{
	"id": "abc112a5-1c90-4913-b6d0-f21b41429e67",
	"created_at": "2026-04-06T00:12:48.202036Z",
	"updated_at": "2026-04-10T03:30:33.67671Z",
	"deleted_at": null,
	"sha1_hash": "2fa0fc0f17f7a53c9d2fe09595430db6920f9901",
	"title": "Deep Analysis of Anubis Banking Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1120478,
	"plain_text": "Deep Analysis of Anubis Banking Malware\r\nBy Abdallah Elshinbary\r\nPublished: 2020-07-04 · Archived: 2026-04-05 22:25:21 UTC\r\nIntroduction\r\nAnubis is a well-known Android banking malware. Although it has not been around for long (since 2017), it has had a higher impact than many older banking malware families due to its large set of capabilities.\r\nLike most malware families these days, this sample of Anubis rides on the \"COVID-19\" pandemic to trick victims into installing it. This campaign seems to target Turkey, and the app can be downloaded from \"http://sosyalkampanya2[.]ml/pandemi/Pandemi-Destek.apk\".\r\nAnubis can spread in two different ways: either through malicious websites (like this one) that serve the malicious app directly, or through the Google Play Store (where it appears as a legitimate app), after which it downloads and installs the next-stage payload (the malicious app).\r\nBehavioral Analysis\r\nAfter installation, Anubis forces the user to grant it Accessibility permissions so it can run in the background and receive callbacks from the system when AccessibilityEvents are fired (such as window changes and input focus).\r\nAnubis also hides its icon from the app launcher to make it more difficult to remove.\r\nhttps://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/\r\nPage 1 of 27\r\nGoing inside\r\nAfter decompiling the APK, we can see that it asks for lots of permissions, which means lots of capabilities.\r\nCapabilities\r\nAnubis has a large set of capabilities such as keylogging, sound recording, SMS spam, VNC, file encryption, and more.\r\nC2 servers\r\nA quick search for \"http/https\" reveals some interesting things. First, Anubis has a hardcoded C2 server, \"http://sosyalkampanya2[.]tk/dedebus/\", which is also used as a VNC client.\r\nTo get new C2 servers, Anubis uses a Twitter account.\r\nInterestingly enough, the Twitter account used here was registered back in 2007.\r\nThe way this technique works is that it queries the Twitter page (containing Chinese tweets) and searches for the text between the two tags \"苏尔的开始\" and \"苏尔苏尔完\".\r\nNext, it replaces each Chinese character with a corresponding English character.\r\nFinally, the result is Base64-decoded and then decrypted using RC4.\r\nThe RC4 key is not dynamically generated; instead, the RC4 implementation uses the hardcoded key \"zanubis\".\r\nData Exfiltration\r\nAnubis has a list of PHP endpoints for exfiltrating collected data; each endpoint corresponds to a different log type (keystrokes, running processes, …).\r\nIt sends a POST request to the C2 server containing the data in encrypted form.\r\nThe data is encrypted using RC4 with the same key mentioned before, then Base64-encoded before it is exfiltrated.\r\nReceiving Commands\r\nAnubis can receive RAT commands (encrypted):\r\nopendir\r\ndownloadfile\r\ndeletefilefolder\r\nstartscreenVNC\r\nstopscreenVNC\r\nstartsound\r\nstartforegroundsound\r\nstopsound\r\nAdditionally, it can receive a long string of commands separated by \"::\" to enable/disable certain functionalities, edit configs or send logs:\r\nstartinj\r\nSend_GO_SMS\r\nnymBePsG0\r\nGetSWSGO\r\ntelbookgotext\r\ngetapps\r\ngetpermissions\r\nKeylogging\r\nAnubis listens for accessibility events in the background; if the event is \"TYPE_VIEW_TEXT_CHANGED\", this means that the user is typing something, so the text is recorded.\r\nThe keystrokes are written to a file called \"keys.log\"; this file is sent to the attacker on demand along with the victim's device info. The file's contents can be erased if the C2 response contains the word \"clear\".\r\nFile Encryption\r\nAnubis can also behave like ransomware and encrypt files at /mnt, /mount, /sdcard and /storage.\r\nThe encryption/decryption key is received from the C2 server along with the ransom amount required to decrypt the files.\r\nThe encryption process itself is just RC4 using the received key. It then writes the encrypted data to a new file with the .AnubisCrypt extension and deletes the original file.\r\nScreen VNC\r\nThis feature was recently added to Anubis (according to underground forums); it can start a VNC server using the MediaProjection APIs available from Android 5.\r\nDue to Android API restrictions, the attacker can only see the screen of an Android 5+ device but cannot control it.\r\nAs mentioned before, Anubis uses the hardcoded C2 server \"http://sosyalkampanya2[.]tk/dedebus/\" as a VNC client.\r\nIntercepting Calls and SMS\r\nAnubis can intercept and forward phone calls to the attacker (which can be used for bank verification, for example); it also tries to mute the phone on Android 6.0 and lower.\r\nSMS messages are intercepted using a broadcast receiver that listens for incoming SMS and sends them to the C2 server in clear text.\r\nTargeted Apps\r\nAnubis loops through installed applications and compares them against hardcoded package names (mostly banking apps). Once it determines that one of these apps is being used, it can carry out an overlay attack.\r\nThe overlay attack works by loading a WebView on top of the legitimate app that looks very similar to the original one. It can be used to steal payment data or as an attack vector for phishing.\r\nThe loading of the WebView is almost instant, so the victim does not get suspicious.\r\nAttempting to Remove Anubis\r\nAnubis can use accessibility events to prevent the victim from uninstalling it.\r\nIt checks whether the currently open view contains these strings:\r\nthe current app name (the malware app)\r\n\"com.android.settings\", which is the Settings app\r\n\"uninstall\" or \"to remove\"\r\nIf that is the case, the victim is sent back to the home screen.\r\nConclusion\r\nAnubis is a very rich banking malware with lots of features and capabilities. Although there are rumors that Maza-In (the actor behind Anubis) has been arrested by the Russian authorities, we can see that it is getting new updates (currently 2.5) and it is still a common choice of criminals when it comes to Android banking malware.\r\nI have also written a small script for fetching new C2 domains + decrypting sent/received data:\r\nhttps://github.com/N1ght-W0lf/MalwareAnalysis/blob/master/Anubis/c2_emulator.py\r\nIOCs\r\nAPKs\r\nPandemi-Destek.apk: 8cb941658ed8340b67a38a47162ab8850b89a14eee2899f0761fadd4f648fd5e\r\nhttp://sosyalkampanya2[.]tk/dedebus/\r\nhttps://twitter[.]com/qweqweqwe/\r\nTargeted Apps\r\nSource: https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/"
	],
	"report_names": [
		"anubis-banking-malware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fa0fc0f17f7a53c9d2fe09595430db6920f9901.pdf",
		"text": "https://archive.orkl.eu/2fa0fc0f17f7a53c9d2fe09595430db6920f9901.txt",
		"img": "https://archive.orkl.eu/2fa0fc0f17f7a53c9d2fe09595430db6920f9901.jpg"
	}
}