alienbot | 58189275cb8f04c6347ad2036c22bd0cc1a1c973a384bb99a98fb86782a7acfb

Analysis

max time kernel
2731086s
max time network
138s
platform
android_x86
resource
android-x86-arm-20220621-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220621-enlocale:en-usos:android-9-x86system
submitted
15-08-2022 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58189275cb8f04c6347ad2036c22bd0cc1a1c973a384bb99a98fb86782a7acfb.apk
Size

3.6MB
MD5

c2346156e936a054e9c2b792825c545f
SHA1

02854f557537b2d9c0a2c7287df639008b034d87
SHA256

58189275cb8f04c6347ad2036c22bd0cc1a1c973a384bb99a98fb86782a7acfb
SHA512

27e5228d8367958f4d0e7f239375a614dede693562a389ab905f9bcfe4eb2b14ee1d37ecf627364c7c5920fd38b0b5406cf119157db9752bd2de59bb2de7cd4c

Score

10^/10

alienbot banker evasion infostealer trojan

Malware Config

Extracted

Family

alienbot

http://0lkoypi8ckkv9e.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.classic.supposedly

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.classic.supposedly
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.classic.supposedly
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.classic.supposedly

Acquires the wake lock. 1 IoCs

Processes:

com.classic.supposedly

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.classic.supposedly

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.classic.supposedly

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/x86/EDgPLApafeX.odex --compiler-filter=quicken --class-loader-context=&com.classic.supposedly

ioc	pid	process
/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json	4749	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/x86/EDgPLApafeX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json	4643	com.classic.supposedly

Reads information about phone network operator.
Removes a system notification. 1 IoCs
evasion

Processes:

com.classic.supposedly

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.classic.supposedly

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.classic.supposedly

com.classic.supposedly
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:4643
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/x86/EDgPLApafeX.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4749

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json

Filesize
657KB

MD5
e6e8da1a93ece0ae8a4544468c173cc2

SHA1
c72769b88bc5a18bee91283cc5410c96c3a0682e

SHA256
5705c4a1aa483cb829fbd79c304b04b5b27b5eca82df1431330b63aeb1eab3fe

SHA512
9c57d7713a728838535e577da96e8e934d3e8b9111d78ff5ff16d30a0b2f67106999b5892574a5f8a8f8c452a53826e950743f0785a2cdae037bc2a4a71d8354

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json

Filesize
897KB

MD5
793a9df1d424676778d6755e3c2c307f

SHA1
242e59afcec985bef4a6239656caaa86bc097924

SHA256
3628cfab0b9b248edf1e06e2f7403b27c26619f13a29d34545e2f8269b421465

SHA512
604c6080decc4f0152f800fe18e19ccc98542000564c62434ef1bca72744cf77f8f7274d421ed987ca4c16945a48327ffa7673901832c4aea1cd628186002c88

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json

Filesize
897KB

MD5
1a9f03d9f148d4a798b7ac8bd57251f9

SHA1
134f8aaf0bd10ccb23f8534ab3a8d2041bdcd2c6

SHA256
e19721382ee647de087fbbef629759ab6f9e43dafbe5a5aeb8c44e1c68893fa8

SHA512
36d5c86625c9ddecfd437ae7be57889235b917986886d778c9fec0f302c0e6f9e429bc8b4c03632bce4fc43a8b0536fea5f591d74b3442c61383e00cf3c6f78d

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/EDgPLApafeX.json.x86.flock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/EDgPLApafeX.json.cur.prof

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/x86/EDgPLApafeX.odex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_DynamicOptDex/oat/x86/EDgPLApafeX.vdex

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
a1097e142713d6b4c165284d9d12f9d9

SHA1
3e950afed62501f68f088b3ca1b02a4fae7237c0

SHA256
cc7bff6fdf919266f6e44c87680c8ae97f58c3deee4a8f43f576cbf246def10b

SHA512
fa9b20fde9934a7d87c5ffa781be5ccef0de0273edbdc956d42a62713819a66dd54d82bd3e873b29ae9a0805f5a2ae7e404724981eb16fd5639cec6e626b42ce

Download Submit
/data/user/0/com.classic.supposedly/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/Web Data-journal

Filesize
1KB

MD5
c2f833955c9a067b56c65b234551a281

SHA1
545a8b6b7dddba3f3bc752a98dcf85b0120407aa

SHA256
52d01dec3a0dca3dd7a091713a5669f30edd9b700cb3b5bef90d4749b309e906

SHA512
72a85bd68367ea9bed86f1cd5aa4f4f86828647d0ea3d025e72a20857f988adb3178b97dbb81a14bda2425eafddf51d88a8c57f1a41f60ff85f3a7831b3c6621

Download Submit
/data/user/0/com.classic.supposedly/app_webview/metrics_guid

Filesize
36B

MD5
be5000b2cd39497e59dc03c6e27b5a96

SHA1
04495c0a62e1adc72c5e10913c1cea543ae3844e

SHA256
e669d75daa99d495d8ac0133028345ab470d69b4d0ab77078b2789f582f6574f

SHA512
2f8f6228b773ae36060dfdaa4e325472ab34e5ce0994a063b92db11b7283c9c9c565f6b4580d8582c0fa22a2e92ed33f1e6be0caac0be2a89e585f2b73ed1d89

Download Submit
/data/user/0/com.classic.supposedly/app_webview/metrics_guid

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/variations_seed_new

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/variations_stamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/app_webview/webview_data.lock

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.classic.supposedly/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit