Analysis

  • max time kernel
    88s
  • max time network
    101s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    17/01/2025, 13:40 UTC

General

  • Target

    4ef824a4d877bd5387489c4ef025df31.apk

  • Size

    6.1MB

  • MD5

    4ef824a4d877bd5387489c4ef025df31

  • SHA1

    56e6105a2e4abd42d91af68f1d71f7d62e6624be

  • SHA256

    1d556e4aa3bc2ed163350908bfeb608a65233ea373cf54b22726b39fecb3cb7d

  • SHA512

    09f1af7af9b3efc7bfca8ff77dbc6beca533808702b3d93dc6f51be9d75f53ee62a9f42b5691c57d297d26ee2062ffb2f1330b4346e012ea9313fee2b149fbd0

  • SSDEEP

    98304:y55P4cIZYS/uxnwvHNh/FfwEXyXNzmZmOUErVUl3JzjjaoV53EsrsH:yDPFIyS/LH1fAymAS3Jz6oV+

Malware Config

Signatures

  • AxBanker

    AxBanker is an Android banking trojan that targets bank customers' information and is distributed through fake bank applications.

  • Axbanker family
  • Queries information about active data network 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • com.gameram.gameramer
    1⤵
    • Queries information about active data network
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4268

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • flag-us
    DNS
    icreardstt.co.in
    Remote address:
    1.1.1.1:53
    Request
    icreardstt.co.in
    IN A
    Response
    icreardstt.co.in
    IN A
    65.21.226.29
  • flag-fi
    POST
    https://icreardstt.co.in/api/user/step1
    Remote address:
    65.21.226.29:443
    Request
    POST /api/user/step1 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: icreardstt.co.in
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 89
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    set-cookie: ci_session=91cb4ef30a2f145f22678e966f299784e5dc04d0; expires=Fri, 17-Jan-2025 15:41:34 GMT; Max-Age=7200; path=/; HttpOnly; secure
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    content-type: text/html; charset=UTF-8
    content-length: 68
    content-encoding: gzip
    vary: Accept-Encoding
    date: Fri, 17 Jan 2025 13:41:34 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
  • flag-fi
    POST
    https://icreardstt.co.in/api/user/step2
    Remote address:
    65.21.226.29:443
    Request
    POST /api/user/step2 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: icreardstt.co.in
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 86
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    set-cookie: ci_session=3979744d63b90169bc94bd6ea4a3346689c2abff; expires=Fri, 17-Jan-2025 15:41:47 GMT; Max-Age=7200; path=/; HttpOnly; secure
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    content-type: text/html; charset=UTF-8
    content-length: 68
    content-encoding: gzip
    vary: Accept-Encoding
    date: Fri, 17 Jan 2025 13:41:47 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
  • flag-fi
    POST
    https://icreardstt.co.in/new/api/user/step1
    Remote address:
    65.21.226.29:443
    Request
    POST /new/api/user/step1 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: icreardstt.co.in
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 32
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    set-cookie: ci_session=cbb6f716de9f81c786f25ece8f6da833f3abfe83; expires=Fri, 17-Jan-2025 15:41:51 GMT; Max-Age=7200; path=/; HttpOnly; secure
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    content-type: text/html; charset=UTF-8
    content-length: 68
    content-encoding: gzip
    vary: Accept-Encoding
    date: Fri, 17 Jan 2025 13:41:51 GMT
    server: LiteSpeed
  • 142.250.200.42:443
    tls, https
    202 B
    40 B
    1
    1
  • 216.58.204.78:443
    tls, https
    858 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    3.7kB
    7.7kB
    12
    18
  • 65.21.226.29:443
    https://icreardstt.co.in/api/user/step1
    tls, http
    1.3kB
    4.7kB
    12
    12

    HTTP Request

    POST https://icreardstt.co.in/api/user/step1

    HTTP Response

    200
  • 65.21.226.29:443
    https://icreardstt.co.in/new/api/user/step1
    tls, http
    1.8kB
    1.9kB
    9
    8

    HTTP Request

    POST https://icreardstt.co.in/api/user/step2

    HTTP Response

    200

    HTTP Request

    POST https://icreardstt.co.in/new/api/user/step1

    HTTP Response

    200
  • 224.0.0.251:5353
    3.3kB
    10
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    320 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    172.217.169.42
    142.250.178.10
    172.217.16.234
    172.217.169.74
    216.58.213.10
    216.58.201.106
    142.250.180.10
    142.250.187.202
    142.250.187.234
    142.250.179.234
    216.58.204.74
    172.217.169.10
    216.58.212.202
    142.250.200.42
    142.250.200.10

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    icreardstt.co.in
    dns
    62 B
    78 B
    1
    1

    DNS Request

    icreardstt.co.in

    DNS Response

    65.21.226.29

MITRE ATT&CK Mobile v15
