This is malware. Don't open it on your computer. This, is malware. This, is...pretty good malware.
Basically, it's a quite powerful and quite ugly and super non counter-intuitive banking bot for Android. And it does, actually, work. Maybe. I place it here for educational purposes alone.
As a reminder, sandbox or VM this shit, because it's literally impossible to scan for malware, insofar as it is already malware. Here, for funsies, are VirusTotal results for the loader:
https://www.virustotal.com/gui/file/d54f768bb576774f41cca6cf85269e9d63698306155f2b1ea2abbcd962241d02/detection
https://anonfile.com/P2t2M6jcoc/Mod_Anubis_2.5_10.01.2020_zip
Here's Anubis 2.5
https://anonfile.com/Lfn4Mcj2oc/Anubis_Loader_loader_maza_rar
And here's the Maza loader!
If you enjoy, say sup. I got other cool stuff to post.
The loader is ordinary, nothing unusual; the package name needs to be encrypted in MD5.
Bankbot functionality:
- admin rights
- sending SMS
- SMS interception / hidden SMS interception
- receive all SMS on the phone
- get all installed applications
- USSD
- show message
- Push
- auto Push
- geolocation
- web injections including cryptocurrency, work on 4-9 versions
- map grabber (5 types)
- injection (grabber) launch by interval
- get all contacts
- spam on all contacts of the bot or on your database of numbers
- access to the file system (rat) downloading photos, audio recordings, text formats.
- screen stream (rat) - from version 5.0 and higher
- sound stream (rat)
- open url in browser
- open url in bot activity
- call forwarding
- cryptolocker
- remote launch of installed applications
- search for files by signatures
- sound recording (2 types)
- keylogger (does not apply to the browser)
- Socks5 module - from version 5.0 and higher
- get the IP of the bot
- Automatically disables Google Protect, works after the update 01/13/2020
- The problem with falling asleep bots was fixed
- Automatic removal of the bot (no confirmation on the side of the bot is needed), there are no traces.
- Display the model of mobile phone.
- Step-by-step receipt of data from the injection (everything drops in turn, login, pass, card number, then date, then color). In cases where you enter the map online, you will almost certainly get the card, the holder is usually afraid to enter CVV.
- All permissions are taken 1 time and quietly, unlike the old version with 5 windows.
- Removing applications from the phone on command from the admin panel.
- Auto-delete applications on a schedule. Pour links to antiviruses, the bot cleans the phone from them after the specified time after installation.
- Scheduled keylogger activation.
- Launching injections on schedule. After the specified time, the application is searched, the necessary one is launched.
- Advanced panel for sorting, searching for bots.
- The panel in Russian
- Blocking push messages of any applications