alienbot | dba7f022b4cce63f1717f461af490637f8f634f75b839ec318bb6866dac94750

Analysis

max time kernel
613376s
max time network
117s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
02-06-2022 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DBA7F022B4CCE63F1717F461AF490637F8F634F75B839EC318BB6866DAC94750.apk
Size

2.0MB
MD5

12258242e922d3d8ee08825f62caf147
SHA1

d9cf92de75b867fbfb79f96d48a35ed760fe40e2
SHA256

dba7f022b4cce63f1717f461af490637f8f634f75b839ec318bb6866dac94750
SHA512

f9cc0733d1e23532ed0b691ba1be794af18d823a782b69a7be492df1eb5cd4512b8839fc13521352d4cb92b8e901d95fed58bf51965144628eaf6adba45b171b

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://ukalasey4.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/x86/rPwDcm.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	Process
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json	5073	saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json	5108	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/x86/rPwDcm.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json	5073	saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi

Removes a system notification. 1 IoCs

evasion

Processes:

saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi

saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5073
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/x86/rPwDcm.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/rPwDcm.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/x86/rPwDcm.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/oat/x86/rPwDcm.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json

Filesize
669KB

MD5
d52a6da47a4955b10dab9633c65ce78a

SHA1
54003ee8f4a2a80ffa52eb237f82028ad8417ec8

SHA256
38e865990c9053cdf2779aa05197a52df15ba686f85c6f7ae5558184bee1e256

SHA512
5595de98ffe624c966999471fdd2a6110aac82732760c143bc64f3663fac99c8b5ceee73506a7c5c2a86764da7751ad0f7d4b3cdb79a344106dbc529537bde58

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json

Filesize
669KB

MD5
2e8cef20b2f5413ec81bb56efac5df33

SHA1
df1efcd0993f583f701d477086e16c923bababef

SHA256
43e09e150daa063922cb75072597e7ad5d5fcb8e34f59691a5d9d479cec727b1

SHA512
3dd4a88b48e02dcf0b4752ae704dbff2bc3aaceba771e5cc323318323f98ac52eb33e67243b8be0fa4b35ab69d5311294a6689ebd83fa3a9b4d38cf5c138f2d7

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json

Filesize
669KB

MD5
3d5a3e387f66ec962dd3c89b2a70ef72

SHA1
107c19bfc9318464648aff868ffe055f9dc63ed5

SHA256
404ec5a5a6910a0e3bba84f7a4eb42d98912560aba1a28b40f82b6cf7c039927

SHA512
69fc439aa018607873649a564f2299928aa4009ad1b983726d7b9438640bae97e1ec91e60f287fc3b3cbe0ad857aae182208c81799858a49fc62b7fd77888847

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json

Filesize
669KB

MD5
2e8cef20b2f5413ec81bb56efac5df33

SHA1
df1efcd0993f583f701d477086e16c923bababef

SHA256
43e09e150daa063922cb75072597e7ad5d5fcb8e34f59691a5d9d479cec727b1

SHA512
3dd4a88b48e02dcf0b4752ae704dbff2bc3aaceba771e5cc323318323f98ac52eb33e67243b8be0fa4b35ab69d5311294a6689ebd83fa3a9b4d38cf5c138f2d7

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_DynamicOptDex/rPwDcm.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
b9c6e042c3c6f6f35c2466d77019b7af

SHA1
bf493aa9aa0de6f19787de32bbcf5811e7bc2430

SHA256
88cb5767b2dbcf14eda1d0849d0a3b272d2e2c3a86a5c0e6359d39ed8be7628e

SHA512
93888ce4a74f3a9b22db6418647471a6c76deec30207ed381a16614a44545498a48a299687e90d5d87281c1ba6ef73eb463f2b41b5b015fd81e14615dfde9c5c

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/Web Data-journal

Filesize
1KB

MD5
63a0b2fc5eeb8179d27ee19adcd063a7

SHA1
399b7865a0d343ff7e61c271aca4d5fd49d2ec42

SHA256
dba74076bcac8a4b153d891de279859b32bc1254f963d028f6df6d57ad10ccba

SHA512
2653d535927d77cc4669fb14b76a8abf89c61ed512129d80ce8a2879831b378cf0fb916e60d91ad499b86103029593b98b2afc0bcea27e5219851baeeee4b7d0

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/metrics_guid

Filesize
36B

MD5
d6ae3e64f37c07463968de1c7cb6297e

SHA1
016f377cf584cd4ce3cb6d040d5ad0cf0a91a084

SHA256
2dd0a7b71b974a69803db6c4d6fea1bdfaf9a038b5eafeb4e93f73b780a81750

SHA512
cc4ff640c4a2d5f83c94343d72814ec03d947f4b83110d0077517e82549ff4d4163aefb0dd526ce1dd2d9308561e3e74bc8b7bc501cdcefa9eef7debf9e02625

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/cache/.com.google.Chrome.mGJucg

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/saoucydedyery.wkg.ycrorpyjoshzrmjbqbbybyi/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit