alienbot | 015737cccb4f8d953a8bd467413f42f02011fe99a080343a87117be941525396

General

Target

015737cccb4f8d953a8bd467413f42f02011fe99a080343a87117be941525396.apk
Size

3.0MB
MD5

15aebcb0ec47bc61eb7da673bf476659
SHA1

22db1208082ff490ce009f31504b4acccc468787
SHA256

015737cccb4f8d953a8bd467413f42f02011fe99a080343a87117be941525396
SHA512

917bcee1a894b54cdb7241615a840dd0181ca54dda54070a89340055fdd930f15b00b2ac612a79b4f870babcca978e2011a850501c3212a1ef7dae7d70f5421e

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://FulfillAgencytrooopy995.ga

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

deposit.economy.glue

pid process

3634 deposit.economy.glue
3634 deposit.economy.glue
3634 deposit.economy.glue

pid	process
3634	deposit.economy.glue
3634	deposit.economy.glue
3634	deposit.economy.glue

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

deposit.economy.glue

ioc	pid	process
/data/user/0/deposit.economy.glue/app_DynamicOptDex/Rog.json	3634	deposit.economy.glue
/data/user/0/deposit.economy.glue/app_DynamicOptDex/Rog.json	3634	deposit.economy.glue

Uses reflection 64 IoCs

obfuscation

Processes:

deposit.economy.glue

description	pid	process
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method android.content.res.AssetManager.addAssetPath	3634	deposit.economy.glue
Invokes method android.app.ContextImpl.getAssets	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method android.content.res.AssetManager.open	3634	deposit.economy.glue
Invokes method java.io.FilterInputStream.read	3634	deposit.economy.glue
Invokes method java.io.FilterInputStream.read	3634	deposit.economy.glue
Invokes method java.io.BufferedInputStream.read	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.io.BufferedInputStream.close	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.lang.String.getBytes	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.io.FileOutputStream.write	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.io.BufferedInputStream.close	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.io.FilterOutputStream.close	3634	deposit.economy.glue
Invokes method android.app.ActivityThread.currentActivityThread	3634	deposit.economy.glue
Acesses field android.app.ActivityThread.mPackages	3634	deposit.economy.glue
Invokes method java.lang.reflect.Field.get	3634	deposit.economy.glue
Invokes method java.lang.Object.getClass	3634	deposit.economy.glue
Invokes method java.lang.ref.Reference.get	3634	deposit.economy.glue
Invokes method java.lang.ref.Reference.get	3634	deposit.economy.glue
Acesses field android.app.LoadedApk.mClassLoader	3634	deposit.economy.glue
Invokes method java.lang.reflect.Field.get	3634	deposit.economy.glue
Acesses field android.app.LoadedApk.mClassLoader	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.open	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.getInstance	3634	deposit.economy.glue
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3634	deposit.economy.glue
Invokes method dalvik.system.CloseGuard.get	3634	deposit.economy.glue

deposit.economy.glue
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3634

deposit.economy.glue
2⤵
PID:3680

getprop
2⤵
PID:3680

deposit.economy.glue
2⤵
PID:3779

getprop
2⤵
PID:3779

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads