alienbot | 85e2227bac98f2a283470798f9f15d63dc3e8f5d98c71385514603f181aefd83

General

Target

Correos_Seguimiento (1).apk
Size

2.6MB
MD5

b5ed569ccb0dcb73b78bd471cc5c7193
SHA1

d3226720af70556411228f967228fa775b60b0e3
SHA256

85e2227bac98f2a283470798f9f15d63dc3e8f5d98c71385514603f181aefd83
SHA512

9b26696b75ab92429ae3e715cf0d9cdbec775ff15f6d70381a60630010029621b2119f7c080a9c7644beb55a21bcb135630bd2804e1c901673132c490805ac1b

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://drasdsasa.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

collect.path.one

pid process

4364 collect.path.one

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

collect.path.one

ioc	pid	process
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json	4364	collect.path.one
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json	4364	collect.path.one

Uses reflection 64 IoCs

obfuscation

Processes:

collect.path.one

description	pid	process
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method android.content.res.AssetManager.addAssetPath	4364	collect.path.one
Invokes method android.app.ContextImpl.getAssets	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method android.content.res.AssetManager.open	4364	collect.path.one
Invokes method java.io.FilterInputStream.read	4364	collect.path.one
Invokes method java.io.FilterInputStream.read	4364	collect.path.one
Invokes method java.io.BufferedInputStream.read	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method java.io.BufferedInputStream.close	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method java.lang.String.getBytes	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method java.io.FileOutputStream.write	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method java.io.FilterOutputStream.close	4364	collect.path.one
Invokes method android.app.ActivityThread.currentActivityThread	4364	collect.path.one
Acesses field android.app.ActivityThread.mPackages	4364	collect.path.one
Invokes method java.lang.reflect.Field.get	4364	collect.path.one
Invokes method java.lang.Object.getClass	4364	collect.path.one
Invokes method java.lang.ref.Reference.get	4364	collect.path.one
Invokes method java.lang.ref.Reference.get	4364	collect.path.one
Acesses field android.app.LoadedApk.mClassLoader	4364	collect.path.one
Invokes method java.lang.reflect.Field.get	4364	collect.path.one
Acesses field android.app.LoadedApk.mClassLoader	4364	collect.path.one
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4364	collect.path.one
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4364	collect.path.one
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.get	4364	collect.path.one
Invokes method dalvik.system.CloseGuard.open	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	4364	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4364	collect.path.one

64 IoCs

Processes:

collect.path.one

pid	process
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one
4364	collect.path.one

collect.path.one
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4364

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads