alienbot | 96665e4a1638bec10375c4e402fbdbef6e7adee2849dcb5a15da4f9052391fde

General

Target

96665e4a1638bec10375c4e402fbdbef6e7adee2849dcb5a15da4f9052391fde.apk
Size

3.2MB
MD5

e0ad7691ce2766e8023aafb2b7954350
SHA1

87aa7b15fd5af3153486eb3b17f187da2da0e0ef
SHA256

96665e4a1638bec10375c4e402fbdbef6e7adee2849dcb5a15da4f9052391fde
SHA512

e39f563d76537d88b90ec4d91008e2cba05e11638ea52e87987acbbb8e58c4b54312062acc27687acd48904664ca8c241924c743a9f27e009a23198727b074cc

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://lgntsasasa.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 5 IoCs
stealth trojan

Processes:

afraid.move.pink

pid process

3610 afraid.move.pink
3610 afraid.move.pink
3610 afraid.move.pink
3610 afraid.move.pink
3610 afraid.move.pink

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

afraid.move.pink

ioc	pid	process
/data/user/0/afraid.move.pink/app_DynamicOptDex/PpZiGDt.json	3610	afraid.move.pink
/data/user/0/afraid.move.pink/app_DynamicOptDex/PpZiGDt.json	3610	afraid.move.pink

Tries to add a device administrator. 1 IoCs

Processes:

afraid.move.pink

description ioc process

Intent action android.app.action.ADD_DEVICE_ADMIN afraid.move.pink

description	ioc	process
Intent action	android.app.action.ADD_DEVICE_ADMIN	afraid.move.pink

Uses reflection 64 IoCs

obfuscation

Processes:

afraid.move.pink

description	pid	process
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method android.content.res.AssetManager.addAssetPath	3610	afraid.move.pink
Invokes method android.app.ContextImpl.getAssets	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method android.content.res.AssetManager.open	3610	afraid.move.pink
Invokes method java.io.FilterInputStream.read	3610	afraid.move.pink
Invokes method java.io.FilterInputStream.read	3610	afraid.move.pink
Invokes method java.io.BufferedInputStream.read	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.io.BufferedInputStream.close	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.lang.String.getBytes	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.io.FileOutputStream.write	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.io.BufferedInputStream.close	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.io.FilterOutputStream.close	3610	afraid.move.pink
Invokes method android.app.ActivityThread.currentActivityThread	3610	afraid.move.pink
Acesses field android.app.ActivityThread.mPackages	3610	afraid.move.pink
Invokes method java.lang.reflect.Field.get	3610	afraid.move.pink
Invokes method java.lang.Object.getClass	3610	afraid.move.pink
Invokes method java.lang.ref.Reference.get	3610	afraid.move.pink
Invokes method java.lang.ref.Reference.get	3610	afraid.move.pink
Acesses field android.app.LoadedApk.mClassLoader	3610	afraid.move.pink
Invokes method java.lang.reflect.Field.get	3610	afraid.move.pink
Acesses field android.app.LoadedApk.mClassLoader	3610	afraid.move.pink
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3610	afraid.move.pink
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3610	afraid.move.pink
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.getInstance	3610	afraid.move.pink
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.get	3610	afraid.move.pink
Invokes method dalvik.system.CloseGuard.open	3610	afraid.move.pink

48 IoCs

Processes:

afraid.move.pink

pid	process
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink
3610	afraid.move.pink

afraid.move.pink
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Tries to add a device administrator.
- Uses reflection
PID:3610

afraid.move.pink
2⤵
PID:3664

getprop
2⤵
PID:3664

afraid.move.pink
2⤵
PID:3749

getprop
2⤵
PID:3749

afraid.move.pink
2⤵
PID:3788

getprop
2⤵
PID:3788

afraid.move.pink
2⤵
PID:3833

getprop
2⤵
PID:3833

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads