alienbot | 103073604235e9e047abead5f497b5079e3a813f1aa036f5c6cb987c01ec421b

Analysis

max time kernel
1069174s
max time network
129s
platform
android_x86_64
resource
android-x86_64
submitted
08-12-2020 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fibabanka_Destek_obf.apk
Size

2.7MB
MD5

6073f077566eae176783153d604c018f
SHA1

fc94034f137032576e4cec1b79fa34c0f2cc3ab5
SHA256

103073604235e9e047abead5f497b5079e3a813f1aa036f5c6cb987c01ec421b
SHA512

3ac90c4ebb356a42f475b6f4f431050fbc4f3f1a199fa54a2b1aa4845a3f433c6e012220b2c6cf6e8d4cb574ebacd8e8d3d93d3a801be224e1df0c210121c91e

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

http://turkasker12.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 3 IoCs

stealth trojan

pid	Process
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/floor.visual.onion/app_DynamicOptDex/xaspZOn.json	3597	floor.visual.onion
/data/user/0/floor.visual.onion/app_DynamicOptDex/xaspZOn.json	3597	floor.visual.onion

Suspicious use of android.app.ActivityManager.getRunningServices 23 IoCs

pid	Process
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion

Suspicious use of android.telephony.TelephonyManager.getLine1Number 6 IoCs

pid	Process
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion
3597	floor.visual.onion

Uses reflection 40 IoCs

obfuscation

description	pid	Process
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method android.content.res.AssetManager.addAssetPath	3597	floor.visual.onion
Invokes method android.app.ContextImpl.getAssets	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method android.content.res.AssetManager.open	3597	floor.visual.onion
Invokes method java.io.FilterInputStream.read	3597	floor.visual.onion
Invokes method java.io.FilterInputStream.read	3597	floor.visual.onion
Invokes method java.io.BufferedInputStream.read	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.io.BufferedInputStream.close	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.lang.String.getBytes	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.io.FileOutputStream.write	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.io.BufferedInputStream.close	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.io.FilterOutputStream.close	3597	floor.visual.onion
Invokes method android.app.ActivityThread.currentActivityThread	3597	floor.visual.onion
Acesses field android.app.ActivityThread.mPackages	3597	floor.visual.onion
Invokes method java.lang.reflect.Field.get	3597	floor.visual.onion
Invokes method java.lang.Object.getClass	3597	floor.visual.onion
Invokes method java.lang.ref.Reference.get	3597	floor.visual.onion
Invokes method java.lang.ref.Reference.get	3597	floor.visual.onion
Acesses field android.app.LoadedApk.mClassLoader	3597	floor.visual.onion
Invokes method java.lang.reflect.Field.get	3597	floor.visual.onion
Acesses field android.app.LoadedApk.mClassLoader	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.get	3597	floor.visual.onion
Invokes method dalvik.system.CloseGuard.open	3597	floor.visual.onion

floor.visual.onion
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Uses reflection
PID:3597
- floor.visual.onion
  2⤵
  PID:3647
- getprop
  2⤵
  PID:3647
- floor.visual.onion
  2⤵
  PID:3730
- getprop
  2⤵
  PID:3730

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads