alienbot | 24893879c3a9e87ac259bc6557a0ed223bcf1abb7690ccd2edb6422f525da4a5

General

Target

Chrome3.18.2.apk
Size

3.0MB
MD5

061c838dffa17d136956b4eb9815d54c
SHA1

ee5af102c65e5da10a7b8fccd21423f3d29d1d44
SHA256

24893879c3a9e87ac259bc6557a0ed223bcf1abb7690ccd2edb6422f525da4a5
SHA512

b871d22e2c86b28b78906807750d3dca9561997df45a84818e153d152e0907993c3e8a8fa3c99142181a98bddb5f0d7881018a83c031c3fa928111744199056c

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://fiollool.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

truck.stable.already

pid process

3623 truck.stable.already
3623 truck.stable.already
3623 truck.stable.already

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

truck.stable.already

ioc	pid	process
/data/user/0/truck.stable.already/app_DynamicOptDex/RWElieZ.json	3623	truck.stable.already
/data/user/0/truck.stable.already/app_DynamicOptDex/RWElieZ.json	3623	truck.stable.already

Uses reflection 64 IoCs

obfuscation

Processes:

truck.stable.already

description	pid	process
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method android.content.res.AssetManager.addAssetPath	3623	truck.stable.already
Invokes method android.app.ContextImpl.getAssets	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method android.content.res.AssetManager.open	3623	truck.stable.already
Invokes method java.io.FilterInputStream.read	3623	truck.stable.already
Invokes method java.io.FilterInputStream.read	3623	truck.stable.already
Invokes method java.io.BufferedInputStream.read	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.io.BufferedInputStream.close	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.lang.String.getBytes	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.io.FileOutputStream.write	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.io.BufferedInputStream.close	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.io.FilterOutputStream.close	3623	truck.stable.already
Invokes method android.app.ActivityThread.currentActivityThread	3623	truck.stable.already
Acesses field android.app.ActivityThread.mPackages	3623	truck.stable.already
Invokes method java.lang.reflect.Field.get	3623	truck.stable.already
Invokes method java.lang.Object.getClass	3623	truck.stable.already
Invokes method java.lang.ref.Reference.get	3623	truck.stable.already
Invokes method java.lang.ref.Reference.get	3623	truck.stable.already
Acesses field android.app.LoadedApk.mClassLoader	3623	truck.stable.already
Invokes method java.lang.reflect.Field.get	3623	truck.stable.already
Acesses field android.app.LoadedApk.mClassLoader	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.open	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.getInstance	3623	truck.stable.already
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3623	truck.stable.already
Invokes method dalvik.system.CloseGuard.get	3623	truck.stable.already

35 IoCs

Processes:

truck.stable.already

pid	process
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already
3623	truck.stable.already

truck.stable.already
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3623

truck.stable.already
2⤵
PID:3673

getprop
2⤵
PID:3673

truck.stable.already
2⤵
PID:3755

getprop
2⤵
PID:3755

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads