alienbot | 67130f843ebf484c6a87002c8b52218864184e07bcc50227175df52bd23ca001

Analysis

max time kernel
610107s
max time network
144s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
02/06/2022, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67130F843EBF484C6A87002C8B52218864184E07BCC50227175DF52BD23CA001.apk
Size

1.8MB
MD5

3b114ad5d6dc3c7b7a800e25994f14f4
SHA1

5993356afbad23bf175837b75b573384ef224da9
SHA256

67130f843ebf484c6a87002c8b52218864184e07bcc50227175df52bd23ca001
SHA512

b0a1feb00a672a72bde9eac30e6a97eb1adc86c5c45e34bb56a0b4f5dde5f276f07223d67be02ba58e63ab7f66f20a88d38618644751c3aa7be466df4c287d56

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://keepgoingadamim.gripe

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json	5126	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json	5204	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/oat/x86/DtsSBt.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json	5126	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr

fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5126
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/oat/x86/DtsSBt.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json

Filesize
678KB

MD5
baa2768f68437e01bd21d1a15118dcd9

SHA1
e6065f205c0209dac6a83e5d0d8597f32ece129f

SHA256
3f767b31af7a63c54777d1a4c65b365751df4e9eb41cc7ec60f443b28d931984

SHA512
caa28b6f3880a7731bf161ba59c1438116588d36edf8c25d6ee9b9b98b5effd8e8edfb5de88483622922d32851a91796812da5f1c3e31dac0588ed5b2370a4c8

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json

Filesize
678KB

MD5
04e645197bc86aeba6c2ff822d66ced6

SHA1
6d9aa7ee96ad05d0bea71cad31995e4e56632d9b

SHA256
347adda0656e33731ce3b0ab4ff8acf10e26a2185561d9427844ed91a85ff427

SHA512
efe03e19a36261a02e52b929b419c2c738ad444daeb1f1bd109a4c64e756c51f0f0764bc362400b4f6528f6cb40f2fe855d8eb1889a1b80f23ee6e167eef10a8

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json

Filesize
678KB

MD5
1a7f28f045ff3fb68055a6e9de931262

SHA1
cc2a9f363812521db8b60d34ba39b806b8314a69

SHA256
c24992f7fc3a0d66072a5ecbcb61ebd038882935a0608eef95e8745ca90f00c1

SHA512
ddd6c9e74ee6a0b918525ed17c8af1193d71da7763896cb1ea078828d62deeafbb85bb785945e2dc1859fb73ab89f7ae24174e5c876079d011d1f68cdf5d97ed

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_DynamicOptDex/DtsSBt.json

Filesize
678KB

MD5
04e645197bc86aeba6c2ff822d66ced6

SHA1
6d9aa7ee96ad05d0bea71cad31995e4e56632d9b

SHA256
347adda0656e33731ce3b0ab4ff8acf10e26a2185561d9427844ed91a85ff427

SHA512
efe03e19a36261a02e52b929b419c2c738ad444daeb1f1bd109a4c64e756c51f0f0764bc362400b4f6528f6cb40f2fe855d8eb1889a1b80f23ee6e167eef10a8

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
6a64b86fb768a5f33acda896a07f61cf

SHA1
35bdb14f4c75eb27b3d85a619dce880588934611

SHA256
435da1d090ddd73fb9a8b9689a04f1060e42ced9a98c857c76d93486a8d2a408

SHA512
b67a17c3e80d386e6cc250e1dcdc32f0a7fb69db595928e9fd897bf8c5386c3dccfc59e37dff63c054a499a9ed0f6fb0c9251870b87095b0b83b748b9ec14111

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
54eb95123036513b6ca5360fc2a7e261

SHA1
b3bad5f67941b4beeedd8addb70a8f951b86fdf7

SHA256
9e73f601dcb7eff5dfcf5448ef37f3fcb07b38bab8c416077790c77cdb32d00b

SHA512
97ed6f9821dc352bd3c25368af944c6dcdcf56793d07e7df5cc4996c13899622447d4d0d9d16a04951ddbc8baaa08486c3ec0fb582833b417689ef5300dec1a8

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/Web Data-journal

Filesize
1KB

MD5
1a9fcfe35e2651111609d1e5c386cdcc

SHA1
559321aa6c99fd8057e9c73b361aa8e54c2e5b23

SHA256
e7302d2371fa435e4adb6ed10a017d9d7b05837692251579f209be4348c394ce

SHA512
59cbfb6d51d9eb2c6fd2dd768d795bcbbff8e7415c3151996591ae0f581488a4ba0679115f76a20e80870c5319209749262fee774ec17c8cfcb7ae27c830a968

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/app_webview/metrics_guid

Filesize
36B

MD5
a9d3559d77ef524507d24f191c2e1a30

SHA1
30c6dd39dfd0852fd9230c563fe8a848d47fafdd

SHA256
680e7cf7a497db60129149b16232fe202a01f25a24d08f68f18da13776499686

SHA512
29ec000094859d10dfd4a76507b8cb045b9f7cd4d63f3cf639d8130d320c58656ca1af45c76bb0c031979f0fcaba11d8f86e6d8fffb19cd9b712dd7fe303f4c2

Download Submit
/data/user/0/fpfjrkdyuhonyrbxbe.qdgumajrwfhrmtr.nylsioxr/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit