alienbot | 34a019fa671da69f8a53c116110bee127a39cc517e71b9f2bf819d23a09e976c

General

Target

multi.apk
Size

2.4MB
MD5

25dbb2e7c15f00d01a222c78cc96cb6d
SHA1

579f99a4c4bb7b5d3b4d5dde87400424a7004d44
SHA256

34a019fa671da69f8a53c116110bee127a39cc517e71b9f2bf819d23a09e976c
SHA512

d10c3ae03f1936287c17c28bfa2f2d90f7e078dcaf55c26500355a81a3dbd2834aa621ffbf70ab255d4da82df94b1af752d382eb67190d57c09b3ce2a1e8706a

Score

10^/10

alienbot banker infostealer obfuscation stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://akpli.club

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

burst.save.avoid

pid process

3611 burst.save.avoid
3611 burst.save.avoid
3611 burst.save.avoid

pid	process
3611	burst.save.avoid
3611	burst.save.avoid
3611	burst.save.avoid

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

burst.save.avoid

ioc	pid	process
/data/user/0/burst.save.avoid/app_DynamicOptDex/qhRl.json	3611	burst.save.avoid
/data/user/0/burst.save.avoid/app_DynamicOptDex/qhRl.json	3611	burst.save.avoid

Uses reflection 42 IoCs

obfuscation

Processes:

burst.save.avoid

description	pid	process
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method android.content.res.AssetManager.addAssetPath	3611	burst.save.avoid
Invokes method android.app.ContextImpl.getAssets	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method android.content.res.AssetManager.open	3611	burst.save.avoid
Invokes method java.io.FilterInputStream.read	3611	burst.save.avoid
Invokes method java.io.FilterInputStream.read	3611	burst.save.avoid
Invokes method java.io.BufferedInputStream.read	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.io.BufferedInputStream.close	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.lang.String.getBytes	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.io.FileOutputStream.write	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.io.BufferedInputStream.close	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.io.FilterOutputStream.close	3611	burst.save.avoid
Invokes method android.app.ActivityThread.currentActivityThread	3611	burst.save.avoid
Acesses field android.app.ActivityThread.mPackages	3611	burst.save.avoid
Invokes method java.lang.reflect.Field.get	3611	burst.save.avoid
Invokes method java.lang.Object.getClass	3611	burst.save.avoid
Invokes method java.lang.ref.Reference.get	3611	burst.save.avoid
Invokes method java.lang.ref.Reference.get	3611	burst.save.avoid
Acesses field android.app.LoadedApk.mClassLoader	3611	burst.save.avoid
Invokes method java.lang.reflect.Field.get	3611	burst.save.avoid
Acesses field android.app.LoadedApk.mClassLoader	3611	burst.save.avoid
Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE	3611	burst.save.avoid
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3611	burst.save.avoid
Acesses field javax.security.auth.x500.X500Principal.thisX500Name	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.get	3611	burst.save.avoid
Invokes method dalvik.system.CloseGuard.open	3611	burst.save.avoid

burst.save.avoid
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Uses reflection
PID:3611

burst.save.avoid
2⤵
PID:3669

getprop
2⤵
PID:3669

burst.save.avoid
2⤵
PID:3754

getprop
2⤵
PID:3754

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads