{
	"id": "17e82f9b-cbcd-4dcb-a50b-ed15f3c34c1c",
	"created_at": "2026-04-06T00:13:29.741018Z",
	"updated_at": "2026-04-10T13:11:44.80147Z",
	"deleted_at": null,
	"sha1_hash": "1325f67027529f59cfc41b115e51671e2f71d7e1",
	"title": "Decrypting Bankbot communications.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284616,
	"plain_text": "Decrypting Bankbot communications.\r\nArchived: 2026-04-05 17:02:50 UTC\r\nThere has been an increase lately in the number of Bankbots found in the wild. The latest one was seen on Google Play masked as a \"fun\" application. However, it downloaded a remote payload which contained this malware.\r\nBankbot is an Android banking trojan that can be found in underground forums. It can be downloaded without paying a penny, so it is the choice of many people. This is why we see increasing numbers, with some variations but maintaining most of the original schema.\r\nIts functionality covers a wide range:\r\nGet device data\r\nIntercept SMS\r\nOverlay applications\r\nSend stolen data to remote C\u0026C\r\nThis looks like a normal setup for an Android banking trojan. However, these communications take place under an 'encrypted' scheme, so they cannot be read directly. After a few weeks of testing on different Bankbots, we are releasing a script that decodes them given the password, based on the encryption routine used on the server side. (It can be found at the end of the post.)\r\nThe script requires two parameters, the first being the password and the second being the payload. Once we have this data, it is easy to retrieve the information.\r\nSay this is our example payload:\r\nhttp://blog.koodous.com/2017/04/decrypting-bankbot-communications.html\r\nIf we are given the password mkleotrghyua, we just have to pass this data to the script and we recover the original information.\r\nAnd this is it! All communications can be decrypted provided you have the password.\r\nYou can now get this script HERE!\r\nIt has another example payload with another key.\r\nDecrypter: https://gist.github.com/ineedblood/01dd714d9dd786f3c05a73aae4dfbaef\r\nSome samples:\r\n74ace3a2af372887852ddf099db153d986326d926c1bfa3f86219213dbb06a18\r\n2dfde3d394b7eaf3a45693dc95f9c5540c9fd2b3bc7e89e9ebc9d12963c00bee\r\nSource: http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html"
	],
	"report_names": [
		"decrypting-bankbot-communications.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1325f67027529f59cfc41b115e51671e2f71d7e1.pdf",
		"text": "https://archive.orkl.eu/1325f67027529f59cfc41b115e51671e2f71d7e1.txt",
		"img": "https://archive.orkl.eu/1325f67027529f59cfc41b115e51671e2f71d7e1.jpg"
	}
}