alienbot | 873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f

Analysis

max time kernel
681242s
max time network
155s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03/06/2022, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873ABCF92582D1CB09910028D731C7835A17002F5F024ED05D3A004AB20CC00F.apk
Size

2.5MB
MD5

d4a8e0ae01d248aa078851e68537f521
SHA1

42e88e214e26e053285a6f07a36c52640550aaf4
SHA256

873abcf92582d1cb09910028d731c7835a17002f5f024ed05d3a004ab20cc00f
SHA512

5ee2c8f6e2c09ca72dadbc01922d79f1028ad876b929e665c7ae0298e2e25efbc28163ed55595f945c32678372fa7808ec0e7eb78464d958929708e3c6006d11

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://sariyenibez.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json	5105	zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json	5139	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/x86/jwoY.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json	5105	zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr

zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5105
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/oat/x86/jwoY.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5139

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

Filesize
697KB

MD5
a6a64d35a848fd9f22231d8e5621e899

SHA1
6252c00e009a3a45f8acc25470b7a189b6cd27bf

SHA256
91d2c9cb2018d5b2a03fcf58bf0e0a64f492058b1b5f7d54224c0fe709f5b455

SHA512
77f7b1b0bcd7b4e0831bee9aae69a99f1bcfbca6ec66fd6107424d2287d2f1bf3939c8a0b232f4c96a7d57a7d203db9b836c13c939c409e178fcc97f44dfb421

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

Filesize
697KB

MD5
3fa6e1269691621bf38a9a5b477545e3

SHA1
4e176ecbac81bcb08ac4ec0ce4e3a27526e348f2

SHA256
edb4530036d0ad2160ac4f9b3b65cf6224ac58e7ed6d9501585a571d14b26d97

SHA512
858c918b794dc3b4a7eb877ad6e4054352d76240c7b1098046a2d78f6f6cfb38c806300ba54e73a59dc8215d7c653f18d707e5629093b4f80d2094df3c494679

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

Filesize
697KB

MD5
8642d9879ea78e39ab29216f82ab6203

SHA1
3cc8f74d0e4069328e4ba9637367aa579f9e5f7e

SHA256
1f384fd4efc61006a34395bdb7f4fd32c94471422fe30c00dd4b6fb960ee4623

SHA512
bdf331ba186bd9cee2ede29980bcc34dbc8bd3e6733825607475e64109737cd7ec9b8e2cbe9f44c70f3a7bc766641e739820d92f4db3b9f8647bcd3ab18d6f2b

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_DynamicOptDex/jwoY.json

Filesize
697KB

MD5
3fa6e1269691621bf38a9a5b477545e3

SHA1
4e176ecbac81bcb08ac4ec0ce4e3a27526e348f2

SHA256
edb4530036d0ad2160ac4f9b3b65cf6224ac58e7ed6d9501585a571d14b26d97

SHA512
858c918b794dc3b4a7eb877ad6e4054352d76240c7b1098046a2d78f6f6cfb38c806300ba54e73a59dc8215d7c653f18d707e5629093b4f80d2094df3c494679

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
98918fbd35543d242c2eeed89111464b

SHA1
524d197288e996285175d6f4ceddb7c181381ee8

SHA256
06611f14bb780db5efd3d9a019e85764ad996903682e1267453593b13c65b6e3

SHA512
35ae238ecc8c49a507026d8269b51b33fefa0fd909c61318d4efcd38e07e2becec7228307f2177551a5dec9ebf64f76ec38cb5150babfbd9cb43e669d19bda23

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
97cc5b9cb5451e1037776427844c6340

SHA1
82a71153c99eb28c518ec231fede9ec0a292c6f0

SHA256
a24af3bce74dd935d821ff19d12abb81c76faf6df9fe521634c02ecf03fd0cda

SHA512
caca8fb049f307cefcd7791fcace2ca08fe70e12d84b957fd63bc327d2824d6a5813edf07381ed1b575a7135de79e6611fb8e88e53d1fba7eda37e0734ca4216

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/Web Data-journal

Filesize
1KB

MD5
6703fc55720f7f3ad72cbfadb9df819c

SHA1
d8888b2d15b1905f649b8b25be68a414d6ae70f3

SHA256
4d732942f2d11a432c691ab201e7dc21a2a48ddc05309a679dbb19fd55dc159c

SHA512
ccfafb3e74c4a6c601ff4e6e026932b8e34355339b83e61f928792047eda95a5bdbbe13017010c0d2dbd13df2f7b8defe868265397d2ca479a8e58be0e0f51a9

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/app_webview/metrics_guid

Filesize
36B

MD5
698ef6cd43a8cc664c0e0a2ef8ec32a7

SHA1
7dd55913b6c628b08508133edcd73f861d012a75

SHA256
bb16476c8a1e5b2c0db4b640f96e4b7111e9285977af63e98b83ded1c3a9c7d1

SHA512
2d2a8592cde297cb0f5cef08aaed46c193c0776485d087a9e95faeb9ba3d75fff915fe7f81adc9ad1cd2945fd39896e11542d0e6d933cb72ced5cb59d23dcdca

Download Submit
/data/user/0/zakghedfcnhlgbrxr.ukhyemmjkwz.topeqpkbzjhbr/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit