alienbot | ef4e055b09926d762ce6beae47df5170980213d8e69d6c6a7952f0b24748814f

General

Target

UpdateApps_obf.apk
Size

2.7MB
MD5

3d17727e871c75397625b9c235e24c35
SHA1

e8d5218a592a25318ab42ad58c68a6683a1a5bc3
SHA256

ef4e055b09926d762ce6beae47df5170980213d8e69d6c6a7952f0b24748814f
SHA512

4528c17a9c145d4820081fae2c02f0138bdbb0b98ace08aeb4737f87ac56250a1a559a56d3f72c63e89420290abdc615d8af43028623ba346f165b1802bdc582

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://yataarfsns.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

sun.excuse.image

description ioc process

Framework API call android.app.ApplicationPackageManager.getInstalledApplications sun.excuse.image
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

sun.excuse.image

pid process

3597 sun.excuse.image
3597 sun.excuse.image
3597 sun.excuse.image

description	ioc	process
Framework API call	android.app.ApplicationPackageManager.getInstalledApplications	sun.excuse.image

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

sun.excuse.image

ioc	pid	process
/data/user/0/sun.excuse.image/app_DynamicOptDex/aHnh.json	3597	sun.excuse.image
/data/user/0/sun.excuse.image/app_DynamicOptDex/aHnh.json	3597	sun.excuse.image

Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

sun.excuse.image

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName sun.excuse.image

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	sun.excuse.image

Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs

Processes:

sun.excuse.image

pid	process
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image
3597	sun.excuse.image

Suspicious use of android.telephony.TelephonyManager.getLine1Number 6 IoCs

Processes:

sun.excuse.image

pid process

3597 sun.excuse.image
3597 sun.excuse.image
3597 sun.excuse.image
3597 sun.excuse.image
3597 sun.excuse.image
3597 sun.excuse.image
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

sun.excuse.image

pid process

3597 sun.excuse.image
3597 sun.excuse.image

Uses reflection 71 IoCs

obfuscation

Processes:

sun.excuse.image

description	pid	process
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method android.content.res.AssetManager.addAssetPath	3597	sun.excuse.image
Invokes method android.app.ContextImpl.getAssets	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method android.content.res.AssetManager.open	3597	sun.excuse.image
Invokes method java.io.FilterInputStream.read	3597	sun.excuse.image
Invokes method java.io.FilterInputStream.read	3597	sun.excuse.image
Invokes method java.io.BufferedInputStream.read	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.io.BufferedInputStream.close	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.lang.String.getBytes	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.io.FileOutputStream.write	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.io.BufferedInputStream.close	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.io.FilterOutputStream.close	3597	sun.excuse.image
Invokes method android.app.ActivityThread.currentActivityThread	3597	sun.excuse.image
Acesses field android.app.ActivityThread.mPackages	3597	sun.excuse.image
Invokes method java.lang.reflect.Field.get	3597	sun.excuse.image
Invokes method java.lang.Object.getClass	3597	sun.excuse.image
Invokes method java.lang.ref.Reference.get	3597	sun.excuse.image
Invokes method java.lang.ref.Reference.get	3597	sun.excuse.image
Acesses field android.app.LoadedApk.mClassLoader	3597	sun.excuse.image
Invokes method java.lang.reflect.Field.get	3597	sun.excuse.image
Acesses field android.app.LoadedApk.mClassLoader	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.open	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.getInstance	3597	sun.excuse.image
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3597	sun.excuse.image
Invokes method dalvik.system.CloseGuard.get	3597	sun.excuse.image

sun.excuse.image
1⤵
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:3597
- sun.excuse.image
  2⤵
  PID:3643
- getprop
  2⤵
  PID:3643
- sun.excuse.image
  2⤵
  PID:3730
- getprop
  2⤵
  PID:3730

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads