alienbot | bfff778183267993da2ccf95f9fb3556dcacd90210da907b032e49b37656d300

Analysis

max time kernel
682480s
max time network
162s
platform
android_x86
resource
android-x86-arm-20220310-en
submitted
03/06/2022, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BFFF778183267993DA2CCF95F9FB3556DCACD90210DA907B032E49B37656D300.apk
Size

2.5MB
MD5

08a551f7207bcc6545db870d9b23b08a
SHA1

cb651a07e16322b7190fc414769032af7b34953c
SHA256

bfff778183267993da2ccf95f9fb3556dcacd90210da907b032e49b37656d300
SHA512

7a09f875a4e33b3327e98a3883cc51bc8fc309b8b953396a6a703f37d8d017f4dc33ed94e320c9030ae218d9a49ee8bcf052413f9f1b2a8f59e1b33dfe4e9fe5

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://perohi21.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json	5307	rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json	5361	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/oat/x86/bmgdfwe.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json	5307	rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb

rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5307
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/oat/x86/bmgdfwe.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:5361

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json

Filesize
722KB

MD5
7f7d53087effcde4134c5c2a7829028b

SHA1
433d8289be279ecccfde49ebe3d9dd282b040145

SHA256
f5ec8fd4aeff5bb519624cf326fdc1fff64ef906174a944f2d06adcc20c4f95f

SHA512
01285ba1636f0566382786442960ffee8472d0843963b115eee5fdd920dd7625ad543f4c661720608c0fe4cfe65255d248861a2bc52f637d264f9b3134d1e7a6

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json

Filesize
722KB

MD5
e36136b02dec19a75a64ee8669d57cda

SHA1
602c3548d6c51ad0b8b147dccd7a70f5c674917e

SHA256
b69cafa97e2ccf94b01dd354720d856d657eaf58ff2a64fd5423e98839f2abbe

SHA512
bc050b9acc96a04bd5b1080ba24de31c82741f1ed8421fb6358d4b7268dce18584d110f3576207a16612dd46a235ecce94f58e5e03ce6fab8af7ff73611c5d19

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json

Filesize
722KB

MD5
60f954f93ee28a5d7a272a0cd42d2dde

SHA1
298a93dd203b8e55bca261fcec0afb849a51e49a

SHA256
9826e99aa4e79bd3fa3fbdf02bab66daad249f711c4b91fdfde9f3537b9be530

SHA512
ab7ee2a5f0b0f87c2f3cdad7255dc90119a2a1c44e48dd938b0365acef14356488ada52c92d08b84a7ea40218f1310f4d0cbe5bb225aea6ddb20620eb34149ad

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_DynamicOptDex/bmgdfwe.json

Filesize
722KB

MD5
e36136b02dec19a75a64ee8669d57cda

SHA1
602c3548d6c51ad0b8b147dccd7a70f5c674917e

SHA256
b69cafa97e2ccf94b01dd354720d856d657eaf58ff2a64fd5423e98839f2abbe

SHA512
bc050b9acc96a04bd5b1080ba24de31c82741f1ed8421fb6358d4b7268dce18584d110f3576207a16612dd46a235ecce94f58e5e03ce6fab8af7ff73611c5d19

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
7a6626a90ab12f07e2e600495382b5d9

SHA1
6206289a09217dbc34398f166a9582f1c611dc10

SHA256
d06951323f863e787011c4a1dc84dc90a408c4abace2a76436d74f6bc4cb90c9

SHA512
f576156c2fc40ece8ac70f967e47459bba4ebc0ff0564fb9ce9021cbbd7b2455629373e5976a4ef412c8ccc49938de7dc8282c2011eefbfd05afc95aa0042ddf

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
b412b78cc2446d5de5f24f8028dfeee8

SHA1
19f547d142f704ccf4ace02f6ebfd704ba779746

SHA256
33901ae2147d56f768a2f11c61cba778a2402b2fac13ccb79ca0031537a2bff5

SHA512
1eb649841ff66e32203f7733ed8b9ea9f5edbe3648a78fb965baea58150d1dc17e7402ca259e88310815f1ec1e28dcfacfc0c6a17c9d14f966b9de1eb4e3b03b

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/Web Data-journal

Filesize
1KB

MD5
db918d94b2ed27f789475e29938f33a1

SHA1
6b3f9751e7fe82b901afd211a97f74a446e663bd

SHA256
b07d76fb76625c763a0885c9d204dac61f5170881d58f916dcf1eb378b96ed6d

SHA512
88e0ad0c7151be7a78644a2d969590fc3b94c3961cb589d7e977e7fd3659c73836124a2e0066e4d4a6e7641b5299d92b6a3bba1785d596e0220eaa7bb910aea6

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/app_webview/metrics_guid

Filesize
36B

MD5
f5235784357e7493d9e1757ac14ae32b

SHA1
e1037f35744b2ad77a0c8164e221f1f556ff23e6

SHA256
cffa898b483c0367a3b31dfd3c07aa7aa9f20356b83447c987d0a6211676c332

SHA512
8f020ab113b6a324bade71130e1f797a6c47007cd81cac5dc511a05ecd7ae3e8dd2d54d03e056fd68224b34b1706753419579d5ffca76d08b567340e02f2831d

Download Submit
/data/user/0/rllidtt.wboceuqtzq.bwnsrjtnyggeybdokasofwmgrb/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit