alienbot | bce447711725ad9106a0094d25220103b1bf4ba83bc247b3662ff4a6bfe9c67e

General

Target

Evdeyim.apk
Size

2.3MB
MD5

3bfd4d18a3ceb4fb378772f1e4d1540c
SHA1

5f9926d498c3cd78fd99244cdd9f92de3a0eebc1
SHA256

bce447711725ad9106a0094d25220103b1bf4ba83bc247b3662ff4a6bfe9c67e
SHA512

dd841f39db5569e6ab1090eb0633f1370911edea38debc6621b57287d09063450c23a3b3f33b4e93269cda72a5c984537c03219a82cde834b202e5249c333f5a

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://asf12552fg.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

ghost.bottom.gap

pid process

4197 ghost.bottom.gap

Loads dropped Dex/Jar 12 IoCs

Runs executable file dropped to the device during analysis.

Processes:

ghost.bottom.gap

ioc	pid	process
/data/user/0/ghost.bottom.gap/app_DynamicOptDex/TuZN.json	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_DynamicOptDex/TuZN.json	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap
/data/user/0/ghost.bottom.gap/app_apk/ring0.apk	4197	ghost.bottom.gap

Reads name of network operator 1 IoCs
Uses Android APIs to discover system information.

Processes:

ghost.bottom.gap

description ioc process

Framework API call android.telephony.TelephonyManager.getNetworkOperatorName ghost.bottom.gap

description	ioc	process
Framework API call	android.telephony.TelephonyManager.getNetworkOperatorName	ghost.bottom.gap

Suspicious use of android.app.ActivityManager.getRunningServices 201 IoCs

Processes:

ghost.bottom.gap

pid	process
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap
4197	ghost.bottom.gap

Suspicious use of android.telephony.TelephonyManager.getLine1Number 2 IoCs

Processes:

ghost.bottom.gap

pid process

4197 ghost.bottom.gap
4197 ghost.bottom.gap
Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso 2 IoCs

Processes:

ghost.bottom.gap

pid process

4197 ghost.bottom.gap
4197 ghost.bottom.gap

Uses reflection 53 IoCs

obfuscation

Processes:

ghost.bottom.gap

description	pid	process
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method android.content.res.AssetManager.addAssetPath	4197	ghost.bottom.gap
Invokes method android.app.ContextImpl.getAssets	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method android.content.res.AssetManager.open	4197	ghost.bottom.gap
Invokes method java.io.FilterInputStream.read	4197	ghost.bottom.gap
Invokes method java.io.FilterInputStream.read	4197	ghost.bottom.gap
Invokes method java.io.BufferedInputStream.read	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.io.BufferedInputStream.close	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.lang.String.getBytes	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.io.FileOutputStream.write	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.io.BufferedInputStream.close	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.io.FilterOutputStream.close	4197	ghost.bottom.gap
Invokes method android.app.ActivityThread.currentActivityThread	4197	ghost.bottom.gap
Acesses field android.app.ActivityThread.mPackages	4197	ghost.bottom.gap
Invokes method java.lang.reflect.Field.get	4197	ghost.bottom.gap
Invokes method java.lang.Object.getClass	4197	ghost.bottom.gap
Invokes method java.lang.ref.Reference.get	4197	ghost.bottom.gap
Invokes method java.lang.ref.Reference.get	4197	ghost.bottom.gap
Acesses field android.app.LoadedApk.mClassLoader	4197	ghost.bottom.gap
Invokes method java.lang.reflect.Field.get	4197	ghost.bottom.gap
Acesses field android.app.LoadedApk.mClassLoader	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.get	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.open	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.getInstance	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.get	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.open	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.getInstance	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.get	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.open	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.getInstance	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.get	4197	ghost.bottom.gap
Invokes method dalvik.system.CloseGuard.open	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.getInstance	4197	ghost.bottom.gap
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap
Invokes method patch.ring0.run.main	4197	ghost.bottom.gap

ghost.bottom.gap
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads name of network operator
- Suspicious use of android.app.ActivityManager.getRunningServices
- Suspicious use of android.telephony.TelephonyManager.getLine1Number
- Suspicious use of android.telephony.TelephonyManager.getNetworkCountryIso
- Uses reflection
PID:4197

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads