{
	"id": "096a3d15-a671-4de6-8d71-8274b247c750",
	"created_at": "2026-04-06T00:21:53.522718Z",
	"updated_at": "2026-04-10T13:11:32.930033Z",
	"deleted_at": null,
	"sha1_hash": "e7bf204138be6c5baf226b37f7e251176b0268be",
	"title": "BankBot, the Prequel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3276590,
	"plain_text": "BankBot, the Prequel\r\nBy Dario Durando \u0026 David Maciejak\r\nPublished: 2017-04-26 · Archived: 2026-04-05 14:27:15 UTC\r\nFor us at FortiGuard, it always sounds like a bad idea for people to share malware source code,\r\neven if it is for academic or educational purposes. For example, on GitHub we can currently find more than 300\r\ndistinct repositories of ransomware, which gives you some idea about the attention that this form of malware receives.\r\nAlthough ransomware has the highest profile in the threat landscape at the moment, that does not mean that other\r\nthreats have disappeared. Android is the most wide spread OS on mobile devices, covering around 80% of the market.\r\nSo it does not surprise us that mobile malware is also on the rise, even if it isn’t getting the same attention.\r\nOver the last few weeks, one specific banking malware targeted at the Android platform, known as BankBot, has been\r\nspreading significantly, even on a controlled and secured platform like Google Play. After some digging, we found out\r\nthat this malware was developed on top on an existing malware that first surfaced in December 2016, which we call\r\nBankBotAlpha.\r\nFirst appearance\r\nBankBotAlpha was specifically designed for Android. It was first advertised back on December 19, 2016 on a Russian\r\nforum as a new initiative to build an Android banker from scratch, more or less like a DIY tutorial.\r\nAs the entire code of the Android application, as well as the complete C\u0026C panel in PHP, is currently online and\r\navailable for anyone to download, it did not take long for multiple variants to appear in the wild. In fact, the same thing\r\nhappened when the source code of GMBot was leaked last year in February. 
Just like with ransomware, there are always repercussions when malware code is shared publicly.\r\nhttps://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html\r\nPage 1 of 27\n\nFigure 1: Russian version of the post advertising the new Android banker\r\nFigure 2: English translation of the post advertising the new Android banker\r\nAs stated above, this post was shared in mid-December of last year. It was posted by a user named “maza-in,” who seems to have joined that forum in June 2013. He claims to be a skilled coder with more than 10 years of experience in the field.\r\nFigure 3: maza-in profile from the forum\r\nFigure 4: maza-in signature from the C\u0026C panel\r\nDespite the claim that it was shared as a “tutorial,” and despite the warm reception it received from the community of that forum, we can say with confidence that this malware was shared with malicious intent, not least because an antivirus cross-scanning result was provided along with it and continues to be updated quite often within the thread.\r\nFigure 5: Antivirus detection at the time BankBotAlpha was released\r\nVariants proliferate quickly\r\nThe first version that hit our radar was detected on December 26, 2016. Other variants followed quickly, reaching VirusTotal by January 5, 2017. So far, we have detected 141 variants under the internal package name “com.example.livemusay.myapplication”.
For the end user, it appears in different forms, often impersonating well-known application icons or names, as shown in Table 1, below.\r\nMMS Flash Player 11\r\nAdoby Flash Player (yes, with a ‘y’)\r\nPlay Market Update\r\nGame Launcher\r\nMy Application\r\nKate Mobile\r\nTable 1: Some of the BankBotAlpha faces\r\nAnalysis\r\nOnce unzipped, the application comprises two packages: the first is the standard android.support package, while the second, and most interesting, is called “com.example.livemusay.myapplication”. This is where the real malicious code lies.\r\nIn this article, we analyze the sample with SHA-256 “fded59978a3f6ab2f3909d7c22f31dd001f54f6c1cafd389be9892f41b4a5976”.\r\nFunctionalities\r\nWe encountered this malware under a number of different aliases, but the most frequent one was “MMS Flash Player 11.” However, the permissions required by the APK are very suspicious for an application with such a name.\r\nFigure 6: Permissions required by BankBotAlpha\r\nFigure 7: Classes of BankBotAlpha\r\nThe first time it is run, the application asks the user to grant it device administrator privileges.\r\nFigure 8: Request for DevAdmin rights\r\nOnce these are granted, the app hides its icon from the launcher and starts acting in the background.\r\nThe malware registers a broadcast receiver for incoming SMS in order to handle received messages and extract the information it needs from them. Moreover, it is cautious enough to delete SMS from both the “inbox” and “sent” folders.\r\nFigure 9: Parse and Delete sent SMS\r\nAnother precaution the author took was to set the phone’s ringer mode to 0, the value of AudioManager.RINGER_MODE_SILENT, which mutes both the ringtone and vibration.
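Added example, not code from the Fortinet article nor from BankBotAlpha itself: a Python triage routine that scores a decoded Android manifest against the behaviours described above (device-admin request, SMS interception and deletion, SMS and HTTP reporting to the C\u0026C, IMEI collection, USSD calls), and shows why a “Flash Player” carrying that permission set deserves a second look. The mapping from each behaviour to the android.permission.* strings it needs, the scoring thresholds, and both sample manifests are assumptions constructed for this example; the permission list is not copied from Figure 6. The only page-specific signals are the Table 1 lure names and the com.example.livemusay. package prefix.

```python
# Added example (not code from the Fortinet article or from BankBotAlpha): a
# static-triage routine that scores a decoded AndroidManifest against the
# behaviours the article attributes to BankBotAlpha. The permission mapping
# is the standard android.permission.* set each behaviour needs (an
# assumption about how the sample implements them, not a copy of Figure 6),
# and both manifests below are constructed for the example.
from dataclasses import dataclass, field

# Behaviour described in the article -> permissions an app needs to do it.
# WRITE_SMS covers deleting from the SMS provider on the pre-4.4 devices the
# sample targets; on 4.4+ only the default SMS app can delete (assumption).
BEHAVIOUR_PERMISSIONS = {
    'intercept incoming SMS': {'android.permission.RECEIVE_SMS'},
    'read and delete SMS folders': {'android.permission.READ_SMS',
                                    'android.permission.WRITE_SMS'},
    'send SMS to the CC': {'android.permission.SEND_SMS'},
    'collect the IMEI': {'android.permission.READ_PHONE_STATE'},
    'place USSD calls': {'android.permission.CALL_PHONE'},
    'talk HTTP to the CC': {'android.permission.INTERNET'},
}
SMS_BEHAVIOURS = {'intercept incoming SMS', 'read and delete SMS folders',
                  'send SMS to the CC'}

# Names the article lists in Table 1 as BankBotAlpha disguises.
LURE_LABELS = {'MMS Flash Player 11', 'Adoby Flash Player', 'Play Market Update',
               'Game Launcher', 'My Application', 'Kate Mobile'}

# Package prefix shared by BankBotAlpha and many BankBot samples (article).
FAMILY_PACKAGE_PREFIX = 'com.example.livemusay.'

# A device-admin receiver is declared with this permission and intent action.
DEVICE_ADMIN_PERMISSION = 'android.permission.BIND_DEVICE_ADMIN'
DEVICE_ADMIN_ACTION = 'android.app.action.DEVICE_ADMIN_ENABLED'


@dataclass
class Manifest:
    package: str
    label: str
    permissions: set
    receivers: list  # each receiver: {'permission': str or None, 'actions': set}


@dataclass
class Triage:
    behaviours: list = field(default_factory=list)
    findings: list = field(default_factory=list)
    score: int = 0


def requests_device_admin(m):
    # True when any receiver is guarded by BIND_DEVICE_ADMIN and listens for
    # DEVICE_ADMIN_ENABLED, i.e. the app will ask the user for admin rights.
    return any(r.get('permission') == DEVICE_ADMIN_PERMISSION
               and DEVICE_ADMIN_ACTION in r.get('actions', set())
               for r in m.receivers)


def triage(m):
    t = Triage()
    for behaviour, needed in BEHAVIOUR_PERMISSIONS.items():
        if needed <= m.permissions:  # every permission the behaviour needs is held
            t.behaviours.append(behaviour)
    sms = SMS_BEHAVIOURS & set(t.behaviours)
    if sms:
        t.findings.append('SMS capabilities: ' + ', '.join(sorted(sms)))
        t.score += 2 * len(sms)
    if requests_device_admin(m):
        t.findings.append('declares a device-admin receiver (resists uninstall)')
        t.score += 3
    if m.label in LURE_LABELS:
        t.findings.append('label matches a known BankBotAlpha disguise: ' + m.label)
        t.score += 2
    if m.package.startswith(FAMILY_PACKAGE_PREFIX):
        t.findings.append('package name shares the BankBot family prefix')
        t.score += 5
    elif m.package.startswith('com.example.'):
        t.findings.append('package name still uses the IDE template prefix')
        t.score += 1
    return t


def verdict(t):
    # Thresholds are an assumption chosen for this example.
    if t.score >= 7:
        return 'banker-like'
    if t.score >= 3:
        return 'review'
    return 'benign-looking'


# Constructed manifests: one mirroring the article's description of the
# MMS Flash Player 11 sample, one for a harmless media player.
SAMPLE_BANKER = Manifest(
    package='com.example.livemusay.myapplication',
    label='MMS Flash Player 11',
    permissions={'android.permission.RECEIVE_SMS', 'android.permission.READ_SMS',
                 'android.permission.WRITE_SMS', 'android.permission.SEND_SMS',
                 'android.permission.READ_PHONE_STATE', 'android.permission.CALL_PHONE',
                 'android.permission.INTERNET'},
    receivers=[
        {'permission': 'android.permission.BROADCAST_SMS',
         'actions': {'android.provider.Telephony.SMS_RECEIVED'}},
        {'permission': DEVICE_ADMIN_PERMISSION, 'actions': {DEVICE_ADMIN_ACTION}},
    ],
)
SAMPLE_BENIGN = Manifest(
    package='org.example.mediaplayer',
    label='Media Player',
    permissions={'android.permission.INTERNET', 'android.permission.WAKE_LOCK'},
    receivers=[],
)

if __name__ == '__main__':
    for m in (SAMPLE_BANKER, SAMPLE_BENIGN):
        t = triage(m)
        print(m.package, verdict(t), t.score)
        for f in t.findings:
            print('  -', f)
```

Run as a script it prints the verdict and findings for both manifests. The family-prefix and lure-label checks only catch this template; the device-admin plus SMS combination is the part worth keeping in a generic APK triage, since an app whose name promises a media player has no business intercepting or sending SMS.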
The phone is silenced both when the malware communicates via SMS and when it places calls to communicate using USSD codes.\r\nFigure 10: Set the phone to Silent mode\r\nThe malware can also send SMS, and uses this feature to report information about the compromised device back to its C\u0026C. It collects information such as the IMEI, the banking applications present on the device, the OS version, and whether the device is rooted.\r\nFigure 11: Retrieval of the IMEI\r\nAll the data collected, both about the device and about the banking apps on it, is sent to the C\u0026C. The C\u0026C address can be relatively hard to find, as malware authors try to hide it (at least from static analysis), so it is usually necessary to analyze the traffic generated by the application. Fortunately, the author of BankBotAlpha was kind enough to leave the information needed neatly formatted in the class b.\r\nFigure 12: Networking constants\r\nThe C\u0026C address is not the only hardcoded constant in the APK. While some other banking malware we have seen prefers to download the list of targeted banking applications from the C\u0026C, possibly to evade static analysis, BankBotAlpha hardcodes the list in its StartWhile class. A screenshot follows, and the complete list is at the end of this article.\r\nFigure 13: Target banking apps\r\nPractical test\r\nIn order to test the malware, we decided to run one of the applications listed as targets.
Our choice was the APK with package name “ua.privatbank.ap24”, the official application of PrivatBank, the largest commercial bank in Ukraine.\r\nThe source code comes out of the box with only two phishing templates.\r\nThe first is for PrivatBank (located on the C\u0026C at /inj/privatbank.php).\r\nFigure 14: PrivatBank phishing page\r\nThe second is for Visa QIWI Wallet, an e-wallet based on a Visa prepaid account, with over 11 million consumer accounts around the world. It was first established in Russia in April 2008.\r\nFigure 15: Visa QIWI Wallet (/inj/ru.mw.php) phishing page\r\nOnce the targeted app is launched, the malware takes control and brings its own activity to the foreground of the user’s screen, showing a phishing page like the one above, designed to look like the bank’s original login page. The differences are not extremely hard to spot, but a careless user could be fooled. Once the user enters their credentials, they are sent to the C\u0026C, where they are stored in a database.\r\nThe network capture shown in Figure 16 relates to sample “14a9da2c16c4714ebb5647ec5bd23a1de361b779d80f5e5f5350ea9b128f3c40”, as the C\u0026C of the original sample we analyzed had been taken down by the time this article was written.\r\nWe then attempted to run other applications in the target list, but without much success. As stated previously, only two of them worked in our test cases (“ua.privatbank.ap24” and “ru.mw”). For the other cases, the malware simply records the fact that these banking apps are installed on the device and then sends the corresponding bank identifier via SMS (see the annex, below, for the complete identifier list).\r\nThis is in line with the fact that the author shared this malware as some kind of tutorial.
It includes two working injections, possibly presented as examples. However, making the other apps injectable is just a matter of creating the right phishing pages (as has been done for the dozens of successive BankBot versions that can now be found in the wild). The author claims the injection works on versions up to Android 6.0 (Marshmallow).\r\nThe credentials are exfiltrated with a plain HTTP POST request directly to the C\u0026C PHP script located at /private/add_inj.php.\r\nFigure 16: Network capture of the stolen credentials\r\nThe botherder also has a global view of the bots through an online panel, shown below.\r\nEach entry refers to an infected device and has a status of online, offline, or kill (most probably for cleaned devices). The malicious apps send heartbeats every few seconds to update their status, giving the panel a near-real-time and accurate view of the entire botnet.\r\nThis view not only provides details of the phones (OS version, model, IMEI), but also of the operator (brand, country), as well as some operational information such as access to debug logs, date of infection, privilege level on the device, and stolen bank identifiers.\r\nThe control panel is not only used to monitor the botnet, but can also be used to run commands directly on the bots. According to the C\u0026C, there are currently four possible actions:\r\nRequest root rights\r\nSend SMS\r\nUSSD request\r\nRequest permission to read/send SMS (Android 6.0 and later, where these permissions are granted at runtime)\r\nWe estimate that there are currently about 1000 infected devices, based on the number of C\u0026Cs we found and the average number of bot pages we saw on each C\u0026C.
Most of these devices are located in Russia, but some are located in the US and China.\r\nBankBotAlpha vs. BankBot\r\nFrom our analysis of both BankBotAlpha and BankBot, it is very clear that the latter is derived from the former. The strings found in the samples are identical, the commands issued by the C\u0026C to the bot are the same, and even the typos and grammar errors in the code are consistent. Many BankBot samples even share part of their package name with BankBotAlpha (com.example.livemusay.*****).\r\nHowever, BankBot packs more features than the alpha version: AV detection, a larger number of targeted banking apps, monitoring of messaging applications, and sometimes even obfuscation.\r\nThese added functionalities are relatively easy to implement, and make it much easier to create a threatening banking malware.\r\nConclusion\r\nThe alpha application we analyzed here is not an extremely polished piece of malware. However, it is a functioning and easy-to-improve starting point for people who want to create something actually dangerous.
Its descendant, BankBot, has proven itself to be a real threat, and has even been found in the official Google Play Store.\r\nSo, be careful out there when installing applications on your device, even if they come from trusted application marketplaces, and always check the permissions required.\r\nFortinet detects this malware as “Android/Bankbot.AA!tr”.\r\nFortiGuard Labs will follow up on this and keep you updated on this Android banking malware.\r\n-= FortiGuard Lion Team =-\r\nANNEX\r\nFile listing from the C\u0026C HTTP root\r\n|   .htaccess\r\n|   header.php\r\n|   index.php\r\n|  \r\n+---images\r\n|   |   header.jpg\r\n|   |   icon1.png\r\n|   |   icon3.png\r\n|   |  \r\n|   +---country\r\n|   |       ad.png\r\n|   |       ...\r\n|   |       zm.png\r\n|   |      \r\n|   +---icons\r\n|           bank_off.png\r\n|           bank_on.png\r\n|           boton-verde-oscuro-hi.png\r\n|           fe.png\r\n|           inj_off.png\r\n|           inj_on.png\r\n|           kill.png\r\n|           log-512.png\r\n|           log_off.png\r\n|           log_on.png\r\n|           offline.png\r\n|           online.png\r\n|           se.png\r\n|           setting.png\r\n|           se_.png\r\n|           V.png\r\n|           X.png\r\n|          \r\n+---inj\r\n|   |   crypt.php\r\n|   |   privatbank.php\r\n|   |   ru.mw.php\r\n|   |  \r\n|   +---privatebank\r\n|           1.png\r\n|           2.png\r\n|           3.png\r\n|           4.png\r\n|           bg.png\r\n|           index.html\r\n|           main.js\r\n|           style.css\r\n|          \r\n+---js\r\n|       custom.js\r\n|       footable.js\r\n|       footable.min.js\r\n|       jquery-1.10.2.js\r\n|       jquery-1.10.2.min.js\r\n|       jquery-2.1.4.min.js\r\n|       jquery.js\r\n|       jquery.spincrement.js\r\n|      
+---private\r\n|   |   add_inj.php\r\n|   |   add_log.php\r\n|   |   commands.php\r\n|   |   command_go_modul.php\r\n|   |   config.php\r\n|   |   crypt.php\r\n|   |   kliets.php\r\n|   |   set_data.php\r\n|   |   tuk_tuk.php\r\n|   |  \r\n|   +---logs\r\n+---styles\r\n|       btn.css\r\n|       index.css\r\n|       login.css\r\n|       modul_form.css\r\n|       modul_form_log.css\r\n|       modul_form_set.css\r\n|       style.css\r\nBankBotAlpha includes a static, embedded list of applications to target, as shown in Table 2, below. Most of them serve Russian- and Ukrainian-speaking customers. The identifier is the string the bot reports over SMS when it finds the corresponding package installed, reproduced here as found in the sample.\r\nPackage name(s)  Identifier\r\nru.sberbankmobile, ru.sberbank_sbbol |SberB_RU|\r\nru.alfabank.oavdo.amc, ru.alfabank.mobile.android |AlfaB_RU|\r\nru.mw |QIWI|\r\nru.raiffeisennews |R-CONNECT|\r\ncom.idamob.tinkoff.android |Tinkoff|\r\ncom.paypal.android.p2pmobile |paypal|\r\ncom.webmoney.my |webmoney|\r\nru.rosbank.android |RosBank|\r\nru.vtb24.mobilebanking.android |MTS BANK|\r\nru.simpls.mbrd.ui |VTB24|\r\nru.yandex.money |Yandex Bank|\r\nua.com.cs.ifobs.mobile.android.sbrf |SberB_UA|\r\nua.privatbank.ap24 |Privat24|\r\nru.simpls.brs2.mobbank |RussStandart|\r\ncom.ubanksu |UBank|\r\ncom.alseda.ideabank |Idea_Bank|\r\npl.pkobp.iko |Iko_Bank|\r\ncom.bank.sms |Bank_SMS|\r\nua.com.cs.ifobs.mobile.android.otp |OTP SMART|\r\nua.vtb.client.android |VTB_ua|\r\nua.oschadbank.online |OschadBank|\r\ncom.trinetix.platinum |PlatinumBank|\r\nhr.asseco.android.jimba.mUCI.ua |UniCreditBank|\r\nua.pentegy.avalbank.production |aval_bank_ua|\r\ncom.ukrgazbank.UGBCardM |UKRGASBANK|\r\ncom.coformatique.starmobile.android |UKRSIBBANK|\r\nTable 2: Targeted Android banking applications\r\nIOC\r\nC\u0026C domains and IP addresses:\r\n45.77.41.26\r\n104.238.176.73\r\n000001.mcdir.ru\r\n111111111.mcdir.ru\r\n12321a.mcdir.ru\r\n217.23.12.146\r\n22222.mcdir.ru\r\n321123.mcdir.ru\r\na193698.mcdir.ru\r\na195501.mcdir.ru\r\nadminko.mcdir.ru\r\natest.mcdir.ru\r\ncclen25sm.mcdir.ru\r\nprobaand.mcdir.ru\r\nfirta.myjino.ru\r\nfirto.myjino.ru\r\nranito.myjino.ru\r\nservot.myjino.ru\r\ns.firta.myjino.ru\r\njekobtrast1t.ru\r\nkinoprofi.hhos.ru\r\nHash list (SHA-256):\r\n014b273b42bb371a1b88edda2cc2d9a47bfb6c34d87bfff32557cc227c8d3f64\r\n019bf3ab14d5749470e8911a55cdc56ba84423d6e2b20d9c9e05853919fc1462\r\n02aff7c44f1ef2e96d1ea9bd14adb469d37365d2b91f13adf428002339dee00a\r\n0451ac4b5845e742b03a23a0f1c85688653d04cc7b5879c01d68ec42ce5758f6\r\n046fe1acffd89c2929fba99465158a1eeb30c02ea59d6034b2e375aea3569b35\r\n0b9b7e25399dbf4b7e16e4b3bf9979bf8d3f0cac2b730701dcc1295c4e7576e8\r\n122f1859032a58ab347c0cdddf315cc7f3683709c203104c413eb7db0cfc052e\r\n12c75843a2cf483c8854773b802fad797e3c1d46f1bdf801414fc6c760b8ad7b\r\n13bb819c17d9db933b2a2486350b335ebfc20be2c3ec948ba4aae6e768e67df1\r\n13e7690e89eac59c9e1a06dff81f55603a48553dd83a4ff9cfe1a05aa5d26f44\r\n14a9da2c16c4714ebb5647ec5bd23a1de361b779d80f5e5f5350ea9b128f3c40\r\n1d0b4b2c0e12cc1ae1d8395c01a45e367d434d1363522e51a735e823268ec70d\r\n1d488c3f3a04db47e9af623056d3039d95d7ab5c492c247ab1acae27353ddb3f\r\n1dcea6c3fe308d22da40a1f5f1939a79a93b0b1d9d3c5c1885ed55a8d81b475b\r\n1e2f6904168eebe5770ef4f490dbb053ffa13112ea98275f5f2d6a26daacae20\r\n1fcdee284dd14992c9500637abe6be907bd8ac11c4b8c32c214d36989a1998f2\r\n2093705f6130db51277a04bcc0d30086dfae6cc8c94e5c40ede5e8cedb5e0521\r\n2475a424be782ddfa80e3c8db75f9028e908cdc13537a33b1157cbab534921a0\r\n255bc9d2199f1654ca6118cec38919fb3e690dab0ee84e8f42043a91c9cbcfbb\r\n257c03064976d0536d2f405d186225c0a9b48edaad522349b236c9c595078e04\r\n2594e148067d5963c69e3594d907f319a812d389d71f1a35dac5ebcdfb186d1e\r\n279a82ed1c2501fb3d667e4c845529891e995131c1bd87a4297a7da436d42f6c\r\n28395799cede44c64f14bf92990a0110e8afad4fb3c244724faca726e9172bc3\r\n2b03f8995d4aed1928c89e7dd881d59e1c2bdcabbf59c82d46cb5c57ed3846b2\r\n2c2ac6e7611705ddc749f8575dd030417f80da59fea8fe530315691faf1b5dd4\r\n2f557ca63e87b91a3b1f0b8e03f68d3b931ba0dffdcb4f624800dbff1a21e4ea\r\n31808cb01ae67a87bde9a27d289be247df32a67585cb8f42054aaaaf0bfa1e1a\r\n362384e508c1e26290dba89d16ec79101e7ccaec391cbc0d8f8003990b62d797\r\n38b8690cb65fd3dbac4c39f4fde70f5b2a326fb5c1d89fd532de1c86e569d909\r\n3a2f18f9e57404ff6e63e5cbae309ae6d618e9732d577979321d534afbf3a330\r\n3a6f3149fa1ae595727ff5732a979396216a81eb9190f1be63f1014d25811f60\r\n3dd20cd345dfec0f8851dbf14ca3ed5d7bb9c122263ae6cfdb4a0d01a0c31f28\r\n3f20b90add74be19a62c3fbf375b2f9de3aa2a6f26a4f9edab51c3213e2b24a7\r\n400e6e3a530d83abf70ee39b718485b1bef0e256281dbad34f66d27d4c710dd5\r\n40f7d6790a198634cc36a291f78c4ba9c46ffc2ac5ee45752e7fee271a628483\r\n45144171577b294c8f08f7551bea05b147dc8d0c4fd95a854df015641b188a05\r\n49d9138f4f365bf4932ca03fbad3b2e524b27b1a3409efaa3e34f17155f32307\r\n4a2608365256347666229d296c0d3a1daaee71eedf9df6add33375ffe263d484\r\n4c763edeeecc69ad29dd794916ea6aa8a31361f1867f73dac95086e86ed532a9\r\n52743d338743b99c2c2e2ac2c9f460f036e74f6de0bdec07bd0020b7fa9f1443\r\n536c1a9ed03d1b1fe3f8ca26d017d4e4530da801cae0566015da7276eae40484\r\n53d5fa215848299411b1f93df8a1e5cd89718b43c982a80fcd20bf48ea916af1\r\n544272c83bfc201f2a6a5e0debd50d0d93b754215c0fe9cef59a28bbea0bd0d3\r\n556670c40522b32fe8f8b2cafc033b9961ed699b783cb73f6d6c2ae60cf56fab\r\n5e86a0527cec17ba9efa899bfc009c21e10a3172b9a6e25c25ac78e3c83dcf13\r\n5fc5411164769553c1ff006d1b2f01dbd629740e69a1a19c31f13ad6596cf837\r\n616b30b36e22c978276589f753a4c4e2e44464f7067dd7abda4655ae0da037d7\r\n6264dfd9f22abb21767c01dcc29ed8443121331d965e96f88896ae35caadd391\r\n6321bf41add70f8e5ef4a99b4e1a41cff9e8291d50ddddfc30ffc4de5e5f4546\r\n6630f7eed091b5ac21fb75717e1a8999e868110fc31c7a9b0721a1adae06852e\r\n68f5185dc8b7669bd4bb2b1ffd1ee7ca71fd89f350ce6f00274ac23db9b8e906\r\n69288ee3144abce1877dbd142d04fe6ca5341033574ce537d45e32d6cd7c8c90\r\n6951917e9039a893f172f36e86864592bd5fd020ae11af7e7318e947c8302e69\r\n6a6b4d209a92c4cec6bbef08461ec10dd5a824a2d1076ac37fc248da55e987a4\r\n6b45ec0fbb9a9e07cbbfbdc2f3069b9c0ef92e0bb2e7b2ab521ebd6a669fb6b0\r\n6b8dcf9f82c638bf0e3c06a61ab1ad5a0bbb2d91a2f0dabc1baa722cb5a85b30\r\n6ed80a4abea6773a0670ac2ed3bced5d97746931e3eb73555af5a2b0ddde2152\r\n701c9ae96a3a79a790eec35ba2633b5688505422c9657a1334f448f40f968aa8\r\n7173b8c3356f80c632ca6dc3afef8d67910f5a7d4430d21adbc62a931f9cb5d9\r\n71df5796450854fde135e46c1ef5f25648b479672f0951b53ecc46c07f866dff\r\n72f914c39d84c606ed4ec45344ecbf2a846b8ecae9993299a337cdb4661bc69a\r\n73e1b464745d546ee839e44291f5d02c6b5ac8948b22d396958ef6c10f3a0a41\r\n747f89698bf9bc50a557e8d1be26ae3b031630068f7f4925b0a345ce1c30e159\r\n7601db56e0188db6a535fa94ae4fa69493e3fbcb4653afde0a3c9c1f8bc39886\r\n765a848126a8ec8c938c36af950ff99021625e25ed5c12797211d739a76b4edd\r\n7778afff4e6dac8be86c3d03bd31a32d301c0884cecbd4ccc9f4987ce8e70b90\r\n786012c2700a2e9babfb0644bdd9ddd7b1389ad45dcca64aa1a12c9b38590299\r\n7bd0ca163d00ecd510259efe932d9cccc1657c7d784f8b8fc520c84b22b77864\r\n7d5e00a4f3d2ffad23645c02d7a83c9b1f86e1ab3686d129149d43c339022f17\r\n82bae10a608a1ea65e3a97ce860333cfcc71951f521d2c3260df12ffab09aa1e\r\n8423d54f6e046bb21ae040fc06c97d16b9966997cb7454bbd17340af02a0aeb1\r\n893aa50362fe3b4c6c4d105940e3abd04edb1775e15fbc963afbdea1ef19cad5\r\n89aef428588d419ceb63404e5453264266a8e7a338bc98e698e4f2874c3318ec\r\n8afd2301d127da97bd41b1b9125c626df0c2b5131d8f015a858831341e30cef7\r\n8ea14afc9bc7120f3147b0458431c2c9b7e9f3208a157c3fc7232460d8c10fb6\r\n8f46ef5d64f7093c7a212ad21467bf4197bc2d59225bab73e6ff96c91c9e6099\r\n930897cc0b1f075fa433f2bb3e717f6e43f1a066cb86443eacb1375fcf0ffc26\r\n95030dfabbd56e09f4511cae95b85eb6c8e0ca18136a9e700e641e0de5542590\r\n959b8e5d73f4efdec1fa1b758ed1cae1905844d94912768c4ff01bdbd7c31f3d\r\n96b9e277715f66e36c90b4c62243218056b4938064d65a369eed057b26a843da\r\n98971f6fbac6c4a6246c32c33cf0ac8acbcac9b7472c0c0bd492b4d7700f76b0\r\n99967f152df5a5fdf854daad19a0e8a23254bd22224e11e69dd10dfbb420dd8c\r\n9f3965042c5521ce1eba68f417e9be91cb0050cd8ed5f054a7ad60afc8a4e111\r\na17c243babfd1a3d95085ef9f51bb7797b6571c918bc1eb1b811ce1248f4c2a2\r\na183a4c35b0bdc68c2ff1a4b700faf0abf127fb04deaffc9aea34d038fd43ac0\r\na33e9fd4b4a0732fd124f94a3b59d4ea287fc6287b4b03da27cf8ea52bce740d\r\na55664c8965eb9c2e04903e58f83a7a36b33a0d17bb14fc3c2fd6ed1744924de\r\na795e583e712acf21309c4748ef1791c6b1ca77ae4b6ae88ec54ba0bb0b42538\r\naef07d547a4bc320ef6f3c2b4bbab0145b1bfcd1e8f749bcd7e876e071f91a38\r\nafc1f1060f04bebe238cb7f66005e640f0bf284cafa83f30e635683d9019894c\r\nb276ecfb7eb22668ba8d1b5d0ab61080d1baef911c29d61baaccd81402244a64\r\nb4f61f5c241eebb52d308a90e2030de0bbdc59fb407e027e2dc36c575a1b4d83\r\nb69a1e6582f54259b323f5121ebda786bc8be4a8880960dca80a6519fb94a857\r\nb74826d70cb4ef075c6f3af6dce77606cd64d9548909785dec4ad192c2ac7984\r\nb8a5c8f9878070f866d5c015171678e486ea48a9f791dc6f5f287a8d58f682b3\r\nbae80b05455373a822256c2a48e4ba6bc4d6ec142691a72983f7300524e83eff\r\nbb506ecf976c59391442dd49095b6f2f7f99b9fc01d1eaf1ffed14ebfcce8aed\r\nbb9a87192bb0824b6df9b1bb5cd280eb11984407886e6259efe8b957a1b8cd87\r\nbdb99a14badc84f1319ae3d37a5a96a9d6f9b26bbacb2fb04ac40a64f03bcab9\r\nbf37316194d6deaf3b98fe96119c1ed5d883401dd5cbdf88367a6c4ec366792d\r\nc2fdad416a46bc3c84a35e0f5b984f22cf74e79fd6be5241bc85847b8e57bf71\r\nc35cec60511bba57ca75f3b2d981768c6603a86298ca8c56474fdbbb3910f165\r\nc666f79fcbed515831d738f5b60758cff680b6051274e26da5a61d6229e7adfb\r\nc7b15c36ac4d49f0a7a61638a4e909f47fc1a3b806e7284390c336dba621e874\r\nc9dd2b3261b68b56fbc4417c75ada218f064d1f434488a883ba7fbb9f3f0c813\r\nca65ba7d1fcfe3e494a208819d1889d7c84d198bc0d54ceed980cf2db29b1a54\r\ncb9fdcfdc81b1e2ee7f8bd3ad59a21cb17f4c8d9e2e05eee7e26889090966fe2\r\ncd14b3cb20dfcb58d57450bebc17d94c271faa85f290cfd04c3e982aacb62df1\r\ncfcdba58bd0182cfd48d12738f9ce562c0b443238eca0395f718fe9d1656e5f8\r\ncfe5e58c7c96ba65e635094ab92636d0cd18315b5048cc99beca6eaacba8a83d\r\nd015d61a217aff14fcaa172aef88e385d70887401ba76596582e06f893f38009\r\nd104c0bfe94444db3201ae021dfae2299ce8a93ab233aed02315353ede52ae15\r\nd17a6cd7e586993ab2a2eaaf5c72aac131375820b564182e7f4f7a119144a9d5\r\nd33254e1fa2c171b9da14e74cc6aac3c16ffaaf5bc530f00644599620427d912\r\nd37c2c264628170594298413b92b3c9313426ab525748ff372e0e7fe4969ec0d\r\nd85f02e5ce5e6777bdb323ab8b757300f4c9f9235187eff2287c774fba27473c\r\nd924aa111e104926a156118a6dce6bfad5db4e725ee7a12eb67c202e8b0843b6\r\ndad2b929bd1fc883937f7b6ea55285e67cda6448576da4d29661f16255adc49e\r\ndb9950901b0c322bdd5184cd705ab17df0d90a4e7ac7d50096ed28993d5ce835\r\ndc0db894c882c01a9b4b0a956fe7f787d3091995360ae7496a3a9739c1c7089c\r\ne0d64ce4f8e44e00cc6ffe41b0e487775b7dcae156589b684ee71e69cad05677\r\ne323ecf3576269bb49956c2e9a45ee523352c9abce4f72b6c86417df5da15f3f\r\ne88e520fb2e8079230954f82ad23bdc0a645baa9674a656b50d9e2dd3fb28149\r\ne8c4f9b67a298bbe40706d6952a9a4e25efffeec67d6200d3a3906da25dde5bb\r\ne8de6fcc72cb88c8da32c089a0d86105c4598557244975ecd3828234efcc318a\r\nebac993de97346b9c16f946bf8036f50b1a53c6829e3db4fb894677c8bcf3c21\r\nebfb87fd05173af8192057082f2c3e3e794b8c1c39ee613efb905f00279b48b6\r\necb5180e59d9ac9baca174ae5733f674fdffddc425b24856de63baaaccc3dd37\r\necb5951d4c3b86e760622f9c21e0539708d638fad7e4b0fc79e5f7fd655d219b\r\nf232d979d09bac8875a8700e90366c706d1458230a3f08d098b233bde4e1a8a2\r\nf4672da546b51b2978e10ff97fbc327665fb2c46ea96cea3e751b33b044b935d\r\nf5fe9e98039aef962de479411e14bada4b8b0a7ab8d6728f16c3e0e75875178c\r\nf66c28cdc349bd227113520e06913afd0c5b511760e9145c47f8f3e32f9844b8\r\nf7b47f5ff1810e2951a304a44b47a4571e4916d85e6c337165d9744aed5e1828\r\nf8ce46a5b4c5b9f98d8dfa003710337c0177aedfc8b97b9eb6451ba4a7355ffe\r\nf910ec2481d93ed6c9f0191f39863713f3a99ebad4b6c0c8134c8becf32b1b73\r\nfa0a0c0cecf3cab941be06c76826205abcdb4ff40a275b67a0171b8cc44c4395\r\nfb129bac929b6fc9010252a68081e312c797b6b2c1277c751b1ee96976a2fc25\r\nfc8c10250e37ae833122e8d69d732a3fa868e9305c333b7ca2119d0c129ef720\r\nfded59978a3f6ab2f3909d7c22f31dd001f54f6c1cafd389be9892f41b4a5976\r\nfe0b4188b3ac6af7ccdb51dcd1577081b9080454fec9fa15fd10fd9a4513216c\r\nSource: https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html"
	],
	"report_names": [
		"bankbot-the-prequel.html"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7bf204138be6c5baf226b37f7e251176b0268be.pdf",
		"text": "https://archive.orkl.eu/e7bf204138be6c5baf226b37f7e251176b0268be.txt",
		"img": "https://archive.orkl.eu/e7bf204138be6c5baf226b37f7e251176b0268be.jpg"
	}
}