alienbot | 1c8e57fec1fcda155912dcab99e33e0b0bd7fc7a582543bddf77c57e5db3bc96

Analysis

max time kernel
685975s
max time network
160s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03/06/2022, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1C8E57FEC1FCDA155912DCAB99E33E0B0BD7FC7A582543BDDF77C57E5DB3BC96.apk
Size

2.5MB
MD5

e0a9474a9398bd8bf0129eb063979099
SHA1

03901f3a238e40c43f5d0d68ab0dc92d2e8f63ad
SHA256

1c8e57fec1fcda155912dcab99e33e0b0bd7fc7a582543bddf77c57e5db3bc96
SHA512

53754d4ce5fe8d15a20575f8cf96370727de5127b3bb561e5aaf05956ef216a6c70fa15ce7c59e3d3cf773b3286eb85665fbf98f8950a341d27273a382307784

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://perohi21.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json	5056	pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json	5085	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/oat/x86/UmuFFP.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json	5056	pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex

pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5056
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/oat/x86/UmuFFP.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5085

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json

Filesize
696KB

MD5
eb09e2b0d70b91fa126b94c28b45a29a

SHA1
bfe56c2465365a2c789b96ebf8670377571791df

SHA256
ffcf7b638c8ba81eb11aa3fd71391704b9ff4d4d24a43eca8a00f3032aca41bb

SHA512
6890aa0fff9ca17ffaeb4f6d0f9bffbcd6003f79cfd03e4234ce11a66b3394f8eb9a3a305d61c35b120ddc8b476359046dba1feb9e26fa07d71e4dbd4d6e8f26

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json

Filesize
696KB

MD5
dd6e772c89c17ea3a4a879450bee1c69

SHA1
b0376104640d469c94bbbd8acb7d926154b891e3

SHA256
d4e16b92e28bc7c45b3a1a0ebc72158ea24c0711d27648dba2c1f4bd6b42c6b2

SHA512
9ab8ff81fab53cb6ce3bfbd85c11d3f0cc92f8dc2a1af5db0f159cf48933a14a8acf99f6da30908e6b0a6b6ecfa87a02aeb8c0b233d03f0bc62d6c7b1941d1ea

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json

Filesize
696KB

MD5
999c7609d2c7749249098bebbfcae678

SHA1
a8896cd9255d4f9168233ae6295d1f0eaed2db01

SHA256
97babc0619d5049156990dfdbf877fb94f03f5147179b38bdcc06891b70f3464

SHA512
f3ae942e3e11b8c4b42b3fa300a86a17e2b99e20eac13acb6eb6575d1108b9762b78e3c97799d785fcceddb2fe37e3509d0dd2e4a4a60bb24b35e8fbe003ad65

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_DynamicOptDex/UmuFFP.json

Filesize
696KB

MD5
dd6e772c89c17ea3a4a879450bee1c69

SHA1
b0376104640d469c94bbbd8acb7d926154b891e3

SHA256
d4e16b92e28bc7c45b3a1a0ebc72158ea24c0711d27648dba2c1f4bd6b42c6b2

SHA512
9ab8ff81fab53cb6ce3bfbd85c11d3f0cc92f8dc2a1af5db0f159cf48933a14a8acf99f6da30908e6b0a6b6ecfa87a02aeb8c0b233d03f0bc62d6c7b1941d1ea

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
38109988c63642227a0e28071febd8bc

SHA1
b994ae0887221509fbbb8e7623c13f754b78e210

SHA256
761404a0f321d596aa0db8d1d11d1b3b72b89e8c62a1d2db17fee302e80d8f53

SHA512
00d3e53e16b8de104614bf31c70d69f6ee43adbc7e6ce3d5cee5035f5d9d8f7ab18c530f0d410e6f2d587ff80688c32008cf2ae71e637ca87a6fabc50cf92cf9

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
7a662964e542f91cdb6a6ea01aba09ba

SHA1
9715e01ecd08365c84b955e088b4ea563b899138

SHA256
84220368080a4c1fb25a27b42898003f64e6aa43e7f0c67ef0f8eb42de78ed90

SHA512
d636b67402c31b9778c57e90c78ba6ae88379d612af055771032d27b6c969c50d6fdeefe74d609e379629ef4b93fc7a4d2753a8e0316b7323906374725006867

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/Web Data-journal

Filesize
1KB

MD5
bd5e93d6d84ebaeb281a5101818610b6

SHA1
b9c55bd8772d26f5586799b76f6fb866e82da072

SHA256
d58f7a0d475514c554c809899dd16098a2097ffc355008afe44dae3ceaaa7428

SHA512
17460b48a709930d96d0581b471d2b63f25255b806a23b4232fc6f1009a93e714d2c03f8562dd95d4d8b88f46d2856ba5527f69ec5d9cb897836a3814b2729c5

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/app_webview/metrics_guid

Filesize
36B

MD5
11c18c35df0d342f496ffdb52e533f0a

SHA1
2c4c8425864515ad07da57f2c09d497ce83b25d0

SHA256
a8f0155097c6ae16ea2b4ec6665d996c4f9675536e4297431f27709755643a02

SHA512
47ce288dd74b8a5478740680035d20c5415780f368aaeef33907d59909966eb68c97bc74968c90fd6259dd30a5f04e9fd3ff37ea38bed717525911fb4bc53d1c

Download Submit
/data/user/0/pkquuhla.cnwfsecopyezly.bwgckasbsenxfarex/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit