alienbot | b1908d38e44242eece0cc1d11e51cf482400977f110d8210ff9c12d7365af743

General

Target

AndroidUpdate.apk
Size

2.3MB
MD5

570d868aca95df74b7e3a2b8005cda2b
SHA1

fe3b0d48e0d75e70eeb546448fb25e52e4ab6cff
SHA256

b1908d38e44242eece0cc1d11e51cf482400977f110d8210ff9c12d7365af743
SHA512

82f2b3f82e440b8b6c7f9335d98a9a4a169ee934233d43d94f28ae2a872d55daf26ff8ada6ea67a3db0ecd8edbd452595a815aca44caf2d1060a1b9e52915b2c

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://bestof12beach.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

arrest.brush.lounge

description ioc process

Framework API call android.app.ApplicationPackageManager.getInstalledApplications arrest.brush.lounge
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

arrest.brush.lounge

pid process

4552 arrest.brush.lounge

description	ioc	process
Framework API call	android.app.ApplicationPackageManager.getInstalledApplications	arrest.brush.lounge

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

arrest.brush.lounge/system/bin/dex2oat

ioc	pid	process
/data/user/0/arrest.brush.lounge/app_DynamicOptDex/inHC.json	4552	arrest.brush.lounge
/data/user/0/arrest.brush.lounge/app_DynamicOptDex/inHC.json	4682	/system/bin/dex2oat

Tries to add a device administrator. 1 IoCs

Processes:

arrest.brush.lounge

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN arrest.brush.lounge
Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

arrest.brush.lounge

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName arrest.brush.lounge

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	arrest.brush.lounge

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	arrest.brush.lounge

Suspicious use of android.app.ActivityManager.getRunningServices 38 IoCs

Processes:

arrest.brush.lounge

pid	process
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge

Suspicious use of android.telephony.TelephonyManager.getLine1Number 8 IoCs

Processes:

arrest.brush.lounge

pid	process
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge
4552	arrest.brush.lounge

Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

arrest.brush.lounge

pid process

4552 arrest.brush.lounge
4552 arrest.brush.lounge

Uses reflection 87 IoCs

obfuscation

Processes:

arrest.brush.lounge

description	pid	process
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method android.content.res.AssetManager.addAssetPath	4552	arrest.brush.lounge
Invokes method android.app.ContextImpl.getAssets	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method android.content.res.AssetManager.open	4552	arrest.brush.lounge
Invokes method java.io.FilterInputStream.read	4552	arrest.brush.lounge
Invokes method java.io.FilterInputStream.read	4552	arrest.brush.lounge
Invokes method java.io.BufferedInputStream.read	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.io.BufferedInputStream.close	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.lang.String.getBytes	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.io.FileOutputStream.write	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.io.BufferedInputStream.close	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.io.FilterOutputStream.close	4552	arrest.brush.lounge
Invokes method android.app.ActivityThread.currentActivityThread	4552	arrest.brush.lounge
Acesses field android.app.ActivityThread.mPackages	4552	arrest.brush.lounge
Invokes method java.lang.reflect.Field.get	4552	arrest.brush.lounge
Invokes method java.lang.Object.getClass	4552	arrest.brush.lounge
Invokes method java.lang.ref.Reference.get	4552	arrest.brush.lounge
Invokes method java.lang.ref.Reference.get	4552	arrest.brush.lounge
Acesses field android.app.LoadedApk.mClassLoader	4552	arrest.brush.lounge
Invokes method java.lang.reflect.Field.get	4552	arrest.brush.lounge
Acesses field android.app.LoadedApk.mClassLoader	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.open	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.getInstance	4552	arrest.brush.lounge
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4552	arrest.brush.lounge
Invokes method dalvik.system.CloseGuard.get	4552	arrest.brush.lounge

arrest.brush.lounge
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Tries to add a device administrator.
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:4552

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads