanco.appclientes
  • com.bm_gnb_pe
  • com.zoluxiones.officebanking
  • com.caja.myapplication
  • com.cajamaynas.cajamaynas
  • com.cajatacna.droid
  • com.appcajatrujillo
  • pe.confianza.bancamovil
  • com.efectivadigital.appclientes
  • com.qapaq.banking
  • air.PrexPeru
  • com.tottus
  • com.pichincha.cashmanagement
  • com.gateio.gateio
  • com.scotiabank.telebankingapp
  • com.bitkeep.wallet
  • com.bitmart.bitmarket
  • com.bitcoin.mwallet
  • cash.klever.blockchain.wallet
  • org.theta.wallet
  • com.wallet.crypto.trustapp
  • com.myetherwallet.mewwallet
  • pe.interbank.bie

Initial URL: https://mibegnon[.]com/wp-content/css/index.php

Socket C2:


  • http://001.kidz4lifeplus[.]org/005/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/006/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/001/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/004/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/002/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/010/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/003/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/008/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/007/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/009/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/011/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/015/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/017/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/012/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/014/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/013/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34
  • http://001.kidz4lifeplus[.]org/016/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34

Wednesday, October 19, 2022


As always, IOCs at the end. 


  • Uses IRC and FTP to send data to the attacker.

  • Gets the victim's IP address via external services (ip2location), retrying until it is able to connect to the service.

  • Gets the list of installed applications.

  • Sends SMS from the device.

  • Requests several permissions:

    • android.permission.INTERNET

    • android.permission.READ_EXTERNAL_STORAGE

    • android.permission.RECEIVE_BOOT_COMPLETED

    • android.permission.REBOOT

    • android.permission.CALL_PHONE

    • android.permission.READ_SMS

    • android.permission.READ_CONTACTS

    • android.permission.SEND_SMS

    • android.permission.WRITE_EXTERNAL_STORAGE

    • android.permission.READ_CALL_LOG

    • android.permission.SYSTEM_ALERT_WINDOW

  • Includes Spanish strings in the code, suggesting the actor is from a Spanish-speaking country.

  • The IP address the DuckDNS hostname resolves to, which serves the APK, is in Spain.

  • Useful links:

  • Virustotal Graph: 

  • Virustotal Collection:
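The permission lists on this page (this sample's, MammothFraud's, and the accessibility and overlay permissions FantasyMW requests) can be pulled straight from an apktool-decoded AndroidManifest.xml and mapped to capabilities during triage. The following is example code added for this page, not code from any of the samples; the capability groupings are my own heuristic, and the manifest below is constructed to mirror the MammothFraud permission list rather than taken from a real sample.

```python
"""Triage of an apktool-decoded AndroidManifest.xml: extract the requested
permissions, SMS_RECEIVED receivers and any accessibility service, then map
them to the capabilities seen in the families on this page (SMS theft and
sending, USSD dialling, overlays, accessibility abuse). Example code added
for this page, not taken from any sample. ASSUMPTION: the capability
groupings are a heuristic of my own; the manifest below is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capability -> permission set that must be fully present (heuristic).
CAPABILITIES: Dict[str, Set[str]] = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "ussd_dial": {"android.permission.CALL_PHONE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts_harvest": {"android.permission.READ_CONTACTS"},
    "call_log_harvest": {"android.permission.READ_CALL_LOG"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def _attr(elem: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, empty string if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def parse_manifest(xml_text: str) -> Dict[str, object]:
    """Return package name, requested permissions, manifest-declared
    SMS_RECEIVED receivers and whether an accessibility service is declared.
    Receivers registered dynamically at runtime (as MammothFraud does) do not
    appear here; only the permissions give them away."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")} - {""}
    accessibility = any(_attr(s, "permission") == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    sms_receivers = [_attr(r, "name") for r in root.iter("receiver")
                     if any(_attr(a, "name") == SMS_RECEIVED for a in r.iter("action"))]
    return {"package": root.get("package", ""), "permissions": perms,
            "accessibility_service": accessibility, "sms_receivers": sms_receivers}


def capabilities(info: Dict[str, object]) -> List[str]:
    """Map parsed manifest facts to capability labels (sorted for stable output)."""
    perms: Set[str] = info["permissions"]  # type: ignore[assignment]
    caps = [name for name, needed in CAPABILITIES.items() if needed <= perms]
    if info["sms_receivers"]:
        caps.append("manifest_sms_receiver")
    if info["accessibility_service"]:
        caps.append("accessibility_abuse")
        if "overlay" in caps:
            # Overlay plus accessibility is the banker combination seen in
            # FantasyMW and Zanubis; flag it explicitly.
            caps.append("banker_overlay")
    return sorted(caps)


def triage(xml_text: str) -> Dict[str, object]:
    info = parse_manifest(xml_text)
    return {"package": info["package"], "capabilities": capabilities(info)}


# Constructed manifest modelled on the MammothFraud permission list.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <application android:label="Constructed">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against `AndroidManifest.xml` from `apktool d sample.apk`; the output is a quick first cut for sorting a batch of samples into SMS stealers, USSD dialers and overlay bankers before opening any of them in a decompiler.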

This sample looks like a work in progress: there is functionality implemented that is never called during execution.

The channel, IDs and credentials used to send data via IRC or via FTP:

When connecting to the remote IRC server it answers from `irc.prodigybot[.]net`:

The random ID is generated by choosing a random number which is hardcoded:

It loops to ensure that the BOT_IP value is always the latest one:

There is functionality to get the list of applications installed on the device, but it is not called; the same goes for sending SMS and retrieving the contact list.

The owner strings point to possibly two different actors, SharK and G0ku, as seen in the code:


Separately, this DuckDNS dynamic DNS hostname has been used in the past for other payloads and has hosted unrelated malicious files:

Also, the serving IP address 95.60.57[.]103 is from Spain:

Similar samples were seen in the wild earlier, on 12 August 2022, which also points to a work in progress. The previous samples contain similar functionality with slight differences; for example, data is stored in resources, and the credentials stay the same. The resource owner string might again point to two actors.

Some functions absent from the current sample, such as fetching e-mail accounts via AccountManager, are present in these older samples:


  • Sample SHA256: a0715a88e289763cac6ca6ce5b5b24575c6d966591c7949eb88d0024dcace2bc

  • IRC port

  • Owners: {"G0KU", "SharK"}

  • Resolving IP address of the dyndns: 95.60.57[.]103

  • Other SHA256:

    • ca0f0b0f2175ad5a982c6a135fb833e0d0f6093fdbd8004483804e5177c89671

    • 496590c57e3c3cc1cebbfb5135667a00ff11678ca0a3c913c5532ce8169221f4

    • c3fa7ac9db35a7d28468b25429a8334d22c6819b12df923e6dd65e2d0f9c8aa3

    • 7e339c8bac29595a26185bdda3242919e0c0ab64fa54ce454ede738c983c306d

    • 33c9320da28b5d1bd7b1a3ef1ac2b16f2977dfb6cd5e03f2868d956fa1d6ab45

    • 2855011ea35cb91642ca75bd3d027273b83cb4511f5a4da50c41b15df9490793
