alienbot | 0d234a99d189910685ac0dcc450f0cf95695f6ad896978cf85dc10e072362c64

General

Target

Chrome3.18.8.apk
Size

3.0MB
MD5

bcb4b45244bc3ab7ca5f36f8a291391f
SHA1

65cdcd763a142838c726ea03ee0916864e9e778d
SHA256

0d234a99d189910685ac0dcc450f0cf95695f6ad896978cf85dc10e072362c64
SHA512

76e68ff95ac96d16d9e2e8dd9be0e938367d3878ab924d98133e86118956c56780100787fe3c3b6dfbb9247fa8c588541741620a973c320fe71d9b957ccd5e6a

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://fiollool.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

smoke.left.prepare

pid process

4232 smoke.left.prepare

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

smoke.left.prepare

ioc	pid	process
/data/user/0/smoke.left.prepare/app_DynamicOptDex/Kn.json	4232	smoke.left.prepare
/data/user/0/smoke.left.prepare/app_DynamicOptDex/Kn.json	4232	smoke.left.prepare

Uses reflection 47 IoCs

obfuscation

Processes:

smoke.left.prepare

description	pid	process
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method android.content.res.AssetManager.addAssetPath	4232	smoke.left.prepare
Invokes method android.app.ContextImpl.getAssets	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method android.content.res.AssetManager.open	4232	smoke.left.prepare
Invokes method java.io.FilterInputStream.read	4232	smoke.left.prepare
Invokes method java.io.FilterInputStream.read	4232	smoke.left.prepare
Invokes method java.io.BufferedInputStream.read	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.io.BufferedInputStream.close	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.lang.String.getBytes	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.io.FileOutputStream.write	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.io.BufferedInputStream.close	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.io.FilterOutputStream.close	4232	smoke.left.prepare
Invokes method android.app.ActivityThread.currentActivityThread	4232	smoke.left.prepare
Acesses field android.app.ActivityThread.mPackages	4232	smoke.left.prepare
Invokes method java.lang.reflect.Field.get	4232	smoke.left.prepare
Invokes method java.lang.Object.getClass	4232	smoke.left.prepare
Invokes method java.lang.ref.Reference.get	4232	smoke.left.prepare
Invokes method java.lang.ref.Reference.get	4232	smoke.left.prepare
Acesses field android.app.LoadedApk.mClassLoader	4232	smoke.left.prepare
Invokes method java.lang.reflect.Field.get	4232	smoke.left.prepare
Acesses field android.app.LoadedApk.mClassLoader	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.get	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.open	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.getInstance	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.get	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.open	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.getInstance	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.get	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.open	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.getInstance	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.get	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.open	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.getInstance	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.get	4232	smoke.left.prepare
Invokes method dalvik.system.CloseGuard.open	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.getInstance	4232	smoke.left.prepare
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	4232	smoke.left.prepare

64 IoCs

Processes:

smoke.left.prepare

pid	process
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare
4232	smoke.left.prepare

smoke.left.prepare
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4232

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads