alienbot | b5141a34167d62ecc823b792f5e69fb98c247945394b93e1547fd29c11b093d2

General

Target

b5141a34167d62ecc823b792f5e69fb98c247945394b93e1547fd29c11b093d2.apk
Size

3.0MB
MD5

e27735ebf7edd8776463c6422d5344e9
SHA1

0c2a5bf1503c62be6bb31cb46a20f6151cb2a19e
SHA256

b5141a34167d62ecc823b792f5e69fb98c247945394b93e1547fd29c11b093d2
SHA512

7dda963a7fea88f15b2965e965523bbc7ec9fd3802ed147f916984e0294832bcbc8b6dd1ef6397bbe44b60690c888fd2601d496a6da04961c50ac9d0a3a65320

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://lwk25kl2424.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

adjust.disagree.enroll

pid	process
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

adjust.disagree.enroll

ioc	pid	process
/data/user/0/adjust.disagree.enroll/app_DynamicOptDex/Hl.json	3611	adjust.disagree.enroll
/data/user/0/adjust.disagree.enroll/app_DynamicOptDex/Hl.json	3611	adjust.disagree.enroll

Uses reflection 44 IoCs

obfuscation

Processes:

adjust.disagree.enroll

description	pid	process
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method android.content.res.AssetManager.addAssetPath	3611	adjust.disagree.enroll
Invokes method android.app.ContextImpl.getAssets	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method android.content.res.AssetManager.open	3611	adjust.disagree.enroll
Invokes method java.io.FilterInputStream.read	3611	adjust.disagree.enroll
Invokes method java.io.FilterInputStream.read	3611	adjust.disagree.enroll
Invokes method java.io.BufferedInputStream.read	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.io.BufferedInputStream.close	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.lang.String.getBytes	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.io.FileOutputStream.write	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.io.BufferedInputStream.close	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.io.FilterOutputStream.close	3611	adjust.disagree.enroll
Invokes method android.app.ActivityThread.currentActivityThread	3611	adjust.disagree.enroll
Acesses field android.app.ActivityThread.mPackages	3611	adjust.disagree.enroll
Invokes method java.lang.reflect.Field.get	3611	adjust.disagree.enroll
Invokes method java.lang.Object.getClass	3611	adjust.disagree.enroll
Invokes method java.lang.ref.Reference.get	3611	adjust.disagree.enroll
Invokes method java.lang.ref.Reference.get	3611	adjust.disagree.enroll
Acesses field android.app.LoadedApk.mClassLoader	3611	adjust.disagree.enroll
Invokes method java.lang.reflect.Field.get	3611	adjust.disagree.enroll
Acesses field android.app.LoadedApk.mClassLoader	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.get	3611	adjust.disagree.enroll
Invokes method dalvik.system.CloseGuard.open	3611	adjust.disagree.enroll

43 IoCs

Processes:

adjust.disagree.enroll

pid	process
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll
3611	adjust.disagree.enroll

adjust.disagree.enroll
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3611

adjust.disagree.enroll
2⤵
PID:3658

getprop
2⤵
PID:3658

adjust.disagree.enroll
2⤵
PID:3754

getprop
2⤵
PID:3754

adjust.disagree.enroll
2⤵
PID:3790

getprop
2⤵
PID:3790

adjust.disagree.enroll
2⤵
PID:3836

getprop
2⤵
PID:3836

adjust.disagree.enroll
2⤵
PID:3874

getprop
2⤵
PID:3874

adjust.disagree.enroll
2⤵
PID:3904

getprop
2⤵
PID:3904

adjust.disagree.enroll
2⤵
PID:3935

getprop
2⤵
PID:3935

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads