alienbot | f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4

General

Target

f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4.apk
Size

1.2MB
MD5

d0ee960194950078ba2ef14203557ccd
SHA1

9fa0428cc7b57e9a6c5a110cd0e18a8e13790808
SHA256

f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4
SHA512

35c5b5155265bff2d03bd9cb4eb9ad365c23bc967dcafdd8f9b439738182908ad566098468ca0bb8442173d1ac7122624da07e110544a702715535c6a1b86451

Score

10^/10

Family

alienbot

C2

http://xancc4fp.online

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 1 IoCs

Processes:

iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx

Acquires the wake lock. 1 IoCs

Processes:

iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx/system/bin/dex2oat

ioc	pid	Process
/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json	4997	iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx
/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json	5078	/system/bin/dex2oat
/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json	4997	iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx

iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4997
- iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqx
  2⤵
  PID:5078
- /system/bin/dex2oat
  2⤵
  - Loads dropped Dex/Jar
  PID:5078

/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json

MD5
4853fe10ce205a2c9e09cb588bbd2696

SHA1
1a8566d421c30bb7bd9feaa24223a266a1166889

SHA256
6aaf7c8dafd625c2e52e3028c8feeb538322e962229f84703891004b5edd4a5a

SHA512
bea270f94eb5d047668cee4df79a825905ddf9529e8859fe6f37e091a80e22f5eb179ea1ba5ce43ba7c4a5fa1a461ec52f84b128c5daff9616e6bbe81ea1376b

Download Submit
/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json

MD5
72c75a418409cd61b01b015e1aea626b

SHA1
199b10e865305c28b7c600b49d0bda3e97f2d548

SHA256
ff30800bd0eddd7df8ff3d567e0a14d5cd841b0106cf2660d51669b957d8f59b

SHA512
797597b85a7f9f1fa357b6f9fdc22a350ea017a0a4fd962697dfe1ca733647702006808edfb64af160a97cb28c0206d81b435218dcb6b2c5c35bec65bd48a898

Download Submit
/data/user/0/iawhmkptxbtiwoapxkxq.fsxdcqouxqgrqewwnpkuyxjsnsx.myaybhjxsrmfkzmbqomrhdhwqxg/app_DynamicOptDex/fyrLYM.json

MD5
4853fe10ce205a2c9e09cb588bbd2696

SHA1
1a8566d421c30bb7bd9feaa24223a266a1166889

SHA256
6aaf7c8dafd625c2e52e3028c8feeb538322e962229f84703891004b5edd4a5a

SHA512
bea270f94eb5d047668cee4df79a825905ddf9529e8859fe6f37e091a80e22f5eb179ea1ba5ce43ba7c4a5fa1a461ec52f84b128c5daff9616e6bbe81ea1376b

Download Submit