alienbot | 7c0049eaabd4a8a29f89124a6270c065c7ce543ea9123c76b8e4572757ccfb54

General

Target

Chrome3.3.39.apk
Size

3.2MB
MD5

53a43f911ccbb37ee659216a3eb554ba
SHA1

10a722a2db60e1ad6dc770405b82e519df85b1e0
SHA256

7c0049eaabd4a8a29f89124a6270c065c7ce543ea9123c76b8e4572757ccfb54
SHA512

233d4d611f47bc38d0b5e7d1fabc5c1299f36941b4cc2f3d0f8d4182010da508edc40098026c531e44ded5f155bf23c6b898f9ea4b6554df394f8aafb585739e

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://fiollool.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 2 IoCs
stealth trojan

Processes:

shine.furnace.original

pid process

3608 shine.furnace.original
3608 shine.furnace.original

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

shine.furnace.original

ioc	pid	process
/data/user/0/shine.furnace.original/app_DynamicOptDex/dtHkhk.json	3608	shine.furnace.original
/data/user/0/shine.furnace.original/app_DynamicOptDex/dtHkhk.json	3608	shine.furnace.original

Uses reflection 61 IoCs

obfuscation

Processes:

shine.furnace.original

description	pid	process
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method android.content.res.AssetManager.addAssetPath	3608	shine.furnace.original
Invokes method android.app.ContextImpl.getAssets	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method android.content.res.AssetManager.open	3608	shine.furnace.original
Invokes method java.io.FilterInputStream.read	3608	shine.furnace.original
Invokes method java.io.FilterInputStream.read	3608	shine.furnace.original
Invokes method java.io.BufferedInputStream.read	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.io.BufferedInputStream.close	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.lang.String.getBytes	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.io.FileOutputStream.write	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.io.BufferedInputStream.close	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.io.FilterOutputStream.close	3608	shine.furnace.original
Invokes method android.app.ActivityThread.currentActivityThread	3608	shine.furnace.original
Acesses field android.app.ActivityThread.mPackages	3608	shine.furnace.original
Invokes method java.lang.reflect.Field.get	3608	shine.furnace.original
Invokes method java.lang.Object.getClass	3608	shine.furnace.original
Invokes method java.lang.ref.Reference.get	3608	shine.furnace.original
Invokes method java.lang.ref.Reference.get	3608	shine.furnace.original
Acesses field android.app.LoadedApk.mClassLoader	3608	shine.furnace.original
Invokes method java.lang.reflect.Field.get	3608	shine.furnace.original
Acesses field android.app.LoadedApk.mClassLoader	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.get	3608	shine.furnace.original
Invokes method dalvik.system.CloseGuard.open	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.getInstance	3608	shine.furnace.original
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3608	shine.furnace.original

28 IoCs

Processes:

shine.furnace.original

pid	process
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original
3608	shine.furnace.original

shine.furnace.original
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3608

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads