alienbot | 5f144faed883fefbfa6f1483e8ee3384e163ac2740389a82bbfef32700cbec02

General

Target

Chrome3.17.10.apk
Size

3.0MB
MD5

e165fe32cdb23a7b1682462988147585
SHA1

ef4e393b1bcf2feb0e823546e0ef283269961aed
SHA256

5f144faed883fefbfa6f1483e8ee3384e163ac2740389a82bbfef32700cbec02
SHA512

4d0bf88d9fae966bc5befbb09d144bc2e9c66391cd2b7b19a05814f7356a8206e0b20af4c9bf54dd578b411aa8b5dc6629ad9cb6540d51ca5fa720dc4d90fd90

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://suffoopp.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

thank.embark.blur

pid	process
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

thank.embark.blur

ioc	pid	process
/data/user/0/thank.embark.blur/app_DynamicOptDex/MtZ.json	3623	thank.embark.blur
/data/user/0/thank.embark.blur/app_DynamicOptDex/MtZ.json	3623	thank.embark.blur

Uses reflection 64 IoCs

obfuscation

Processes:

thank.embark.blur

description	pid	process
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method android.content.res.AssetManager.addAssetPath	3623	thank.embark.blur
Invokes method android.app.ContextImpl.getAssets	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method android.content.res.AssetManager.open	3623	thank.embark.blur
Invokes method java.io.FilterInputStream.read	3623	thank.embark.blur
Invokes method java.io.FilterInputStream.read	3623	thank.embark.blur
Invokes method java.io.BufferedInputStream.read	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.io.BufferedInputStream.close	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.lang.String.getBytes	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.io.FileOutputStream.write	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.io.BufferedInputStream.close	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.io.FilterOutputStream.close	3623	thank.embark.blur
Invokes method android.app.ActivityThread.currentActivityThread	3623	thank.embark.blur
Acesses field android.app.ActivityThread.mPackages	3623	thank.embark.blur
Invokes method java.lang.reflect.Field.get	3623	thank.embark.blur
Invokes method java.lang.Object.getClass	3623	thank.embark.blur
Invokes method java.lang.ref.Reference.get	3623	thank.embark.blur
Invokes method java.lang.ref.Reference.get	3623	thank.embark.blur
Acesses field android.app.LoadedApk.mClassLoader	3623	thank.embark.blur
Invokes method java.lang.reflect.Field.get	3623	thank.embark.blur
Acesses field android.app.LoadedApk.mClassLoader	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.open	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	thank.embark.blur
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	thank.embark.blur
Invokes method dalvik.system.CloseGuard.get	3623	thank.embark.blur

51 IoCs

Processes:

thank.embark.blur

pid	process
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur
3623	thank.embark.blur

thank.embark.blur
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3623

thank.embark.blur
2⤵
PID:3671

getprop
2⤵
PID:3671

thank.embark.blur
2⤵
PID:3752

getprop
2⤵
PID:3752

thank.embark.blur
2⤵
PID:3785

getprop
2⤵
PID:3785

thank.embark.blur
2⤵
PID:3831

getprop
2⤵
PID:3831

thank.embark.blur
2⤵
PID:3892

getprop
2⤵
PID:3892

thank.embark.blur
2⤵
PID:3923

getprop
2⤵
PID:3923

thank.embark.blur
2⤵
PID:3954

getprop
2⤵
PID:3954

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads