alienbot | 4fd61deadc84584edcc74e460877946f76740015aa15a208a5466e31e8502db1

General

Target

tmpioy8kvbq.apk
Size

2.2MB
MD5

8c254f45c9c31ae441691da4840d4677
SHA1

6270a5b2286a21c1d4706594dfdecc31e6ac6520
SHA256

4fd61deadc84584edcc74e460877946f76740015aa15a208a5466e31e8502db1
SHA512

bf99bf6872821d5d161232a6a0b515d26f44b9d41dc0c5c2ccd338d4b3c95e38c6dff6151288d0e1c6f77066e226f8de7fb8688c27d6b949d6fc8dacbfeab6e3

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://kolombickmolonick.site

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

nxnlfydxznzcnnoi.rfslsde.obtjkugx

pid process

3610 nxnlfydxznzcnnoi.rfslsde.obtjkugx
3610 nxnlfydxznzcnnoi.rfslsde.obtjkugx
3610 nxnlfydxznzcnnoi.rfslsde.obtjkugx

pid	process
3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

nxnlfydxznzcnnoi.rfslsde.obtjkugx

ioc	pid	process
/data/user/0/nxnlfydxznzcnnoi.rfslsde.obtjkugx/app_DynamicOptDex/Ud.json	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
/data/user/0/nxnlfydxznzcnnoi.rfslsde.obtjkugx/app_DynamicOptDex/Ud.json	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx

Uses reflection 35 IoCs

obfuscation

Processes:

nxnlfydxznzcnnoi.rfslsde.obtjkugx

description	pid	process
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method android.content.res.AssetManager.addAssetPath	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method android.app.ContextImpl.getAssets	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method android.content.res.AssetManager.open	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.FilterInputStream.read	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.FilterInputStream.read	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.BufferedInputStream.read	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.BufferedInputStream.close	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.String.getBytes	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.FileOutputStream.write	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.BufferedInputStream.close	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.io.FilterOutputStream.close	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method android.app.ActivityThread.currentActivityThread	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Acesses field android.app.ActivityThread.mPackages	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.reflect.Field.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.Object.getClass	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.ref.Reference.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.ref.Reference.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Acesses field android.app.LoadedApk.mClassLoader	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method java.lang.reflect.Field.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Acesses field android.app.LoadedApk.mClassLoader	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.open	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.open	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.open	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.get	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx
Invokes method dalvik.system.CloseGuard.open	3610	nxnlfydxznzcnnoi.rfslsde.obtjkugx

nxnlfydxznzcnnoi.rfslsde.obtjkugx
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3610

nxnlfydxznzcnnoi.rfslsde.obtjkugx
2⤵
PID:3658

getprop
2⤵
PID:3658

nxnlfydxznzcnnoi.rfslsde.obtjkugx
2⤵
PID:3742

getprop
2⤵
PID:3742

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads