alienbot | 18a65a4a2f2a090779878504bd199de8c2b74ddccfd74d213ac91c36d5db0582

General

Target

Android_update20.5.apk
Size

3.5MB
MD5

da37ad165c23e8351975e1e93c6c6b0e
SHA1

8e3bf72cf845477023213c12a2297f47de8bee67
SHA256

18a65a4a2f2a090779878504bd199de8c2b74ddccfd74d213ac91c36d5db0582
SHA512

c70da19c784420eab78d533a620a3fd32119d5990cb9b7cfbcce30d424849dfe5128dde01b21d8b22b1a2973e8f0f8a591ba7479f8e65526c84d59a2e8816084

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://trafpop22.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

swallow.mother.drift

pid process

4442 swallow.mother.drift

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

swallow.mother.drift

ioc	pid	process
/data/user/0/swallow.mother.drift/app_DynamicOptDex/BA.json	4442	swallow.mother.drift
/data/user/0/swallow.mother.drift/app_DynamicOptDex/BA.json	4442	swallow.mother.drift

Uses reflection 34 IoCs

obfuscation

Processes:

swallow.mother.drift

description	pid	process
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method android.content.res.AssetManager.addAssetPath	4442	swallow.mother.drift
Invokes method android.app.ContextImpl.getAssets	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method android.content.res.AssetManager.open	4442	swallow.mother.drift
Invokes method java.io.FilterInputStream.read	4442	swallow.mother.drift
Invokes method java.io.FilterInputStream.read	4442	swallow.mother.drift
Invokes method java.io.BufferedInputStream.read	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.io.BufferedInputStream.close	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.lang.String.getBytes	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.io.FileOutputStream.write	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.io.BufferedInputStream.close	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.io.FilterOutputStream.close	4442	swallow.mother.drift
Invokes method android.app.ActivityThread.currentActivityThread	4442	swallow.mother.drift
Acesses field android.app.ActivityThread.mPackages	4442	swallow.mother.drift
Invokes method java.lang.reflect.Field.get	4442	swallow.mother.drift
Invokes method java.lang.Object.getClass	4442	swallow.mother.drift
Invokes method java.lang.ref.Reference.get	4442	swallow.mother.drift
Invokes method java.lang.ref.Reference.get	4442	swallow.mother.drift
Acesses field android.app.LoadedApk.mClassLoader	4442	swallow.mother.drift
Invokes method java.lang.reflect.Field.get	4442	swallow.mother.drift
Acesses field android.app.LoadedApk.mClassLoader	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.get	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.open	4442	swallow.mother.drift
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.get	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.open	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.get	4442	swallow.mother.drift
Invokes method dalvik.system.CloseGuard.open	4442	swallow.mother.drift

64 IoCs

Processes:

swallow.mother.drift

pid	process
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift
4442	swallow.mother.drift

swallow.mother.drift
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4442

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads