alienbot | 2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2

General

Target

343453ab84e5d94e21658fd2356f30a7.apk
Size

1.6MB
MD5

343453ab84e5d94e21658fd2356f30a7
SHA1

695508970154b12a34e32246ab2cec05a1d112a0
SHA256

2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2
SHA512

6fa36f56aa8b94a66a8c31c6455b3694aa1b3d04e900459647ee4311f91b604a10918547e784d69731b3b530e247f77787ea3357b63952bdf2fac9edbf7801a5

Score

10^/10

alienbot banker infostealer trojan

Malware Config

Extracted

Family

alienbot

C2

http://skakkiopiskattkio.info/

http://adkfjsadlkgjasdlkjaslkgjargq0rg.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json	4543	kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json	4586	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/oat/x86/CiGgst.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json	4543	kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw

kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw
1⤵
- Makes use of the framework's Accessibility service.
- Loads dropped Dex/Jar
PID:4543
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/oat/x86/CiGgst.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4586

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

Filesize
413KB

MD5
41401431ee0fc1d38608557120399ad6

SHA1
9393c24e5cf33782c65ab656bb0a71292ae61743

SHA256
696892a0692c04f7f9030e3cce5661f237bb47b5084960859011d866cce2d1cf

SHA512
67446267de0c3823ddbf6a3872102fe9aa976b64024919bef48a2e51c5e397253dba1125d9494e92a65fd05af3dba08a114746029113508a0afd2180ac1d8bf6

Download Submit
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

Filesize
413KB

MD5
fdb2f4efa95dd8b5ead7527c92f24542

SHA1
501f2094015b630627584daf8a3b0cb7035b5c49

SHA256
d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32

SHA512
d35478cb35a2dadd295bcb9b85807dcb1df982d737687d52475366a5262c7762c5e870b6dda8cfe0145073be74df0c48a96bd014d49c985e7029cae830208d2b

Download Submit
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

Filesize
413KB

MD5
0a3e50f362ea5a96af43a78c858a06e8

SHA1
1b1adb8720282c4bc994ff742135f58456bb96a4

SHA256
f6e9df21f02962d3832b60c3078c2e7b12db171ee58db48e448cb01380e0ed50

SHA512
cadb1261bb45c979663f4e9a80c20294b43f445a0e4ef104d85d752c8272fe9a05445bac805169b30dd8f052b81cc7847092b290c5730976311275a32c8a075b

Download Submit
/data/user/0/kpnzpybeuzgodgqaaeosx.qbfcmsu.uqpcbfedjuwfceddw/app_DynamicOptDex/CiGgst.json

Filesize
413KB

MD5
fdb2f4efa95dd8b5ead7527c92f24542

SHA1
501f2094015b630627584daf8a3b0cb7035b5c49

SHA256
d341f67e2cd0a2dad1ff18b7b396356cd06854b09ae37a4d6376003332ff8c32

SHA512
d35478cb35a2dadd295bcb9b85807dcb1df982d737687d52475366a5262c7762c5e870b6dda8cfe0145073be74df0c48a96bd014d49c985e7029cae830208d2b

Download Submit

Analysis

Sharing