alienbot | 2ca0aec897795e2e06e561b695b1ac2c796eba4fb6d0bcde4ed33611708103e2

General

Target

Chrome3.17.16.apk
Size

3.0MB
MD5

e103b6704c3275ba7887707908f9788d
SHA1

4a83e31bb312631a038c1e0e0b441c905af0c2bc
SHA256

2ca0aec897795e2e06e561b695b1ac2c796eba4fb6d0bcde4ed33611708103e2
SHA512

c0ad04b937ac1f932b8aac84f90aeb9a5580421ef4dd1ac77370bc72267fa79bd4bcc4cee5e1cf2f6901fdac6cf661649a7e92eb856e0d61598e4cc69c324835

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://suffoopp.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

twin.perfect.immense

pid process

4324 twin.perfect.immense

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

twin.perfect.immense

ioc	pid	process
/data/user/0/twin.perfect.immense/app_DynamicOptDex/tODJ.json	4324	twin.perfect.immense
/data/user/0/twin.perfect.immense/app_DynamicOptDex/tODJ.json	4324	twin.perfect.immense

Uses reflection 38 IoCs

obfuscation

Processes:

twin.perfect.immense

description	pid	process
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method android.content.res.AssetManager.addAssetPath	4324	twin.perfect.immense
Invokes method android.app.ContextImpl.getAssets	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method android.content.res.AssetManager.open	4324	twin.perfect.immense
Invokes method java.io.FilterInputStream.read	4324	twin.perfect.immense
Invokes method java.io.FilterInputStream.read	4324	twin.perfect.immense
Invokes method java.io.BufferedInputStream.read	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.io.BufferedInputStream.close	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.lang.String.getBytes	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.io.FileOutputStream.write	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.io.BufferedInputStream.close	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.io.FilterOutputStream.close	4324	twin.perfect.immense
Invokes method android.app.ActivityThread.currentActivityThread	4324	twin.perfect.immense
Acesses field android.app.ActivityThread.mPackages	4324	twin.perfect.immense
Invokes method java.lang.reflect.Field.get	4324	twin.perfect.immense
Invokes method java.lang.Object.getClass	4324	twin.perfect.immense
Invokes method java.lang.ref.Reference.get	4324	twin.perfect.immense
Invokes method java.lang.ref.Reference.get	4324	twin.perfect.immense
Acesses field android.app.LoadedApk.mClassLoader	4324	twin.perfect.immense
Invokes method java.lang.reflect.Field.get	4324	twin.perfect.immense
Acesses field android.app.LoadedApk.mClassLoader	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.get	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.open	4324	twin.perfect.immense
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.get	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.open	4324	twin.perfect.immense
Invokes method android.security.NetworkSecurityPolicy.getInstance	4324	twin.perfect.immense
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.get	4324	twin.perfect.immense
Invokes method dalvik.system.CloseGuard.open	4324	twin.perfect.immense
Invokes method android.security.NetworkSecurityPolicy.getInstance	4324	twin.perfect.immense
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4324	twin.perfect.immense

64 IoCs

Processes:

twin.perfect.immense

pid	process
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense
4324	twin.perfect.immense

twin.perfect.immense
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4324

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads