alienbot | a44b03ea43c561095e1d0c6385ba00d86e02ee8ad33c0dac1d6b9d5f073ae9cb

Analysis

max time kernel
680616s
max time network
155s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03/06/2022, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A44B03EA43C561095E1D0C6385BA00D86E02EE8AD33C0DAC1D6B9D5F073AE9CB.apk
Size

2.0MB
MD5

d4fd334971337b0296ec3141c80499b0
SHA1

4bac68cba4c1a2744f3a0d1505f287bb13f75e71
SHA256

a44b03ea43c561095e1d0c6385ba00d86e02ee8ad33c0dac1d6b9d5f073ae9cb
SHA512

654edeccd100c0c89619d2f262ec9eb780ece5c7e80074e16fff0876c5a3307cbd9a3f04fd4af8556608ba823fc3efe52966dc07c8f5e82619381de91c791cc2

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://dreambufadfuxla.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json	5141	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json	5187	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/oat/x86/APSqP.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json	5141	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq

cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5141
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/oat/x86/APSqP.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5187

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json

Filesize
663KB

MD5
840776009386597ed595a2e54db83cf4

SHA1
13636149ed38a11d7131e009b75c6f5dd8256865

SHA256
f702f7a7eec6aa74e660ceb99a337f923337d5c08d2915c71d9365ee84506f56

SHA512
a576eae97c358783465a9434833485b4e73188e9a309606e80fd89ce8c3ebc0d6e05f33afef11642b1924acd3c9ce796f0539c63cf25df6920c2ff48972fbd11

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json

Filesize
663KB

MD5
a5b4a0e001486ffbfb098ad41b42aca8

SHA1
c14748fcc292923e46f460e1aa0fc61056f7535f

SHA256
3e8a1200bf40f1b349d9ba37a0079546f76df09a93a6957446b397bac443f98b

SHA512
1ea8824625a457ccec2eccf9b17781a71c582a05634793ae6eae2d8b4dc08ab74e151a1028c0b9742c6dd94abee76cb1edefffceede73d408ca241aa738a9a9b

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json

Filesize
663KB

MD5
e27813f601a80dbd14487b837d226dea

SHA1
6ed6e7695a1d9929795360648d549f7ffc0fd8fa

SHA256
2bf21c1b5227dcf320b4b36fd71167e3bfc0dce7b9094d26e104ce2978c1619d

SHA512
e865975560465c2f02b2c2b2a886e46625e9f92afee2bb47c8633fccbd3e9f98d5edac2f4aa3e4609676f2b9d1bd420e2423bd8422f006d98b842ad94e8d6538

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_DynamicOptDex/APSqP.json

Filesize
663KB

MD5
a5b4a0e001486ffbfb098ad41b42aca8

SHA1
c14748fcc292923e46f460e1aa0fc61056f7535f

SHA256
3e8a1200bf40f1b349d9ba37a0079546f76df09a93a6957446b397bac443f98b

SHA512
1ea8824625a457ccec2eccf9b17781a71c582a05634793ae6eae2d8b4dc08ab74e151a1028c0b9742c6dd94abee76cb1edefffceede73d408ca241aa738a9a9b

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
1ab0b99d2955648376d2484828331ff4

SHA1
f184c343128bfb18828a99a2e91ad390f8193dca

SHA256
d4a5327b6233788c50f9610e779df1033ea2dfb002769d27c9793e1d294f7e77

SHA512
8bda07e785b93e10d92d042d589e2e03224085ed4d111817c63edb6cbd6d694bc2b80559c0874b83d08eeb6383800a8b95c7f9194f4ae8f04d5591030fa903a4

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
6d7083e49a485364dd525061c36212ef

SHA1
80f926248aece376db2ceb7268aeb4eb38799676

SHA256
da45722c5ca5124e8249eb2bbf8084cbdc09c89c31f6d53828f8fa288135897f

SHA512
ba7b33b1d571d9fe9576c6be3a5bf405bca0529472bbd41827d7c1843f87e7fae4d36327822868b952fa855880f64e4b21ae985c1712bf615ef12b2f6b8c66aa

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/Web Data-journal

Filesize
1KB

MD5
2c230aca0bd41ece95f8488031dd189d

SHA1
dcb874cccb5f946bcd82cfdb2c4a12579e79c5ff

SHA256
1363b15e947c153390b5245b816896f973b18698d46d8c6963b65ad2f9b65ac2

SHA512
d1345b7fa3f6fb3a13def1fa8ceb70f7792e9d312a7a863fca91651d7b1a0b3b6acdf2841d4b3c549a301fee09b9c17291344dab19725b6af9ed5b0df7a70d2a

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/app_webview/metrics_guid

Filesize
36B

MD5
46d081a4bfc7b7134df94b82a162156a

SHA1
74499b1aea01c051356f4c8bdf3e3ab5e10631e0

SHA256
c204c0f505991f7046401231d199dde0db7af295de2e7ad77b6ffb63c8f413f2

SHA512
32eec651c8531384ae2b6dfa3ef71aca7b5ae150fec2452dfd85e4554f31cb7104836c92e85e2de300f6a7dfb658d8cf8c16efe2a09f8e9dd653713a15f72dd1

Download Submit
/data/user/0/cgiritcdrcrlgexjqzundrw.rmrzmqycqjiaagb.xmpuqzpefasgunqucqaphmdoasq/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit