alienbot | 1f79f445605a9f5651f415de8d472b33a6e2d1a787dc625a95d45a0aab1e1a04

General

Target

e3ae7cb2eaa532da35412d2d96ec08b02a907678f18518c9e7d3dd59ddd96e67.apk
Size

3.6MB
MD5

dea978d07ac311a6e5c98704c01c95c5
SHA1

2443f8e9795088d7277524cef6be6497ca4bc6da
SHA256

e3ae7cb2eaa532da35412d2d96ec08b02a907678f18518c9e7d3dd59ddd96e67
SHA512

c93800347bac73550477cdf5258bac1d760e2ddbf8b3608c2fd71c3b8e0d5f93f48d9decfe529c3b89fb07485c56f04dfc83007dd094803379aa8f61a98a47cf

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://ototmootot.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

course.long.type

pid process

4499 course.long.type

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

course.long.type

ioc	pid	process
/data/user/0/course.long.type/app_DynamicOptDex/hs.json	4499	course.long.type
/data/user/0/course.long.type/app_DynamicOptDex/hs.json	4499	course.long.type

Uses reflection 34 IoCs

obfuscation

Processes:

course.long.type

description	pid	process
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method android.content.res.AssetManager.addAssetPath	4499	course.long.type
Invokes method android.app.ContextImpl.getAssets	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method android.content.res.AssetManager.open	4499	course.long.type
Invokes method java.io.FilterInputStream.read	4499	course.long.type
Invokes method java.io.FilterInputStream.read	4499	course.long.type
Invokes method java.io.BufferedInputStream.read	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.io.BufferedInputStream.close	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.lang.String.getBytes	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.io.FileOutputStream.write	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.io.BufferedInputStream.close	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.io.FilterOutputStream.close	4499	course.long.type
Invokes method android.app.ActivityThread.currentActivityThread	4499	course.long.type
Acesses field android.app.ActivityThread.mPackages	4499	course.long.type
Invokes method java.lang.reflect.Field.get	4499	course.long.type
Invokes method java.lang.Object.getClass	4499	course.long.type
Invokes method java.lang.ref.Reference.get	4499	course.long.type
Invokes method java.lang.ref.Reference.get	4499	course.long.type
Acesses field android.app.LoadedApk.mClassLoader	4499	course.long.type
Invokes method java.lang.reflect.Field.get	4499	course.long.type
Acesses field android.app.LoadedApk.mClassLoader	4499	course.long.type
Invokes method dalvik.system.CloseGuard.get	4499	course.long.type
Invokes method dalvik.system.CloseGuard.open	4499	course.long.type
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4499	course.long.type
Invokes method dalvik.system.CloseGuard.get	4499	course.long.type
Invokes method dalvik.system.CloseGuard.open	4499	course.long.type
Invokes method dalvik.system.CloseGuard.get	4499	course.long.type
Invokes method dalvik.system.CloseGuard.open	4499	course.long.type

64 IoCs

Processes:

course.long.type

pid	process
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type
4499	course.long.type

course.long.type
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4499

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads