Showing posts from July, 2023

FantasyMW, a brazilian banking trojan

Update: Apparently this is a rebrand of an existing malware family called GoatRat, now named FantasyMW. More details at: https://www.opencti.net.br/goatrat-ressurge-com-um-novo-nome-fantasymw-android-banking-trojan-40dbbba8e7d9

Sample seen in MalwareHunterTeam's tweet. The sample is written in Kotlin and was built on a Windows host OS; this can be inferred from strings containing Windows paths. At the time of the analysis the domains were not resolving. It seems to be a new or under-development banking trojan, as hinted by the path strings:

C:/Users/55119/Documents/NewBankingTrojan/production/app/src/main/java/com/fuck/thepolice/MainActivity.kt

This is not the first ITW sample from this developer. The first ITW sample was seen on 2023-06-06 13:25:28 UTC and uses a different development path:

C:/Users/nuke/Documents/FantasyMalware/BasicVersion/

The path differs from the latest spotted sample. Since this is a Brazilian malware, I chose to dub it as Casanossolar f