alienbot | f409154a28f3ce4a2af50d1e570054c82a92481db5715011a92bc3776d0a3db3

General

Target

Android_Guncelleme.apk
Size

2.8MB
MD5

a2cd1717b5cce415d20e61f8190b2d32
SHA1

87af5e27170ee319c243cd61637c41b7e62d21fc
SHA256

f409154a28f3ce4a2af50d1e570054c82a92481db5715011a92bc3776d0a3db3
SHA512

951d17901e73fa1cf5f201a453810801418ccbef0b1e8a64cda0dc95c14dc715ac6f64c7a24dfd50f42d45a23220e6d89ae9302ce024c337a48409938bcd7172

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://seninle1tik.digital

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

fuel.current.under

pid process

4582 fuel.current.under
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

fuel.current.under

ioc pid process

/data/user/0/fuel.current.under/app_DynamicOptDex/ANpdHTs.json 4582 fuel.current.under

pid	process
4582	fuel.current.under

ioc	pid	process
/data/user/0/fuel.current.under/app_DynamicOptDex/ANpdHTs.json	4582	fuel.current.under

Uses reflection 46 IoCs

obfuscation

Processes:

fuel.current.under

description	pid	process
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method android.content.res.AssetManager.addAssetPath	4582	fuel.current.under
Invokes method android.app.ContextImpl.getAssets	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method android.content.res.AssetManager.open	4582	fuel.current.under
Invokes method java.io.FilterInputStream.read	4582	fuel.current.under
Invokes method java.io.FilterInputStream.read	4582	fuel.current.under
Invokes method java.io.BufferedInputStream.read	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.io.BufferedInputStream.close	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.lang.String.getBytes	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.io.FileOutputStream.write	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.io.BufferedInputStream.close	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.io.FilterOutputStream.close	4582	fuel.current.under
Invokes method android.app.ActivityThread.currentActivityThread	4582	fuel.current.under
Acesses field android.app.ActivityThread.mPackages	4582	fuel.current.under
Invokes method java.lang.reflect.Field.get	4582	fuel.current.under
Invokes method java.lang.Object.getClass	4582	fuel.current.under
Invokes method java.lang.ref.Reference.get	4582	fuel.current.under
Invokes method java.lang.ref.Reference.get	4582	fuel.current.under
Acesses field android.app.LoadedApk.mClassLoader	4582	fuel.current.under
Invokes method java.lang.reflect.Field.get	4582	fuel.current.under
Acesses field android.app.LoadedApk.mClassLoader	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.get	4582	fuel.current.under
Invokes method dalvik.system.CloseGuard.open	4582	fuel.current.under

fuel.current.under
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:4582

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads