alienbot | 35bc5fb59d33e48cc86b9df91ad92d7bd826e7cbfaeb65ceb901318b0652ceb7

Analysis

max time kernel
677104s
max time network
177s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03-06-2022 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35BC5FB59D33E48CC86B9DF91AD92D7BD826E7CBFAEB65CEB901318B0652CEB7.apk
Size

1.8MB
MD5

b1bd9844707d455e9e2710aacfc30b68
SHA1

215f3e25bb47c47f55bea88adf51e77f97ad6295
SHA256

35bc5fb59d33e48cc86b9df91ad92d7bd826e7cbfaeb65ceb901318b0652ceb7
SHA512

0b172b2acfab85a968a83a09ad45046e1831e96196ffb66f32f49bbfeb9f64c0dbd5ef13efefe2453fbbe9ad9b4bff6100b38b3987de7b282feacfb4dfdadf97

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://konusuyonyapraam.cyou

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

wizoejwr.bbxjeugyx.izjmksif

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wizoejwr.bbxjeugyx.izjmksif
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	wizoejwr.bbxjeugyx.izjmksif

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

wizoejwr.bbxjeugyx.izjmksif/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	Process
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5275	wizoejwr.bbxjeugyx.izjmksif
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5350	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json	5275	wizoejwr.bbxjeugyx.izjmksif

Removes a system notification. 1 IoCs

evasion

Processes:

wizoejwr.bbxjeugyx.izjmksif

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	wizoejwr.bbxjeugyx.izjmksif

wizoejwr.bbxjeugyx.izjmksif
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5275
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5350

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
767867387b8491f8fdd2ee21944d57ac

SHA1
33836774734c6b9e096bb1e9613c718440fffd95

SHA256
bf25e086a66e00fd017ca7d7a28a7d877b91f0c66a9662745df5a83e8c718c25

SHA512
6046fea407ffff3fe2b9f504ffc505ea5b91be91d8cf6d8f133a6e5a7366dddc633e4f18a7cdeebcb5997f6d0af8d80aa2c01531c2e6b804244367ea86808c40

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
657b6faea43f6b7842eb496a0a8f78e5

SHA1
b7e35c8024136114d84d48e20b6f98298fb20418

SHA256
b197c2a988d33367a894747f9c0b00e8d101b1cfaef8367431ad915a84f97e80

SHA512
2396d2e6af19460c90a7f2497d3255e424a9a166c4a051acf7328607174e445675ba732d210e9ca397d9246a35b18a8f29184810f94e07fca457d43f9e1dc82f

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
6463b91ef25392aa6939c1f3920340bf

SHA1
3496ef6292cc6375ae9e825e5d90b210e99862be

SHA256
bffb9b5a3f3fad0d36987224b886363b2debfaabd6c5ecd522ff89a7b725762d

SHA512
064155c9dbe294bfe96269d1bda453446f15bdbab63612a3875de25614263e77b3159e810dc58fc0e5c7c5e309303872e6ecbd053509b7ffbfdef89e082634ae

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json

Filesize
728KB

MD5
657b6faea43f6b7842eb496a0a8f78e5

SHA1
b7e35c8024136114d84d48e20b6f98298fb20418

SHA256
b197c2a988d33367a894747f9c0b00e8d101b1cfaef8367431ad915a84f97e80

SHA512
2396d2e6af19460c90a7f2497d3255e424a9a166c4a051acf7328607174e445675ba732d210e9ca397d9246a35b18a8f29184810f94e07fca457d43f9e1dc82f

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/EXDbJ.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/EXDbJ.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_DynamicOptDex/oat/x86/EXDbJ.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
f3590dfbc056ece650fbdf271b06311f

SHA1
cbfb7437a8c73d4f384355beef5e3ae39e92f2b0

SHA256
5ec2a4b54f8f70b5bacdf67a261633cc89bc5f61fd8686142db2d447e3cc91d0

SHA512
734fdd8ee9dde00e1be2ea84b49f78be99fd82055faad8eacb1b1e334754e8c5ae6d87105185de4850a64adbeb1f3797f4e4282854eea3c667794088da6d6ede

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
4cb1fcb33ff75a45a71df333721a6486

SHA1
598b986efa296ca9f6d597bd4984fa1c50f0db67

SHA256
4ae84ddcd228eae4922dc0677d4c8b36900c3bb75772e708f28d80b149d2c7cf

SHA512
d2aebefb91d77f507ef8c4b876713444a2795392299ade981571f4b6c23b71e56d9679d6fc9fe6b10a89304be7d902dabbe0a4c1e669a3b3792c3a652282d21b

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/Web Data-journal

Filesize
1KB

MD5
dfd749ce863bda4b6ed49b2f819482ca

SHA1
7a5d818a28c79965cfe4c6e03c4ad8d608a8f28f

SHA256
e434f564604597e291a0efee874779dfbbd08c67d20870e96c21a0a908ea441f

SHA512
c429c958aa6bd434f80a0c9e9e1d13dcbe3fd0172ec1b829ffe981d7e47ee3c31c00037485616d2ea89e38b6a7a9322d7baab7a14f6191f09b768bb86bb600cc

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/metrics_guid

Filesize
36B

MD5
58656f52487db51c38191795c92b3ae2

SHA1
ce1a63ae747971fb30b7b5ed000c62ec29d47e53

SHA256
e1c09eec9a35410a493d16f4a1b9a786fd59cb5a2f7c1eab2893b832922554bb

SHA512
fe1ee8dcf2af69411291783b879ebc2d15d346f75cc16a3af1cbf76e1bdda40023b35c559362a01c71f5cb1306f58e8efc1e374dffccc49072eb22cff7b3a460

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/wizoejwr.bbxjeugyx.izjmksif/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit