alienbot | 35bc5fb59d33e48cc86b9df91ad92d7bd826e7cbfaeb65ceb901318b0652ceb7

Analysis

max time kernel
610587s
max time network
156s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
02-06-2022 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35BC5FB59D33E48CC86B9DF91AD92D7BD826E7CBFAEB65CEB901318B0652CEB7.apk
Size

1.8MB
MD5

b1bd9844707d455e9e2710aacfc30b68
SHA1

215f3e25bb47c47f55bea88adf51e77f97ad6295
SHA256

35bc5fb59d33e48cc86b9df91ad92d7bd826e7cbfaeb65ceb901318b0652ceb7
SHA512

0b172b2acfab85a968a83a09ad45046e1831e96196ffb66f32f49bbfeb9f64c0dbd5ef13efefe2453fbbe9ad9b4bff6100b38b3987de7b282feacfb4dfdadf97

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://konusuyonyapraam.cyou

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

wizoejwr.bbxjeugyx.izjmksif

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wizoejwr.bbxjeugyx.izjmksif
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wizoejwr.bbxjeugyx.izjmksif

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

wizoejwr.bbxjeugyx.izjmksif/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	Process
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5114	wizoejwr.bbxjeugyx.izjmksif
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5192	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5114	wizoejwr.bbxjeugyx.izjmksif

Removes a system notification. 1 IoCs

evasion

Processes:

wizoejwr.bbxjeugyx.izjmksif

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	wizoejwr.bbxjeugyx.izjmksif

wizoejwr.bbxjeugyx.izjmksif
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5114
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
767867387b8491f8fdd2ee21944d57ac

SHA1
33836774734c6b9e096bb1e9613c718440fffd95

SHA256
bf25e086a66e00fd017ca7d7a28a7d877b91f0c66a9662745df5a83e8c718c25

SHA512
6046fea407ffff3fe2b9f504ffc505ea5b91be91d8cf6d8f133a6e5a7366dddc633e4f18a7cdeebcb5997f6d0af8d80aa2c01531c2e6b804244367ea86808c40

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
657b6faea43f6b7842eb496a0a8f78e5

SHA1
b7e35c8024136114d84d48e20b6f98298fb20418

SHA256
b197c2a988d33367a894747f9c0b00e8d101b1cfaef8367431ad915a84f97e80

SHA512
2396d2e6af19460c90a7f2497d3255e424a9a166c4a051acf7328607174e445675ba732d210e9ca397d9246a35b18a8f29184810f94e07fca457d43f9e1dc82f

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
6463b91ef25392aa6939c1f3920340bf

SHA1
3496ef6292cc6375ae9e825e5d90b210e99862be

SHA256
bffb9b5a3f3fad0d36987224b886363b2debfaabd6c5ecd522ff89a7b725762d

SHA512
064155c9dbe294bfe96269d1bda453446f15bdbab63612a3875de25614263e77b3159e810dc58fc0e5c7c5e309303872e6ecbd053509b7ffbfdef89e082634ae

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
657b6faea43f6b7842eb496a0a8f78e5

SHA1
b7e35c8024136114d84d48e20b6f98298fb20418

SHA256
b197c2a988d33367a894747f9c0b00e8d101b1cfaef8367431ad915a84f97e80

SHA512
2396d2e6af19460c90a7f2497d3255e424a9a166c4a051acf7328607174e445675ba732d210e9ca397d9246a35b18a8f29184810f94e07fca457d43f9e1dc82f

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/EXDbJ.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
3bb96fa8257bb68a12418c4daa6f7af6

SHA1
435f1c5d12b7ade6842fae1717cec18ba60f7e3c

SHA256
89f77fdd6e857ebc9c3fdc0aa364a0d06e93c68c42caa6ec5ae1ca66c68a1fbd

SHA512
8f7ed371bd4b795b46c12d858bdbc62c81f9337e19df5ac614dc1b5cbd86ef4b5db6e00aa5bc15db030aa6388d509aa5d699f958a9e2038a5a10fbdd86217886

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/Web Data-journal

Filesize
1KB

MD5
a78b529ebfb9fccea820f193b8145d03

SHA1
2cbe1543b201bc42157a1c7993e0d274f1572030

SHA256
cc825d8f71fdca3b084a088cc9d8986ad21c7d70f1009035c8ceb06ab2806d75

SHA512
7895df3dc965ff005962c79bdec6835307f4151a66bac667e64e59dc1a6e0399e0eb24427c6dc7103bf81dc7dbd5937e306d4cf27dcd9b5cd48403ad612a9014

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/metrics_guid

Filesize
36B

MD5
cb1944c1f51198e5406732c603fc56d4

SHA1
e64f022bee8aacae8ae2f80fa865c4113f90db87

SHA256
ee8daf1c686f1d2216220629813f2fe579e3dbeb3b43dff948706aaf85e40c60

SHA512
e73fd17d130d2bf89e0f834de559c26d53cc8f35b13db426f2fa397f0fc2f85c47d6bd17d30f6b51253e6f831ecf07db1a74f30ccb6757ea4f79d7f9c19e6e17

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit