{
  "Event": {
    "analysis": "1",
    "date": "2026-03-10",
    "extends_uuid": "",
    "info": "[Threat Intel] BeatBanker: both banker and miner for Android",
    "protected": false,
    "publish_timestamp": "1773997331",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773997331",
    "uuid": "fc638095-f606-420b-9205-fe1a31b0a4f9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#c94db5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brazil\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773198010",
        "to_ids": false,
        "type": "link",
        "uuid": "b59d7c36-0c6d-494d-be75-c48fe22ea347",
        "value": "https://securelist.com/beatbanker-miner-and-banker/119121/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773198010",
        "to_ids": false,
        "type": "text",
        "uuid": "67dca213-5ada-4cab-b499-0832d181c01f",
        "value": "BeatBanker is a sophisticated Android malware campaign targeting Brazil. It spreads through phishing attacks using a fake Google Play Store website. The malware combines a cryptocurrency miner and a banking Trojan capable of hijacking devices and overlaying screens. It employs creative persistence mechanisms, including playing an inaudible audio loop. BeatBanker monitors device status, disguises itself as legitimate apps, and targets cryptocurrency transactions on Binance and Trust Wallet. Recent variants have replaced the banking module with the BTMOB remote administration tool, expanding its capabilities. The threat demonstrates advanced evasion techniques, uses Firebase Cloud Messaging for command and control, and targets multiple browsers for data collection. Victims are primarily located in Brazil, with some samples spreading via WhatsApp."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773198010",
        "to_ids": false,
        "type": "text",
        "uuid": "ecbf5be2-3381-416a-935b-c229c9abc208",
        "value": "Name: BeatBanker: both banker and miner for Android\nAuthor: AlienVault\nAdversary: \nTags: [\"rat\", \"phishing\", \"cryptocurrency\", \"persistence\", \"btmob\", \"banking trojan\", \"android\", \"beatbanker\", \"overlay\", \"brazil\"]\nTgtd countries: [\"Brazil\"]\nMlwr families: [\"BeatBanker\", \"BTMOB\"]\nAttack_ids: []\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Payload delivery",
        "comment": "StarLink No sample in VT\r\nLast check:12/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276131",
        "to_ids": true,
        "type": "md5",
        "uuid": "4f9fa352-f760-42a2-9955-ff9aca1cc66b",
        "value": "d3005bf1d52b40b0b72b3c3b1773336b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278324",
        "to_ids": true,
        "type": "url",
        "uuid": "29abb285-bf4d-4eb0-9702-0ba3d5df0af7",
        "value": "http://pool-proxy.fud2026.com:9000",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278345",
        "to_ids": true,
        "type": "url",
        "uuid": "c12bea09-1e46-4d6d-96e6-b1aa502ceb0c",
        "value": "http://pool.fud2026.com:9000",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278366",
        "to_ids": true,
        "type": "url",
        "uuid": "7dffb565-a197-47d6-87ec-f711af0d90c9",
        "value": "https://accessor.fud2026.com/libmine-",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278388",
        "to_ids": true,
        "type": "url",
        "uuid": "5edc129f-0261-4473-bd7d-22e954d49508",
        "value": "https://fud2026.com/libmine-",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278409",
        "to_ids": true,
        "type": "domain",
        "uuid": "682c0a4e-1a4b-44c3-81fa-69f4daf3a26c",
        "value": "bt-mob.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278430",
        "to_ids": true,
        "type": "domain",
        "uuid": "aba2a2e9-df32-4fbd-bedd-fe12b7e03dd5",
        "value": "btmob.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278451",
        "to_ids": true,
        "type": "domain",
        "uuid": "383859d2-0ded-4459-afa3-1b1ea70b7725",
        "value": "cupomgratisfood.shop",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278472",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d80924a1-29b6-42ee-ba00-c639513ce20f",
        "value": "accessor.fud2026.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278494",
        "to_ids": true,
        "type": "hostname",
        "uuid": "943294ff-167c-4094-ac25-467e2878cb52",
        "value": "aptabase.fud2026.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278515",
        "to_ids": true,
        "type": "hostname",
        "uuid": "93a91e81-a50d-4cab-95bf-b2c64a5b1913",
        "value": "aptabase.khwdji319.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278536",
        "to_ids": true,
        "type": "hostname",
        "uuid": "454c0e9e-5607-4a7e-9e66-9afe9e9707e6",
        "value": "pool-proxy.fud2026.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278557",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8046590a-62dd-4546-8859-36acc342d342",
        "value": "pool.fud2026.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773278579",
        "to_ids": true,
        "type": "domain",
        "uuid": "a6fe0525-e61b-448c-b072-49eeed393bd0",
        "value": "fud2026.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773278600",
        "uuid": "4a815477-5abc-4dec-84b5-c5596d2e08b8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "INSS Reembolso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773278600",
            "to_ids": true,
            "type": "md5",
            "uuid": "720af48e-3ec4-4c21-affb-68b536fce962",
            "value": "f6c979198809e13859196b135d21e79b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "INSS Reembolso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276130",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a30603d1-ff9f-4b62-a3c2-fafb454d15df",
            "value": "84c05f590e9a5fe65ed34986900cf59334c7fbf5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "INSS Reembolso",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276130",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b36da67e-984b-4e4b-8dfc-b1fd6b486398",
            "value": "bb9c6a6c84f26f5d98332089f90a4bfa735cbcc984a3f49e2ca8124db9d1600f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773275311",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8d4b19b5-261c-4465-9c07-2870c6c2868d",
            "value": "196608:Byt/k+ZDXp97NQtVMgC3101tlokzgO94DThLow1xKeD2smkWo8Fj6FpDDP:It/k+ZDXpvuMgC31wg3DtLZKeCKO6Lj"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773275311",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d82a64a4-4ef2-4190-b986-e806cf772b73",
            "value": "9470945"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773275311",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6a027b6c-2948-4817-8f38-b97d4f2ff479",
            "value": "6d39127e490d797b908d6f0ecb899ff5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773275311",
            "to_ids": true,
            "type": "filename",
            "uuid": "8d5100d7-93ac-4c26-9fc5-eb32e31e2898",
            "value": "INSS_Reembolso_v5.0.0.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast-scan\t:  12/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773275311",
            "to_ids": false,
            "type": "text",
            "uuid": "7318b690-f292-4983-93e8-b62426f38d48",
            "value": "INSS Reembolso\r\nType Description: Android\nMicrosoft: None\nVT Total Detection:12/68\nFirst Submission:2025-09-23T03:42:01.000000+00:00\nLast Submission:2025-11-21T23:36:26.000000+00:00"
          }
        ]
      }
    ]
  }
}