alienbot | 96ab53899db38080f89781aa6e0b3826fbdc4d650e781a4faba9b49a1f96b560

General

Target

DestekBasvuruFormu.apk
Size

2.8MB
MD5

e763207653ee9506e09c10ef43090faa
SHA1

1856ebdd170ca8abc15cc38dc065190997f141eb
SHA256

96ab53899db38080f89781aa6e0b3826fbdc4d650e781a4faba9b49a1f96b560
SHA512

6b29b7cb99ce686606172586a1af94c4c9a1bac3e7c5c7b8b98f6f8c47f6bd8a5f8ce9ec9a113dffc2d08454bb9bac1a107859d1d54e307b0638a96f259f318a

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://seymidostm0214.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Removes its main activity from the application launcher 7 IoCs

stealth trojan

Processes:

time.rhythm.rent

pid	process
3615	time.rhythm.rent
3615	time.rhythm.rent
3615	time.rhythm.rent
3615	time.rhythm.rent
3615	time.rhythm.rent
3615	time.rhythm.rent
3615	time.rhythm.rent

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

time.rhythm.rent

ioc	pid	process
/data/user/0/time.rhythm.rent/app_DynamicOptDex/BXkEYB.json	3615	time.rhythm.rent
/data/user/0/time.rhythm.rent/app_DynamicOptDex/BXkEYB.json	3615	time.rhythm.rent
/data/data/time.rhythm.rent/app_apk/ring0.apk	3615	time.rhythm.rent

Uses reflection 55 IoCs

obfuscation

Processes:

time.rhythm.rent

description	pid	process
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method android.content.res.AssetManager.addAssetPath	3615	time.rhythm.rent
Invokes method android.app.ContextImpl.getAssets	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method android.content.res.AssetManager.open	3615	time.rhythm.rent
Invokes method java.io.FilterInputStream.read	3615	time.rhythm.rent
Invokes method java.io.FilterInputStream.read	3615	time.rhythm.rent
Invokes method java.io.BufferedInputStream.read	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.io.BufferedInputStream.close	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.lang.String.getBytes	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.io.FileOutputStream.write	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.io.BufferedInputStream.close	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.io.FilterOutputStream.close	3615	time.rhythm.rent
Invokes method android.app.ActivityThread.currentActivityThread	3615	time.rhythm.rent
Acesses field android.app.ActivityThread.mPackages	3615	time.rhythm.rent
Invokes method java.lang.reflect.Field.get	3615	time.rhythm.rent
Invokes method java.lang.Object.getClass	3615	time.rhythm.rent
Invokes method java.lang.ref.Reference.get	3615	time.rhythm.rent
Invokes method java.lang.ref.Reference.get	3615	time.rhythm.rent
Acesses field android.app.LoadedApk.mClassLoader	3615	time.rhythm.rent
Invokes method java.lang.reflect.Field.get	3615	time.rhythm.rent
Acesses field android.app.LoadedApk.mClassLoader	3615	time.rhythm.rent
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3615	time.rhythm.rent
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent
Invokes method patch.ring0.run.main	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.get	3615	time.rhythm.rent
Invokes method dalvik.system.CloseGuard.open	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.getInstance	3615	time.rhythm.rent
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted	3615	time.rhythm.rent

time.rhythm.rent
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3615

time.rhythm.rent
2⤵
PID:3669

getprop
2⤵
PID:3669

time.rhythm.rent
2⤵
PID:3753

getprop
2⤵
PID:3753

time.rhythm.rent
2⤵
PID:3787

getprop
2⤵
PID:3787

time.rhythm.rent
2⤵
PID:3823

getprop
2⤵
PID:3823

time.rhythm.rent
2⤵
PID:3854

getprop
2⤵
PID:3854

time.rhythm.rent
2⤵
PID:3889

getprop
2⤵
PID:3889

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads