Hunting the Android/BianLian botnet
Common Information
Type Value
UUID 8a4a7590-aef1-402c-a316-10f1820124b8
Fingerprint f4535ff81746e580b8206cf97ee3d9894f3c4673362a01de345f3971b036af2a
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 19, 2022, 5:21 p.m.
Added to db April 16, 2024, 6:50 p.m.
Last updated Aug. 31, 2024, 12:01 a.m.
Headline Hunting the Android/BianLian botnet
Title Hunting the Android/BianLian botnet
Detected Hints/Tags/Attributes 172/3/128
Attributes
Type              #Events  Value
Domain                 30  fortinet.com
Domain                247  www.virusbulletin.com
Domain                  1  zhgggga.in
Domain                  1  8nocetkasshbfx3pvhftizbpbsxvlhjy75pl3uwg.zip
Domain                  6  at.ing
Domain                 17  com.bankaustria.android
Domain                  4  de.comdirect.app
Domain                  1  ings.pin
Domain                 10  mobile.santander.de
Domain                  2  samsung.settings.pin
Domain                  2  com.sdktools.android.bot
Domain                188  com.android
Domain                  2  com.teamviewer.host.market
Domain                  9  com.samsung
Domain                  1  com.teamviewer.host
Domain                 52  android.app
Domain                  6  android.intent.action.call
Domain                 57  com.google.android
Domain                 95  ip-api.com
Domain                768  www.youtube.com
Domain                 29  vimeo.com
Domain                  4  crax.tube
Domain                  1  edwardevans12343.top
Domain                  1  saarahguerra8934.top
Domain                  1  rupertholmes11123.top
Domain                 17  www.threatfabric.com
Domain                  2  pentest.blog
Domain                144  www.fortinet.com
Domain                 65  blog.cyble.com
Domain                 13  www.avira.com
Domain                622  en.wikipedia.org
Domain               4127  github.com
Domain                  1  mainservice.java
Domain                  3  cryptax.medium.com
Domain                 53  developer.android.com
Domain               1373  twitter.com
Domain                  1  scamalytics.com
Domain                  6  gist.githubusercontent.com
Domain                  1  loacm6zsj26yd4kz7w6ag5dahfvreufrqhcuvxncxy4t52cxugifrkad.onion
Domain                  2  loa5ta2rso7xahp7lubajje6txt366hr3ovjgthzmdy7gav23xdqwnid.onion
Domain                  1  newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad.onion
Email                   6  aapvrille@fortinet.com
File                    1  messageholder.ini
File                    1  8nocetkasshbfx3pvhftizbpbsxvlhjy75pl3uwg.zip
File                   14  ing.dib
File                   30  com.db
File                    1  phototan.db
File                   13  pwcc.db
File                    2  samsung.settings
File                    3  injects.sys
File                   20  android.settings
File                   30  android.sys
File                    1  security.settings
File                    1  botnet_lsx3iscd6mo2gkp.html
File                    1  alien_the_story_of_cerberus_demise.html
File                   30  www.avi
File                    1  mainservice.java
File                    1  dream.html
File                    1  plpanel1.json
File                    1  dors.json
File                    3  helloworld.json
File                    1  helloworld.js
Github username         1  jaredrummler
Github username         1  nbg0x1
Github username         5  cryptax
Github username         3  rednaga
Github username         1  tomcatx34
md5                     1  9a7f81631389d52b9af03fdef60b1b89
md5                     1  ce23e15edaeeff01829638dacce6e765
md5                     2  4fe02ee186816abcfcca6eaaed44659d
md5                     1  684a2f118b77318c118954abaef9b15d
sha256                  1  ac32dc236fea345d135bf1ff973900482cdfce489054760601170ef7feec458f
sha256                  1  5e9f31ecca447ff0fa9ea0d1245c938dcd4191b6944f161e35a0d27aa41b102f
sha256                  1  84bb0570a862f4a74054629ae6338a4938ffc0fdad100b66fae3a279ab25df6b
sha256                  1  9b2af95f9f69ce03db5c03b13f4f9f69051bb490c968a1c7ca6a9b80d20fdf94
sha256                  1  9c7b234d0d46169dcefb9f5b22c5df134b1a120b67666c071feaf97a6078d1a1
sha256                  1  7927146c3db630d5a75dca2d97c26e2406f1183df50fdc29d7f40f8ad667ab02
sha256                  1  b2398fea148fbcab0beb8072abf47114f7dbbccd589f88ace6e33e2935d1c582
sha256                  1  46aeb04f2f03ebe7c716fc6e58a5dea763cd9b00eb7a466d10a0744f50a7368f
sha256                  1  fd11256379366a6f08945064a9d2b88f8fb5bdfb16be997dad4f26689715b519
sha256                  1  dccba11f9a832dbe4e2dcd60c23426906397727d7e4a5b8c06a20840bbe25558
sha256                  3  5b9049c392eaf83b12b98419f14ece1b00042592b003a17e4e6f0fb466281368
sha256                  1  9288b05329780d1ce5c9fcbeb7fb53cd4dff3c83fbf5d8c7ae88d59e213afb75
sha256                  1  a3b826de0c445f0924c50939494a26b0d99ef3ccac80faacca98673625656278
sha256                  3  3ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8
sha256                  1  92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
sha256                  1  2cc727c4249235f36bbc5024d5a5cb708c0f6d3659151afc5ae5d42d55212cb5
sha256                  1  ffeb6ebeace647f8e6303beaee59d79083fdba274c78e4df74811c57c7774176
sha256                  2  30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
sha256                  2  e4d70de608d9491119bacd0729a5a2f55ce477227bd7b55d88fa2086486e886d
sha256                  1  89e5746d0903777ef68582733c777b9ee53c42dc4d64187398e1131cccfc0599
Url                    12  http://ip-api.com/json
Url                     1  https://www.youtube.com/watch?v=ednqtcs2a5w
Url                     1  https://vimeo.com/670533534
Url                     1  https://crax.tube/watch/alien-android-
Url                     1  https://www.youtube.com/watch?v=9jmfqp7
Url                     2  https://www.youtube.com/watch?v=ntdu_pt94iq
Url                     1  https://www.threatfabric.com/blogs
Url                     1  https://pentest.blog/android-
Url                     1  https://www.threatfabric.com/blogs/
Url                     1  https://www.fortinet.com/blog/threat-research/new-wave-
Url                     1  https://blog.cyble.com/2021/09/30/a-new-variant-of-hydra-banking-
Url                     1  https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0
Url                     1  https://en.wikipedia.org/wiki/virtual_network_computing
Url                     1  https://github.com/jaredrummler/androidprocesses
Url                     1  https://github.com/nbg0x1/androidmalware-
Url                     1  https://cryptax.medium.com/android-bianlian-payload-
Url                     1  https://cryptax.medium.com/creating-
Url                     1  https://developer.android.com/training/monitoring-device-
Url                     1  https://www.fortinet.com/blog/threat-research/deep-analysis-of-android-
Url                     1  https://github.com/cryptax/misc-code
Url                     1  https://www.youtube.com/watch?v=kd5g6ekbk04
Url                     1  https://github.com/rednaga/apkid
Url                     1  https://cryptax.medium.com/multidex-trick-
Url                     1  https://vimeo.com/701915988
Url                     1  https://twitter.com/prodaft/status/1096458491852664840
Url                     1  https://scamalytics.com/ip/isp/zemlyaniy-dmitro-
Url                     1  https://cryptax.medium.com/bianlian-c-c-domain-name-
Url                     1  https://www.fortinet.com/blog/threat-research/android-bianlian-botnet-mobile-banking
Url                     1  https://gist.githubusercontent.com/dezertir6666/9a7f81631389d52b9af03fdef60b1b89
Url                     1  https://gist.githubusercontent.com/tomcatx34/ce23e15edaeeff01829638dacce6e765/raw/d
Url                     1  https://gist.githubusercontent.com/sezginbarankorkmaz/5b45d619b4eb14c57d55ce620d
Url                     1  http://loacm6zsj26yd4kz7w6ag5dahfvreufrqhcuvxncxy4t52cxugifrkad.onion/api/mirrors
Url                     1  https://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.js
Url                     1  https://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c8
Url                     2  http://loa5ta2rso7xahp7lubajje6txt366hr3ovjgthzmdy7gav23xdqwnid.onion/api/mirrors
Url                     1  https://gist.githubusercontent.com/haluktatar2222/684a2f118b77318c118954abaef9b15d/raw/helloworld.json
Url                     1  http://newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad.onion/api/mirrors

Notes on this attribute list. The entries are machine-extracted from the paper text and the types are not reliable, so verify before loading them into a blocklist or a threat-intelligence platform:
- The four "md5" values are not file digests: each one reappears as the identifier in a gist.githubusercontent.com URL further down (dezertir6666, tomcatx34, ferrari458italy, haluktatar2222), so they are GitHub Gist IDs that happen to be 32 hex characters.
- Several "Domain" entries are Android package names, intent actions or source files rather than DNS names (com.bankaustria.android, com.sdktools.android.bot, com.teamviewer.host.market, android.intent.action.call, mainservice.java). Most of the remaining "Domain" rows are reference-link hosts (virusbulletin.com, github.com, twitter.com, en.wikipedia.org) and are not indicators of compromise.
- 8nocetkasshbfx3pvhftizbpbsxvlhjy75pl3uwg.zip is listed both as a Domain and as a File; it is a file name.
- The three .onion hosts are Tor hidden services and cannot be resolved or blocked through public DNS.
- URLs ending in "-" are truncated as extracted and must not be completed by guessing; the paper itself is the authoritative reference. Values have also been lowercased by the extractor, so case-sensitive identifiers such as the YouTube video IDs may not resolve as shown.
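The following is an added example, not code from the page or from the paper it indexes. It parses the flattened "Details <Type> <#Events>" / "<value>" pairs as this page renders them (the layout is an assumption about the aggregator's output, not a documented schema) and runs the sanity checks a practitioner would apply before trusting the types: hex-length validation of hashes, cross-referencing a "hash" against the Gist URLs in the same list, flagging "Domain" rows that are file names, Android intent strings or .onion services, and reporting values that appear under more than one type. The SAMPLE excerpt is constructed from a subset of the page's own rows.

```python
"""Parse and sanity-check the flattened CTI attribute list on this page.

Added example; not part of the original page or the VB2022 paper.  The
header/value line layout and the heuristics are assumptions about how
the aggregator rendered its table, not a documented schema.
"""
import re
from collections import defaultdict

# Constructed excerpt of the page's attribute list (a subset of the real rows).
SAMPLE = """\
Details Domain 30
fortinet.com
Details Domain 1
8nocetkasshbfx3pvhftizbpbsxvlhjy75pl3uwg.zip
Details Domain 6
android.intent.action.call
Details Domain 1
mainservice.java
Details Domain 1
loacm6zsj26yd4kz7w6ag5dahfvreufrqhcuvxncxy4t52cxugifrkad.onion
Details File 1
8nocetkasshbfx3pvhftizbpbsxvlhjy75pl3uwg.zip
Details md5 1
9a7f81631389d52b9af03fdef60b1b89
Details sha256 1
ac32dc236fea345d135bf1ff973900482cdfce489054760601170ef7feec458f
Details Url 1
https://gist.githubusercontent.com/dezertir6666/9a7f81631389d52b9af03fdef60b1b89
Details Url 1
http://loacm6zsj26yd4kz7w6ag5dahfvreufrqhcuvxncxy4t52cxugifrkad.onion/api/mirrors
"""

HEADER = re.compile(r"^Details (?P<type>.+?) (?P<count>\d+)$")
FILE_EXT = {"java", "zip", "db", "sys", "ini", "json", "js", "html", "avi"}
HEX = {"md5": 32, "sha256": 64}


def parse_attributes(text):
    """Return [(type, count, value)] from alternating header/value lines."""
    records = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i + 1 < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1  # skip stray lines (button text, page residue)
            continue
        # Trailing "." on values is sentence punctuation picked up by the extractor.
        records.append((m["type"], int(m["count"]), lines[i + 1].rstrip(".")))
        i += 2
    return records


def check_record(rtype, value, url_values):
    """Return warnings for one (type, value) pair, or [] if it looks sane."""
    warnings = []
    if rtype in HEX:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX[rtype], value):
            warnings.append("not a %s hex digest" % rtype)
        # A "hash" that is a path component of a Gist URL is a Gist id, not a digest.
        if any("/%s" % value in u for u in url_values):
            warnings.append("value is a GitHub Gist id, not a %s" % rtype)
    elif rtype == "Domain":
        last = value.rsplit(".", 1)[-1]
        if last in FILE_EXT:
            warnings.append("looks like a file name, not a domain")
        if value.startswith("android.intent."):
            warnings.append("Android intent action string, not a domain")
        if last == "onion":
            warnings.append("Tor hidden service; not resolvable via public DNS")
    return warnings


def audit(text):
    """Map flagged (type, value) pairs to warnings; also list values under >1 type."""
    records = parse_attributes(text)
    urls = [v for t, _, v in records if t == "Url"]
    flagged = {}
    types_by_value = defaultdict(set)
    for rtype, _, value in records:
        types_by_value[value].add(rtype)
        w = check_record(rtype, value, urls)
        if w:
            flagged[(rtype, value)] = w
    multi = {v: sorted(t) for v, t in types_by_value.items() if len(t) > 1}
    return flagged, multi


if __name__ == "__main__":
    flagged, multi = audit(SAMPLE)
    for (t, v), w in sorted(flagged.items()):
        print("%-7s %s: %s" % (t, v, "; ".join(w)))
    for v, t in multi.items():
        print("listed as %s: %s" % (" and ".join(t), v))
```

Running it against the full list on this page reproduces the caveats above: all four md5 rows are flagged as Gist IDs, the .zip and .java "domains" as file names, and the .onion hosts as Tor services. The same cross-reference trick (match a bare hash against path components of the URLs extracted from the same document) catches most false "hash" indicators produced by regex-only extractors.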