Analysis
max time kernel: 1656907s
max time network: 175s
platform: android_x64
resource: android-x64
submitted: 20-08-2021 08:50
Static task: static1
Behavioral task: behavioral1
Sample: 15642e08cce5fe12a41adbf68f05d7f9ecd9ef5c3440d286db67c3e1c5f88ff7.apk
Resource: android-x64
0 signatures
0 seconds
General
Target: 15642e08cce5fe12a41adbf68f05d7f9ecd9ef5c3440d286db67c3e1c5f88ff7.apk
Size: 3.2MB
MD5: c08173bd7c283a0106bc47bd8859c722
SHA1: ffdecd833c8f3b2ef2da97b8ddf0a5642547bba1
SHA256: 15642e08cce5fe12a41adbf68f05d7f9ecd9ef5c3440d286db67c3e1c5f88ff7
SHA512: df20ee94e15b267e3706498943f5f785deec8c084f1cf2bba3d6f1bfe3b8796fcd4fe6731c2e05143f135e12fea1413d0872562538805985de37278d3fc86b8e
Score: 10/10
Malware Config
Extracted
Family: alienbot
C2: http://34.89.218.199
Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/rapid.satoshi.tooth/app_DynamicOptDex/rsfjZgn.json | 3677 | rapid.satoshi.tooth
/data/user/0/rapid.satoshi.tooth/app_DynamicOptDex/rsfjZgn.json | 3677 | rapid.satoshi.tooth

Reads name of network operator (1 IoC)
Uses Android APIs to discover system information.
description | ioc | Process
Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | rapid.satoshi.tooth

Uses reflection (11 IoCs)
description | pid | Process
Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | 3677 | rapid.satoshi.tooth
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 3677 | rapid.satoshi.tooth
Accesses field javax.security.auth.x500.X500Principal.thisX500Name | 3677 | rapid.satoshi.tooth
Invokes method dalvik.system.CloseGuard.get | 3677 | rapid.satoshi.tooth
Invokes method dalvik.system.CloseGuard.open | 3677 | rapid.satoshi.tooth
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3677 | rapid.satoshi.tooth
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3677 | rapid.satoshi.tooth
Invokes method dalvik.system.CloseGuard.get | 3677 | rapid.satoshi.tooth
Invokes method dalvik.system.CloseGuard.open | 3677 | rapid.satoshi.tooth
Invokes method android.security.NetworkSecurityPolicy.getInstance | 3677 | rapid.satoshi.tooth
Invokes method android.security.NetworkSecurityPolicy.isCleartextTrafficPermitted | 3677 | rapid.satoshi.tooth