Malware Analysis Report

2025-01-19 05:05

Sample ID 220603-g9sdgabga6
Target 7DCB987D39106EBB91CDE38CDB87E43377963014722A4D49B2C49370AD54AE82.apk
SHA256 7dcb987d39106ebb91cde38cdb87e43377963014722a4d49b2c49370ad54ae82
Tags
alienbot banker infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7dcb987d39106ebb91cde38cdb87e43377963014722a4d49b2c49370ad54ae82

Threat Level: Known bad

The file 7DCB987D39106EBB91CDE38CDB87E43377963014722A4D49B2C49370AD54AE82.apk was found to be: Known bad.

Malicious Activity Summary

alienbot banker infostealer trojan

Alienbot

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-03 06:30

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-03 06:30

Reported

2022-06-03 07:38

Platform

android-x64-20220310-en

Max time kernel

679479s

Max time network

172s

Command Line

lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei

Signatures

Alienbot

banker trojan infostealer alienbot

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A

Processes

lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei

getprop ro.miui.ui.version.name (executed 7 times)

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 216.58.214.8:443 | N/A | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | telegram.org | tcp
US | 188.114.96.0:443 | N/A | tcp
NL | 142.251.39.104:443 | N/A | tcp
NL | 172.217.168.206:443 | N/A | tcp
NL | 172.217.168.202:443 | N/A | tcp
NL | 142.251.36.2:443 | N/A | tcp
NL | 172.217.168.202:443 | N/A | tcp
NL | 172.217.168.202:443 | N/A | tcp
NL | 142.251.36.10:443 | N/A | tcp
NL | 172.217.168.202:443 | N/A | tcp

Files

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json

MD5 9a50331ca013d3490f29a6d332394abb
SHA1 0a41cedc0a8288a2ba1b8ec2c8fcc48ccc061fcb
SHA256 136a06e4d715455a817a70ab6b8162e187b224e11041a73b5e14e9ea6d8d3551
SHA512 d004b02652ae4c260aaa71fc6a771fd1e4281166e24860f5db34e0bc8f38de826220064325ecde28fd4824d6c0a05b6b8f7dac3e3de5f551c45a645f949d1398

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json

MD5 5eec4c66cd3b761348a9a8dc665afd6a
SHA1 f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb
SHA256 ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747
SHA512 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/oat/Kyk.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2022-06-03 06:30

Reported

2022-06-03 07:23

Platform

android-x64-arm64-20220310-en

Max time kernel

678579s

Max time network

170s

Command Line

lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei

Signatures

Alienbot

banker trojan infostealer alienbot

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A

Processes

lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei

getprop ro.miui.ui.version.name (executed 4 times)

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:853 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
NL | 142.251.36.8:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.10:80 | play.googleapis.com | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | telegram.org | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
US | 1.1.1.1:853 | N/A | tcp
NL | 216.58.208.104:443 | N/A | tcp

Files

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json

MD5 9a50331ca013d3490f29a6d332394abb
SHA1 0a41cedc0a8288a2ba1b8ec2c8fcc48ccc061fcb
SHA256 136a06e4d715455a817a70ab6b8162e187b224e11041a73b5e14e9ea6d8d3551
SHA512 d004b02652ae4c260aaa71fc6a771fd1e4281166e24860f5db34e0bc8f38de826220064325ecde28fd4824d6c0a05b6b8f7dac3e3de5f551c45a645f949d1398

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json

MD5 5eec4c66cd3b761348a9a8dc665afd6a
SHA1 f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb
SHA256 ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747
SHA512 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be

/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/oat/Kyk.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e