Rewterz Threat Alert – Anubis Banking Trojan – Indicators of Compromise

April 4, 2019

Analysis Summary

Anubis banking was developed in 2016 and the malware has been utilized as a trojan, keylogger, and ransomware. Recent Anubis malware samples utilize a mobile device’s accelerometer to avoid detection.

Fraudulent system update alerts and push notifications are used to trick the user into disabling security controls to achieve full exploitation of the device, for additional malware installation.

The malware’s logic detects installed financial applications and impersonates them.

Impact

Anubis banking trojan

Indicators of Compromise

URLs

b1k51[.]gdn
b1j3aas[.]life
wechaatt[.]gdn
10as05[.]gdn
ch0ck4[.]life
fatur1s[.]life
b5k31[.]gdn
erd0[.]gdn
b1v2a5[.]gdn
b1502b[.]gdn
elsssee[.]gdn
kvp41[.]life
servertestapi[.]ltd
taxii[.]gdn
p0w3r[.]gdn
4r3a[.]gdn
areadozemode[.]space
selectnew25mode[.]space
twethujsnu[.]cc
project2anub[.]xyz
taiprotectsq[.]xyz
uwannaplaygame[.]space

Malware Hash (MD5/SHA1/SH256)

34D70B6A2C2B1B07128726499FAC19B1
4D51687ADB3B75DD18DD68A70204AE56
FEFACA64DFE0BF6D7081CBBF6A05CCD5
210B717194C265739F055B9D8BF4F5F2
0F996382F01E4502BCA36EF48A87BE86
069BF2F0B21DA3579F7C76EF2B9284D1
5d68069e8d258c796af5011e27c11423
832ABF77D80FD9A204ABBEB7E7CA9E4A
F4A0D659C8F7F79D0CD629296CA95478
3AE09A3D86BC1083A7B67C7827F510B1
69D0286289A18A2BCF8C1BAFD431B2B7
A36FA1C70BB238A83547580ED013F8F7
A1007FCB2F238B1A0E63E6B195446086
F16FE16ACD942AA1AF79BE2BD1C1F923
B534F3CA69BBDE1299CCDDDCB3591E5B
F59D91BCF3CFC8C94E4345C218D9E41C
9515BA4A7D3E9113402DE9F858E001A4
9698340576e27fd11643e6869a192bd0
DF22128F3C66BCC8074538E47DEC7544
A543A7FE67C99EAC11F5E6B8C5F6B5FB
b0ff12e875d1c32bd05dde6bb34e9805
bc53a5857b1e29bef175d64fbec0c186
e6714a332e58e7e92b4eb72c7db8756253538cc0
49dd6e33d64835152152b09b763e3603395b99de
27806e7f4a4a5e3236d52e432e982915ce636da4
4D417C850C114F2791E839D47566500971668C41C47E290C8D7AEFADDC62F84C
6FD52E78902ED225647AFB87EB1E533412505B97A82EAA7CC9BA30BE6E658C0E
AE0C7562F50E640B81646B3553EB0A6381DAC66D015BAA0FA95E136D2DC855F7
CF46FDC278DC9D29C66E40352340717B841EAF447F4BEDDF33A2A21678B64138
DE2367C1DCD67C97FCF085C58C15B9A3311E61C122649A53DEF31FB689E1356F
89f537cb4495a50b082758b34e54bd1024463176d7d2f4a445cf859f5a33e38f
d93e03c833bac1a29f49fa5c3060a04298e7811e4fb0994afc05a25c24a3e6dc
3a3c5328347fa52383406b6d6ca31337442659ae8fafdff0972703cb49d97ac2
138e3199d53dbbaa01db40742153775d54934433e999b9c7fcfa2fea2474ce8d
c1720011300d8851bc30589063425799e4cce9bb972b3b32b6e30c21ce72b9b6
bb932ca35651624fba2820d657bb10556aba66f15c053142a5645aa8fc31bbd0
9a2149648d9f56e999bd5af599d041f00c3130fca282ec47430a3aa575a73dcd
e5ac8b77e264c68a38be42bd16b1253b7cf96a1258444040ed6046c9096ecd08
451b4cf00e36bf164b4e721d02eab366caf85690d243a539eba5a4bbd1f9e5fa
48bd70850a04a26db239e47611ce7e660c2b08b2dd56d81ed7a608e2659e1d7c
7960bb11e52516134774e8a262c6d78e5683ba9814015eb12b076e7d4e188c4b
c5fbf3f7ddf354a99abbb7652254032d11682106d004373b509981c7a77d1bef
f4db61ab1a314955e4134ec6fdcf9bd47ff8141928a1e467c052876327e4ef8b
ab27065953ff7329c261a27149e2ce63e9a170714df7619b011db89eb5f68069
5126bd2a0e6b74178994c17102e4e18ffe1ab6f398a69225913f60eccef7a652
e56acc1eedc47854c89a02b93ae5bd078e91001dd85e2c7739b649beddbee885
aa63ce659eb3054f00656b2a4fa4bbc14f421d7b2ccb99d333f619613d75fc8f
20e838966993b73f2d65df993fb21d85ab186702a6b1732aba1ea3a98a79b22a
f8de1e8ed70f77dd792035e0cdd3e5c026feece6790f6e2266f8d5f37198b8fa
43c26e071d22e3e14efb669705ba9113067894e9035a051b76b3632330ef8884
d7699cb3c4ec67f3cbe04701360da36622408b70b8d5ec413474d2a83b7172d9
a3ad2f7e3fc04db4e1c919f9df4235b8a1728ef4f4d2e5bb30905262719bbde5
453ba4a1d229049b6bd415192cafda79238a4f2b1e4d1450174903284a304d33
c59a2b3bdb8363d9610ed3bc5cd707ee25a2384e3e2e74bd1ad5bd16b69fa014
ee83ac9a851638f77693eea48ba8034c6d15e630ddb9ad19e204bfa3fe881dc6
26827b3db72e07ab7649bb21b89dbb5376fcf76de1849ae41265965f80d5ecf7
501e88a12be8fdba7d25472f08437308c313dd70aaeac4d162bbb6836ff4bc4a
09e897341d910b44884a9e6d9d2f0bc39dcf2a50e0f35062b07c5f946e5c5b66
876fa3268d5f15be13f9e6021133811062b90d6830f25b8b297be98f27d747f0
e02112cf09522ee7231229dabf331bf725531945d56865416355211d45ddb849
1ab4e5a08f4bf5f95b2462ee12da893851a715b5569603fb95d5f2f7bf2293de
38b5f8c4ddcb2b53aaa33d19efdb6ea6e489aafa0e906da57345c3ca5f01ffa7
c17cfc49391472ad0a85e0bde934bf289d1402c86cf8353ce5c9296c350a73d6
ef1ae5f0ed8a8216dda6ed2dec979e799bfd58fb548a8acb941407b950673ae9
db2d7ca6c1317e5697d0bc61f67bc38316888d20ee9dba32f7165bf23f177061
fe26d6a0e3425d9622b2aef7c4199b0d9569f849453b12cb75ba42e5f002dd67
e3b764ba2795af097efc554331bd9c8a804b5a030dfd495cc8169ce331ac5cad
009220919c4ecf5e72f7be4886a454d11b951dbc488656a811cd7517ad4c0c35
804fc95f250dc275e805fdabd862bcc3a2b60796915c3da575722015f64adf4e
15d31751bd91ee0082f75f581f099e2f986a7c7ccc2748cdd8a0adf9320d748a
8a8fe94c0e4f3fcaaf1f49aa27b13908c01a7574d31a84d55683f9cd1854d211
27c4263d9030435a6f107878c0ba50998cf82d5852618b989acab9843df55d62
39de72ff4b93565cd25fa303b8f17dcaabff101c138a0a5282c747d15b70053f
31c33f8102669b5ffc117ebd076646cefb0ae6b7ea12d1779ebd9d64a2de70d3
f532275eb109ffb5ef35ec42c5445b6e9cdaadad099c977aab8841664cdab292
d2ffa12048169cf9eba113dbb47b78708e83d9b5e778276a40100617e0dbbbdc
3c35f97b9000d55a2854c86eb201bd467702100a314486ff1dbee9774223bf0e
e01ed0befbc50eeedcde5b5c07bf8a51ab39c5b20ee6e1f5afe04e161d072f1d
79c29b79f119a453efd27117c641f73cab4aad76f1f94d9ae538c0a4d4f85ca7
dd60d79c08b5eb50de4ec47cb1e52a1a6c1a5abc25a302db9b2ab1685730203d
deb319019ba88acf8e5fb1b594525f28487e111e6fd641c7dbb23551f7925570
074ae028bd3204a7e7e7a510ad0f88c49cb780fa07e91944f111af146c39c91c
5a6f9ac189dc65dad3744005644a251f73ff2a8022a70431bf90945fc7da021b
b012eb5538ad1d56c5bdf9fe9562791a163dffa4
bc87c9fffcdac4eea1b84c62842ce1138fd90ed6
7e025e21d445be9b6b12a9181ada4bab3db5819c
e29c814c2527ebbac11398877beea2bc75b58ffd
16fc9bc96f58ba35a04ade2d961b0108d135caa5
48b93f6e4c6717bb87eb60129cc5ef07733f63e94f19cd2fa8214e89f6a61fdc
4b410fc2a49c822b0d4df3419087d9eb6fea6df7e1b5d21ca575c7b83f1a490f
9bb207a05703406f05f5749299b4c68f0de159be06550588ef1415c181401241
5555a4226d3db9549a6d2b73a988f1ec0e399d766c2cae0727670b4fb0bd6de3
b3a4df38699300c2acb3efb3a29d5eb152e35ed1eb293fedb6d262441463421b
381b86843f3ebd8d4e4cf7aaa9b4b23dc64507d853745d54a65061250ea88b35

Remediation

Block threat indicators at respective controls
Always be aware of the suspicious emails sent by unknown senders
Never click on the link/attachments sent by unknown senders
Keep software and operating systems up to date, as many malware variants prey on older, insecure versions.
Exercise caution even when installing from official stores. Only follow links to applications from trusted sites, and if you’re in any doubt, don’t install.