alienbot | a298c2ad9e9bac7e160dce844f99bba4971f320c0ad8290a35c3cf7b3b9f44d5

General

Target

guncelleme.apk
Size

3.7MB
MD5

c184e85063a08d73206e31fa80475588
SHA1

e691051953a7616a1f39e7495c19c0f585c02f78
SHA256

a298c2ad9e9bac7e160dce844f99bba4971f320c0ad8290a35c3cf7b3b9f44d5
SHA512

8f184aaed1bc98fd0f163294e96ee2be113fd5c53dd2bb62c221e1247b4f766447a956e2d9f2e3ab36b0f5969f4b25d5ef0786be7b12b991e4eadd6eed059655

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://kralvevezir21.digital

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

coach.mystery.liquid

pid process

4711 coach.mystery.liquid
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

coach.mystery.liquid

ioc pid process

/data/user/0/coach.mystery.liquid/app_DynamicOptDex/BAUS.json 4711 coach.mystery.liquid

pid	process
4711	coach.mystery.liquid

ioc	pid	process
/data/user/0/coach.mystery.liquid/app_DynamicOptDex/BAUS.json	4711	coach.mystery.liquid

Uses reflection 44 IoCs

obfuscation

Processes:

coach.mystery.liquid

description	pid	process
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method android.content.res.AssetManager.addAssetPath	4711	coach.mystery.liquid
Invokes method android.app.ContextImpl.getAssets	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method android.content.res.AssetManager.open	4711	coach.mystery.liquid
Invokes method java.io.FilterInputStream.read	4711	coach.mystery.liquid
Invokes method java.io.FilterInputStream.read	4711	coach.mystery.liquid
Invokes method java.io.BufferedInputStream.read	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.io.BufferedInputStream.close	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.lang.String.getBytes	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.io.FileOutputStream.write	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.io.BufferedInputStream.close	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.io.FilterOutputStream.close	4711	coach.mystery.liquid
Invokes method android.app.ActivityThread.currentActivityThread	4711	coach.mystery.liquid
Acesses field android.app.ActivityThread.mPackages	4711	coach.mystery.liquid
Invokes method java.lang.reflect.Field.get	4711	coach.mystery.liquid
Invokes method java.lang.Object.getClass	4711	coach.mystery.liquid
Invokes method java.lang.ref.Reference.get	4711	coach.mystery.liquid
Invokes method java.lang.ref.Reference.get	4711	coach.mystery.liquid
Acesses field android.app.LoadedApk.mClassLoader	4711	coach.mystery.liquid
Invokes method java.lang.reflect.Field.get	4711	coach.mystery.liquid
Acesses field android.app.LoadedApk.mClassLoader	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.get	4711	coach.mystery.liquid
Invokes method dalvik.system.CloseGuard.open	4711	coach.mystery.liquid

coach.mystery.liquid
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4711

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads