alienbot | aabf6850d43466078485f3aadeaa14de9b9c925004a0f89f637d8469d6e267ce | Triage

Analysis

max time kernel
2800598s
max time network
129s
platform
android_x86_64
resource
android-x86_64
submitted
06-04-2021 11:22

Sharing

Report Analysis Logs

General

Target

3376050dc0a84ff700f5e9bb5f20b3cb4361b74bbc362a2a1d39e141db68ba06.apk
Size

335KB
MD5

b05a68cf54b407bbf081e6f58d57d7c0
SHA1

4921dee32d7301b10df02ae751fd8be24d88b943
SHA256

3376050dc0a84ff700f5e9bb5f20b3cb4361b74bbc362a2a1d39e141db68ba06
SHA512

a1055deb3de653c3560d782186439290b79437f794da2e7c04c2ed1240a35c06bc80d8593a4f3029d12bbb44485d703518969da064c47f956038ea634378c82d

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://devletpasakuzgunlese.digital

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 8 IoCs
stealth trojan

Processes:

com.djv.knhdc

pid process

3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc
3612 com.djv.knhdc

Uses reflection 17 IoCs

Processes:

com.djv.knhdc

description	pid	process
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.get	3612	com.djv.knhdc
Invokes method dalvik.system.CloseGuard.open	3612	com.djv.knhdc

com.djv.knhdc
1⤵
- Removes its main activity from the application launcher
- Uses reflection
PID:3612

com.djv.knhdc
2⤵
PID:3658

getprop
2⤵
PID:3658

com.djv.knhdc
2⤵
PID:3734

getprop
2⤵
PID:3734

com.djv.knhdc
2⤵
PID:3770

getprop
2⤵
PID:3770

com.djv.knhdc
2⤵
PID:3823

getprop
2⤵
PID:3823

com.djv.knhdc
2⤵
PID:3862

getprop
2⤵
PID:3862

com.djv.knhdc
2⤵
PID:3887

getprop
2⤵
PID:3887

com.djv.knhdc
2⤵
PID:3921

getprop
2⤵
PID:3921

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...