alienbot | 0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73

Analysis

max time kernel
149s
max time network
156s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
04/12/2024, 22:06 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73.apk
Size

3.4MB
MD5

66fd97bf9913de7f9d7f57bc94dbfe79
SHA1

fa57844951fc91de94b12a984b68a1e336e44394
SHA256

0e8082b726164376cc6eb6cc013fa8e4d6400960949ac3805cb40af93d725d73
SHA512

631e3dd756b818dd753658288d93903d2cfe9686f3e5eafe12913f0daa893d4dc2cb8e8499638b270274019ba42950aac4c21cf93828803b1f74553dc75a5548
SSDEEP

98304:GAOarn/diY/W9ovGZDLBIEga6dQpcYwAWfFCUet+Ff96rkvubokjz:GAOarcY/W2vGZvBI2SdPfFZFlbvuTz

Score

10^/10

alienbot cerberus banker collection credential_access discovery evasion execution infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://servicesc.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Alienbot family
alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_cerberus

Removes its main activity from the application launcher 1 TTPs 7 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json	5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
/data/user/0/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json	5096	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr

msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5096

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.200.46
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

216.58.201.104
DNS

servicesc.xyz

Remote address:

1.1.1.1:53

Request

servicesc.xyz

IN A

Response
DNS

t.me

Remote address:

1.1.1.1:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3649
Connection: keep-alive
Set-Cookie: stel_ssid=8f06026533bdc4073b_10917031144255024691; expires=Thu, 05 Dec 2024 22:07:09 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3649
Connection: keep-alive
Set-Cookie: stel_ssid=dc3fb84599f03a88ed_1277689426527855006; expires=Thu, 05 Dec 2024 22:07:09 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3649
Connection: keep-alive
Set-Cookie: stel_ssid=8234103c41c92b1570_15754401979445629470; expires=Thu, 05 Dec 2024 22:07:38 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=41c55b703af7bc1da1_11434336782571565870; expires=Thu, 05 Dec 2024 22:07:38 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=aedcab68f71e145d4f_13184376655285649871; expires=Thu, 05 Dec 2024 22:07:47 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:07:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=471ced979b8a033431_10021183062817399991; expires=Thu, 05 Dec 2024 22:07:47 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3646
Connection: keep-alive
Set-Cookie: stel_ssid=afe9776984094d00cd_14291004042954977868; expires=Thu, 05 Dec 2024 22:08:11 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=65a795a561dae36bf2_623721161318678697; expires=Thu, 05 Dec 2024 22:08:11 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=3edfa06db627c217f3_8112247820457232675; expires=Thu, 05 Dec 2024 22:08:27 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=85b523b945e5bd37f7_6547584111120694762; expires=Thu, 05 Dec 2024 22:08:27 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3646
Connection: keep-alive
Set-Cookie: stel_ssid=1b6d8819aefaa1b3a9_14229800232998331825; expires=Thu, 05 Dec 2024 22:08:41 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:08:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3647
Connection: keep-alive
Set-Cookie: stel_ssid=94483930141273f53b_11135564281215761108; expires=Thu, 05 Dec 2024 22:08:41 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:09:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=9da022cf8ae09b0e4f_17420449717631265536; expires=Thu, 05 Dec 2024 22:09:08 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:09:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=41c10de0937f6ecfdd_1188251581849192371; expires=Thu, 05 Dec 2024 22:09:08 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=29bbadc8697e380015_3264419814597649386; expires=Thu, 05 Dec 2024 22:09:24 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000
GET

https://t.me/alissssssxxxxxx

Remote address:

149.154.167.99:443

Request

GET /alissssssxxxxxx HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
Host: t.me
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 04 Dec 2024 22:09:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3648
Connection: keep-alive
Set-Cookie: stel_ssid=0679e3d0a991744ddf_446254654769070363; expires=Thu, 05 Dec 2024 22:09:24 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Content-Encoding: gzip
Strict-Transport-Security: max-age=35768000

216.58.212.238:443

tls, https

914 B
40 B
1
1
142.250.180.14:443

tls, https

914 B
40 B
1
1
216.58.212.206:443

tls, https

914 B
40 B
1
1
142.250.200.46:443

android.apis.google.com

tls

4.9kB
8.6kB
21
24
172.217.169.74:443

tls, https

2.3kB
40 B
1
1
216.58.201.104:443

ssl.google-analytics.com

tls

1.4kB
6.3kB
10
9
149.154.167.99:443

https://t.me/alissssssxxxxxx

tls, http

6.7kB
77.7kB
58
78

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

HTTP Request

GET https://t.me/alissssssxxxxxx

HTTP Response

200

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.200.46
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

216.58.201.104
1.1.1.1:53

servicesc.xyz

dns

59 B
124 B
1
1

DNS Request

servicesc.xyz
1.1.1.1:53

t.me

dns

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

Filesize
723KB

MD5
a974446e49181fbf30c4614737abc596

SHA1
42a9e894f2652854067d90ddaa3adafee7967dc7

SHA256
3687b59d4b8a3ecaa164f5f04301303ce0192fdc2c296df20b3dc209cc3d2776

SHA512
dfa34829c2271969d7ae9a9ea67371abac312fc0db6518b43b2ff69dc8aa3c1532f2f0d3e51c130699301be6c28b363a4f1f11f040d3f1e27ed1ef194d11e060

Download Submit
/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/jeSk.json

Filesize
723KB

MD5
076e71f327de667a8c616f0ad4dae1ba

SHA1
171b0aaab6aa53e564c5328ee1af5fb416327399

SHA256
83c6d3e8bef45f67a9dcdc5f648cea621fb08d45da0421fbb383b14187cc1042

SHA512
0f2ddab6850803912b2c05fb960e8d8e5c2effc047321e28e54bef6194750be8625c0670fbd48c83ca03e901cb35a0bb200d19b199a64206ee7383d09613ff0a

Download Submit
/data/data/msqqqwokejyfwim.bzsotef.ftonpdptfkkfhcjxkrr/app_DynamicOptDex/oat/jeSk.json.cur.prof

Filesize
382B

MD5
0684c2b92ec9f3b3bbb6e8d249cc0968

SHA1
4db21b52e6aca05113cf871dba93392bfd19d2ab

SHA256
1669a85385fce88f5f27c39ef9df853119f13b8e31b10dfbacd33cedf185de58

SHA512
dd7c5b46dc812d2eda0e16dde8721a769b620aaa6e89d7f67ada32b2ce7cf34f3ceae83d36631d18768317764ce7a824c0988968b992813898eab388aa2ba331

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.