alienbot | 4cb206bfc929e743a65f70a90e781dfb048e40b034e79724e1f785cf001b491f

General

Target

Correos3.22.1.apk
Size

2.9MB
MD5

a94f7795ebd3ee482479f9ec73022db2
SHA1

a068b0e0dd2e8f913b9891dde366b1c9fb9d6222
SHA256

4cb206bfc929e743a65f70a90e781dfb048e40b034e79724e1f785cf001b491f
SHA512

d861238d27d2d75d253d9fc2b9ece737829d1be1fe2f1438991e1a95fe3f38a223ea9edc496b45748a3ded9abf60b074e308c9de92b03249533068dff4ff6f04

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://siopoloiop.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

tortoise.rich.panic

pid	process
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

tortoise.rich.panic

ioc	pid	process
/data/user/0/tortoise.rich.panic/app_DynamicOptDex/ef.json	3612	tortoise.rich.panic
/data/user/0/tortoise.rich.panic/app_DynamicOptDex/ef.json	3612	tortoise.rich.panic

Uses reflection 64 IoCs

obfuscation

Processes:

tortoise.rich.panic

description	pid	process
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method android.content.res.AssetManager.addAssetPath	3612	tortoise.rich.panic
Invokes method android.app.ContextImpl.getAssets	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method android.content.res.AssetManager.open	3612	tortoise.rich.panic
Invokes method java.io.FilterInputStream.read	3612	tortoise.rich.panic
Invokes method java.io.FilterInputStream.read	3612	tortoise.rich.panic
Invokes method java.io.BufferedInputStream.read	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.io.BufferedInputStream.close	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.lang.String.getBytes	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.io.FileOutputStream.write	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.io.BufferedInputStream.close	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.io.FilterOutputStream.close	3612	tortoise.rich.panic
Invokes method android.app.ActivityThread.currentActivityThread	3612	tortoise.rich.panic
Acesses field android.app.ActivityThread.mPackages	3612	tortoise.rich.panic
Invokes method java.lang.reflect.Field.get	3612	tortoise.rich.panic
Invokes method java.lang.Object.getClass	3612	tortoise.rich.panic
Invokes method java.lang.ref.Reference.get	3612	tortoise.rich.panic
Invokes method java.lang.ref.Reference.get	3612	tortoise.rich.panic
Acesses field android.app.LoadedApk.mClassLoader	3612	tortoise.rich.panic
Invokes method java.lang.reflect.Field.get	3612	tortoise.rich.panic
Acesses field android.app.LoadedApk.mClassLoader	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.open	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.getInstance	3612	tortoise.rich.panic
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3612	tortoise.rich.panic
Invokes method dalvik.system.CloseGuard.get	3612	tortoise.rich.panic

51 IoCs

Processes:

tortoise.rich.panic

pid	process
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic
3612	tortoise.rich.panic

tortoise.rich.panic
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3612

tortoise.rich.panic
2⤵
PID:3659

getprop
2⤵
PID:3659

tortoise.rich.panic
2⤵
PID:3738

getprop
2⤵
PID:3738

tortoise.rich.panic
2⤵
PID:3773

getprop
2⤵
PID:3773

tortoise.rich.panic
2⤵
PID:3816

getprop
2⤵
PID:3816

tortoise.rich.panic
2⤵
PID:3866

getprop
2⤵
PID:3866

tortoise.rich.panic
2⤵
PID:3896

getprop
2⤵
PID:3896

tortoise.rich.panic
2⤵
PID:3930

getprop
2⤵
PID:3930

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads