alienbot | 0acfd3af34d9a63890b17708c15eee4e6156194122a884fc19b184c692c9fafa

General

Target

0acfd3af34d9a63890b17708c15eee4e6156194122a884fc19b184c692c9fafa.apk
Size

1.8MB
MD5

f33ddbe58dd4df03fc56ce044a1f57be
SHA1

3046aa24c5489d0b81e141f9953f5e467166b0c8
SHA256

0acfd3af34d9a63890b17708c15eee4e6156194122a884fc19b184c692c9fafa
SHA512

2efea7cfcd6d180e1b6988693713d7a7735b8f301c1de4be24cea2ebf895041caf7f92cf41c20dc8d9555eb492e5de7d997f99f3dfcc5e505f85aadddbbd7e0a

Score

10^/10

alienbot banker infostealer trojan

Malware Config

Extracted

Family

alienbot

C2

http://installerflas678352.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json	5325	rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json	5410	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/oat/x86/GOkM.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json	5325	rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj

rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:5325
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/oat/x86/GOkM.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5410

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json

Filesize
685KB

MD5
f2ac4379bb38b52475871394b48db674

SHA1
2e7bb605616410ed7b5c9c37ee0f84755625a768

SHA256
87bf52e83f5a3cb3e809f34b7543a0a64acb20426f02c8f2c25c61d8d9560c1c

SHA512
f23eb5b1c20e5552f32bb493fbfb98fe336f2b6c06bfb4527786b48b0ee31a0a5b2afb0b32604efcf3f370fe95181c19b9a0008693753f1e5332a4735d4ec780

Download Submit
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json

Filesize
685KB

MD5
3bb6bd00e343793055dbd18336a83adb

SHA1
d05e2d93e1c52d1f423095197b9fe8238161eca4

SHA256
9f110f79b2c6694b91b6ab29edbb3bbc79e6f564147b9f566eec8e460943bc5f

SHA512
1f61663a69c8e0847bd4a6f7074da4b5f72edafa8a8e16649735478c38a9050645c77e4aba39d901c5edcb296094f7711d2a62f4759fdd522adfc349a3f89e39

Download Submit
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json

Filesize
685KB

MD5
8c1dc09ec2861470d72124f340c59fe1

SHA1
9ea1f1003c861b323366c9440aff973a681b9c5e

SHA256
57925dfd57b3e9ca9d2c855dc512e027e47af6099dd4dd61605d8688930a9ef8

SHA512
4c79972b69e683156b49fd0cdf74fb3a65356bf338ed6723574b13325131fb6a6a4927ecac76a946ced474c58e02115da9d34c9cf9d06bb756be8c65c8c65540

Download Submit
/data/user/0/rjpmscxyoicgj.rcmuksahjbgmzodorjn.pebcsfmlgnqxshaierbhj/app_DynamicOptDex/GOkM.json

Filesize
685KB

MD5
3bb6bd00e343793055dbd18336a83adb

SHA1
d05e2d93e1c52d1f423095197b9fe8238161eca4

SHA256
9f110f79b2c6694b91b6ab29edbb3bbc79e6f564147b9f566eec8e460943bc5f

SHA512
1f61663a69c8e0847bd4a6f7074da4b5f72edafa8a8e16649735478c38a9050645c77e4aba39d901c5edcb296094f7711d2a62f4759fdd522adfc349a3f89e39

Download Submit

Analysis

Sharing