alienbot | 85e2227bac98f2a283470798f9f15d63dc3e8f5d98c71385514603f181aefd83

General

Target

Correos_Seguimiento.apk
Size

2.6MB
MD5

b5ed569ccb0dcb73b78bd471cc5c7193
SHA1

d3226720af70556411228f967228fa775b60b0e3
SHA256

85e2227bac98f2a283470798f9f15d63dc3e8f5d98c71385514603f181aefd83
SHA512

9b26696b75ab92429ae3e715cf0d9cdbec775ff15f6d70381a60630010029621b2119f7c080a9c7644beb55a21bcb135630bd2804e1c901673132c490805ac1b

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://drasdsasa.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 7 IoCs

stealth trojan

Processes:

collect.path.one

pid	process
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

collect.path.one

ioc	pid	process
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json	3612	collect.path.one
/data/user/0/collect.path.one/app_DynamicOptDex/jq.json	3612	collect.path.one

Tries to add a device administrator. 1 IoCs

Processes:

collect.path.one

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN collect.path.one

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	collect.path.one

Uses reflection 64 IoCs

obfuscation

Processes:

collect.path.one

description	pid	process
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method android.content.res.AssetManager.addAssetPath	3612	collect.path.one
Invokes method android.app.ContextImpl.getAssets	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method android.content.res.AssetManager.open	3612	collect.path.one
Invokes method java.io.FilterInputStream.read	3612	collect.path.one
Invokes method java.io.FilterInputStream.read	3612	collect.path.one
Invokes method java.io.BufferedInputStream.read	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method java.io.BufferedInputStream.close	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method java.lang.String.getBytes	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method java.io.FileOutputStream.write	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method java.io.FilterOutputStream.close	3612	collect.path.one
Invokes method android.app.ActivityThread.currentActivityThread	3612	collect.path.one
Acesses field android.app.ActivityThread.mPackages	3612	collect.path.one
Invokes method java.lang.reflect.Field.get	3612	collect.path.one
Invokes method java.lang.Object.getClass	3612	collect.path.one
Invokes method java.lang.ref.Reference.get	3612	collect.path.one
Invokes method java.lang.ref.Reference.get	3612	collect.path.one
Acesses field android.app.LoadedApk.mClassLoader	3612	collect.path.one
Invokes method java.lang.reflect.Field.get	3612	collect.path.one
Acesses field android.app.LoadedApk.mClassLoader	3612	collect.path.one
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3612	collect.path.one
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3612	collect.path.one
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.get	3612	collect.path.one
Invokes method dalvik.system.CloseGuard.open	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	collect.path.one
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	collect.path.one

57 IoCs

Processes:

collect.path.one

pid	process
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one
3612	collect.path.one

collect.path.one
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Tries to add a device administrator.
- Uses reflection
PID:3612

collect.path.one
2⤵
PID:3682

getprop
2⤵
PID:3682

collect.path.one
2⤵
PID:3768

getprop
2⤵
PID:3768

collect.path.one
2⤵
PID:3803

getprop
2⤵
PID:3803

collect.path.one
2⤵
PID:3849

getprop
2⤵
PID:3849

collect.path.one
2⤵
PID:3899

getprop
2⤵
PID:3899

collect.path.one
2⤵
PID:3932

getprop
2⤵
PID:3932

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads