alienbot | 9afb2fd955dcb5668148b0f9c311ff130c996dc549834bc9cfcab2d652fa9adc

Analysis

max time kernel
4168596s
max time network
163s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
24-05-2022 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9afb2fd955dcb5668148b0f9c311ff130c996dc549834bc9cfcab2d652fa9adc.apk
Size

1.9MB
MD5

5cc2a048c2ae4db2f40b05c81d480ba5
SHA1

1c94950ba4b204721f4da889d9b9035990d638f5
SHA256

9afb2fd955dcb5668148b0f9c311ff130c996dc549834bc9cfcab2d652fa9adc
SHA512

8d934d984d411fd3dc872e89fee358064d9bc44287bc7c8d9c24ae4b1433688d7e849ca2144e14af51344b75b9481c685a9bb79439f69fbe2b368105d4282377

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://cokomellatomalarko.top

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

rbrxthoqamnr.daih.uzcgqxwmacponb

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	rbrxthoqamnr.daih.uzcgqxwmacponb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	rbrxthoqamnr.daih.uzcgqxwmacponb

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

rbrxthoqamnr.daih.uzcgqxwmacponb/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/x86/bW.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	Process
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json	5232	rbrxthoqamnr.daih.uzcgqxwmacponb
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json	5275	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/x86/bW.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json	5232	rbrxthoqamnr.daih.uzcgqxwmacponb

Removes a system notification. 1 IoCs

evasion

Processes:

rbrxthoqamnr.daih.uzcgqxwmacponb

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	rbrxthoqamnr.daih.uzcgqxwmacponb

rbrxthoqamnr.daih.uzcgqxwmacponb
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5232
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/x86/bW.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5275

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json

Filesize
645KB

MD5
28d1c822b953c7dccbacaeb59b7d41a6

SHA1
2c056408fd9b944a1af96c0e3243cdf239239c18

SHA256
b2883d3454fa18ea21455e1234344fbf3570847885df6d8a32890c97754adaf2

SHA512
91ed37afb46d0b344643f162c542bcd58a439fd8e5e13164d5cc129faa335b8166a78339c3641384ee37bf12699d891e758ea3e93991b24ae7b01bd43f00e0d0

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json

Filesize
645KB

MD5
9b135a33d7a3e08a51183dde5a3cbbde

SHA1
2665f0f41e23ec9ab8bdf5b7d7eee33337ab24a8

SHA256
14bec07721b620e91648d9db793910c74b6307c63abffcdc0f0b2c7cf31cea43

SHA512
b4d075b1dea1e56b97fb009b60bde9229adaf99d8e69559348af2342f8d327ff40023e06df7b8b2aca1f5b2d074773372a4841a8c3a2e815687660079fc993c0

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json

Filesize
645KB

MD5
e116b24069a95ef9932cb2da7d16f38c

SHA1
062901e61b46f025603905a254e4cdc054496539

SHA256
07c297d6d1dd3b074ed5047892676b701a715382537d322963d09b4e5748a38f

SHA512
85810c3b75001333311ead3c6b5465cccfdc0487204f324eb173f5651a178f232efb6be645359a365ff484a5a303b55151bbdaf459824104bd28215df9f0083f

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json

Filesize
645KB

MD5
9b135a33d7a3e08a51183dde5a3cbbde

SHA1
2665f0f41e23ec9ab8bdf5b7d7eee33337ab24a8

SHA256
14bec07721b620e91648d9db793910c74b6307c63abffcdc0f0b2c7cf31cea43

SHA512
b4d075b1dea1e56b97fb009b60bde9229adaf99d8e69559348af2342f8d327ff40023e06df7b8b2aca1f5b2d074773372a4841a8c3a2e815687660079fc993c0

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/bW.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/bW.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/x86/bW.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_DynamicOptDex/oat/x86/bW.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
4b19c5642345f84ab7c414dd9c4b8eb0

SHA1
b4ca447df35915bc2ab269a7004d546abdc4bbcb

SHA256
dfc9e81c2fb421a8fd0c906ab119110deb947cca1057ee9314a81bf1a2a7892a

SHA512
9a7e56caa6afa56ca5ceb4c15bf3ae321e3f05094c32d6ee64181f34c0956aced5b6544f690c7ad01f36d619e589045191cb9785c60ffbe91c0e77d497a04b34

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/Web Data-journal

Filesize
1KB

MD5
ebab88f21eb396819465105231d7c099

SHA1
47cc2e1ac8158009b903b67ce46347054b4783d2

SHA256
f4e5afe3e54b19431427698ac8c34678751f99b8e0e1b9fbced54ab393531585

SHA512
e0b43b1f2985d8c350defa256aec7faac3f74a3246e44a5ad292d0926ba612bfe73846d029bc961c8357f9c82674ac273af5cbeebbdf6484af973d4f68848ec5

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/metrics_guid

Filesize
36B

MD5
1ac137c5cda038c11f064a8a4602bc87

SHA1
f7fb86ecad1a8433aef99433981f1748ab2175d6

SHA256
2b2385ff71c22e22f8bbb9598d2a92db09ef02fd35dfe080c170429733bb825d

SHA512
81d9482e3ead886fc88cd6669ea7283f2276b631cfe0f9b74dd8c7b202144b5d53704ed7e40610d2e1ccbee6aa587e3fb8fb814e496a898a879026238e9a2892

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/rbrxthoqamnr.daih.uzcgqxwmacponb/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit