alienbot | 8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759

Analysis

max time kernel
684307s
max time network
156s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03/06/2022, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8484C2866F4404EFAE683034430804680EC740B0919E435C3897EE45C3AE3759.apk
Size

1.8MB
MD5

6f578eab62f3c76e7319284f6b199ed7
SHA1

368f26efd03c9e9c3c2f07d3c84c414c2cf666b5
SHA256

8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759
SHA512

398144a369836788e78f36aa928809ffcd04a43ac7168373982c6c5d8cb5db2203982643d1ef32d76f3288cc9ec2f046ebc9dddf4aeb935d519c5ee1606295f6

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://cacecarsa2.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	nziaryxzmcxobbploy.lufhis.fezdtho
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	nziaryxzmcxobbploy.lufhis.fezdtho

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	5097	nziaryxzmcxobbploy.lufhis.fezdtho
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	5132	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/x86/aT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	5097	nziaryxzmcxobbploy.lufhis.fezdtho

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	nziaryxzmcxobbploy.lufhis.fezdtho

nziaryxzmcxobbploy.lufhis.fezdtho
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5097
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/x86/aT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
85eadfc5e60acd29888f2c26534bb463

SHA1
1ac2498eea903927f2cd78220599b4fd98ea7306

SHA256
a72322c91ca9540aff284e9e46d2332870221cfd607792fb533a3eef142e9aca

SHA512
c3cb4954ebd89634a20a8c55660acbe6a32dff9a3ac2900d53bb7a66c19d5dbcbcc06f1d1b7fa6d1e7e8a20bd71bcc7c72409b5b1b7dd98c2f71f1bdf4fed6bb

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
934b81cac7ceb4caab9b8c4186b614df

SHA1
c3c0709b833348feda77972888dbdc23d38800cb

SHA256
65655dd4a51322a416408aa47625afde37a7136d2cba45f2d7ca021ae15b5525

SHA512
fc0e5c14945734b6d867baa22424a31f2f384c789d907e2d66e65136d6b39fb97264cbdc259c82d58ac058a96ede420563f233f26ec53a235a78195ce7fbafec

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
0a427b0077333b0e49a56e98edc0aee7

SHA1
d41d78fb4bd2e32c1c369605921df18391148141

SHA256
008f99b2027c1e528564106d8c461f890d383ae3d0ea94363a0f0ce266928a80

SHA512
28c1febb3d399a1f145b2e32a05fd72113690cd0d868dad619cd4e989a446a7c215e88eb539decef2e4b9a2fa46e36cfb1578175ba9b748659dc6c5be5862b6f

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
934b81cac7ceb4caab9b8c4186b614df

SHA1
c3c0709b833348feda77972888dbdc23d38800cb

SHA256
65655dd4a51322a416408aa47625afde37a7136d2cba45f2d7ca021ae15b5525

SHA512
fc0e5c14945734b6d867baa22424a31f2f384c789d907e2d66e65136d6b39fb97264cbdc259c82d58ac058a96ede420563f233f26ec53a235a78195ce7fbafec

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
1c826269979406ac977b8ff8aca488c7

SHA1
dea523c5183bef3a45c6fa7f0257d010db358a51

SHA256
78dad6e3aa6be45a08ff2ee3c3b979b7d2a428443335ea40160f1879b78ed14f

SHA512
6ab480a5a9ec13ed02ffc65cf2dd331fd04474a94579cf22f47f0d33c6ceddb65fcd5e3b86c99491199d23a1c343009b1276090578463cb564fc56d16f0f6030

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_webview/Web Data-journal

Filesize
1KB

MD5
37a3153f04ffb8707a9d3e0d30bbcd14

SHA1
430399ba1c5378faa3b08c308589c895c419b398

SHA256
c76a633a6a4a67b374dbb89f540b0f7ba56666ea98cc759abc46d8518c7088fc

SHA512
01a43c0b9b708d1b08dd5b3ee7beb7244e891c95ec5c5ad5983c80ad6da0527efe8c282baddb88beb942d05e0ad93abf51acc61069543d21af3fae35fff68a80

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_webview/metrics_guid

Filesize
36B

MD5
397422abe0fda418645c985c009d9c15

SHA1
af8c6aafd7cf350e9a3a60ba25e1064e043cab17

SHA256
40b7717e0579c3ceba9594d39a740652ab60eefe80a289296ba47b9495f9a26e

SHA512
311f9166cefea92a1d74e3913ba0d90ece807119a8bcc07b46f197635169c0916bc87ad63b9a81ce041032d41e58a4f747296cb23a9b68b1123de8e8a04d9fea

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit