General

  • Target

    8a15f942dc320c465a63dd156.bin

  • Size

    1.1MB

  • Sample

    230701-hpz39afh34

  • MD5

    211e769d65e671f1cf41594745a7a131

  • SHA1

    69c91093a7f1dfb4b437d5c8992abdb581f7392c

  • SHA256

    8a15f942dc320c465a63dd15614dbdb659b267a29539f807c93f2ac66f5f0fe6

  • SHA512

    3d3e24ccf1ab8ff897ac411c476e9fb3f6043faa7f719ccccc87635088c0226d9e84322367b473758dc8e8b7b42ad40af317771b5e2fd2ab58854982c4c9bff6

  • SSDEEP

    24576:6c/SkDrBOiNZy6COYKcp2W00Y6uk+xFgAK9hUmZimxG7+fAoP1:THDJNZ6OEpLAxFgANmlG7+fAO

Malware Config

Extracted

Family

alienbot

C2

http://185.252.179.5

rc4.plain

Targets

    • Target

      8a15f942dc320c465a63dd156.bin

    • Size

      1.1MB

    • MD5

      211e769d65e671f1cf41594745a7a131

    • SHA1

      69c91093a7f1dfb4b437d5c8992abdb581f7392c

    • SHA256

      8a15f942dc320c465a63dd15614dbdb659b267a29539f807c93f2ac66f5f0fe6

    • SHA512

      3d3e24ccf1ab8ff897ac411c476e9fb3f6043faa7f719ccccc87635088c0226d9e84322367b473758dc8e8b7b42ad40af317771b5e2fd2ab58854982c4c9bff6

    • SSDEEP

      24576:6c/SkDrBOiNZy6COYKcp2W00Y6uk+xFgAK9hUmZimxG7+fAoP1:THDJNZ6OEpLAxFgANmlG7+fAO

    • Alienbot

      Alienbot is a fork of the Cerberus banker, first seen in January 2020.

    • Cerberus

      An Android banker that has been rented to actors since 2019.

    • Cerberus payload

    • Renames multiple (138) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Renames multiple (166) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Renames multiple (196) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Removes a system notification.

    • Target

      FAB-blue.svg

    • Size

      1KB

    • MD5

      beeb15f69eb7675da389dd2a7d25e61b

    • SHA1

      9b175d994ff139e6079aa83e8d32cd97f9799ff2

    • SHA256

      3eaad41cf652ff44c03f0100b20dbf00d0bcac736147619fe9dc66050095a1f7

    • SHA512

      5c711726090a1b3791a62fdbd78683caefbb056a900598a67851f1e1a89f0f92ee1e8854c3875a141aa958517be720c45f1c7411089c3adf7367f2e11076d04e

    • Score

      1/10

    • Target

      FAB2.svg

    • Size

      1KB

    • MD5

      a5024fe1b8259adff02d901bf33dbcf4

    • SHA1

      bc45a9613897ba56d1784045fc7bd8f575602348

    • SHA256

      61093297596e0335d5f4ed34807ad214dbdbe1c15d08cb51c7777707dc66f5b2

    • SHA512

      ea60da36d50118171c78d99dfdb955b4925c13221b45e755c2542bf9e0a60c355fb8e0f6c0a7189ea74c2d1630cb3c0532cec390cc62ca0254dc5e70ecbf227a

    • Score

      1/10

    • Target

      annotation-xml.js

    • Size

      1KB

    • MD5

      25ada2a932649287fc0251fec667fe94

    • SHA1

      6d0552b7a07c631f91985f8f0e82965fb6cfb185

    • SHA256

      80565c71be9d2c725588c5a73485ab1c7cddb35cb6986b60a2d76b9df315f90b

    • SHA512

      d02780654145254929b3da118f31f04621731a66c8d44ed0ea8915daa30426744a24d1828a5d61cebfd83cda3326f6d297c674f866d7fd1df410bf98e80fbb0f

    • Score

      1/10

    • Target

      apple.svg

    • Size

      1KB

    • MD5

      386807d5a6de6f8b74bf26897af8e092

    • SHA1

      9184e48a9f8276f32be763a254773c4e5f2017e1

    • SHA256

      be1bdd07dae30ddf977d7f1d34574f6e6d6f9cc68d3b5428315af589a8d15ca2

    • SHA512

      ab99eaf548b8f1b25516a62d814f3d7610a2d6d16c5a9401b96368cccdc5fdc84762eaa6041ff17e59a99a08c5f89b4b97662e080825d5159003d21ca7f767c1

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      arrow.svg

    • Size

      407B

    • MD5

      307d6a9e22b99a773d19844db37d9b53

    • SHA1

      eff273c09417599dd35a4d89b48141355a85eda5

    • SHA256

      4b20ca0905f62f5f33380063a9d569286aea83fe8e6a2d8584d5c0d4b6e03f87

    • SHA512

      3cb2e0dd467bb5c4b7eb049b62c5fec2547eac119d2c3756fb225ddf2057c5b1930142714d8a4c0ddb657f3e6c06e937e6ddaa245d6a8e5ddb62e5e6554110ee

    • Score

      1/10

    • Target

      bear.svg

    • Size

      2KB

    • MD5

      a3b81d60e065ed84bf23746ff5dd6b39

    • SHA1

      7420fe1744bcc51399be1efc8331d6a808335243

    • SHA256

      7bd2c80b5ed3cbf4a70706e9a07f68eb9be108cfb3046caa02362455d0896096

    • SHA512

      56987ee2776451b55eb99b13fc0981f65e824fcc61852e1a5e481e4e94c4509e058337718960640e6caa52c6a1c5db28b6a14ae5c356abae57689a6b6221f750

    • Score

      1/10

    • Target

      bird.svg

    • Size

      1KB

    • MD5

      564073fb36287299158db87208c3ef4b

    • SHA1

      d9ea8d3bbeee99b3acdc1fbd5f779d329783852c

    • SHA256

      888e1f6b188d57d2bb5c86656872193e2dc882672c67ac53a1c6828ee95f40b2

    • SHA512

      77ad8ceaa1784c765eb3ac3cd2d8da442d5bcaa8086e67de4baa929d020ffd90895fe61710f285d6668235188b9520203b86c986154815cf5de82b29c4b3ef1f

    • Score

      1/10

    • Target

      boom.svg

    • Size

      589B

    • MD5

      b4ef4359b2f85a6594ce804b36b96876

    • SHA1

      62deac4f0087d7e7486a5c725ae6588407c9f258

    • SHA256

      82dafe3ff2010e88478ffc68934006b9b6dcd6efc8d58d58d8e0f38adc35811e

    • SHA512

      8ddb0dcde339faca1cf95eff030b924e242f6b071f44deec4998c91e04d28b98de20c415070fc15b88fbcc36d04da1cd76259e3d9a448de6ff3e2b976d1dc699

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      callout.svg

    • Size

      557B

    • MD5

      e754f3032bf46c6d8d97140622f7cd43

    • SHA1

      c3b07417ea1eb6101ced7ffe4fd1b52822863a6d

    • SHA256

      6a05056f555e8ede6117732f3fa4ba5b538b0bd81fbfa2e665f7109a535e78f5

    • SHA512

      8beeec4db830502e0963276512e50513ac3d47da758e3e4b9567736ce3ef3552ee84c81ecc5657822c70adc921181e95ef1e8ba909c9dfd4828ef41fd2972e8f

    • Score

      1/10

    • Target

      callout_11_shadow.svg

    • Size

      2KB

    • MD5

      a43eaf2037b2a882b41912e5bf68e3f4

    • SHA1

      b1b73e482269c1c5370f7a6e4ab5a3b47d2c6373

    • SHA256

      354cbc8433a0fb42c500fa7039f4c7254db20eb9f589f8866846f142c45d94c2

    • SHA512

      5aa4640b5cc83376ae6f61c80bfe6e1aedd2e6eec2337f9478f4a5544cba6b1a09fd46cb4c93a8313d4843a7c42b498f610bf51ca90d476819088e8fd52b2c69

    • Score

      1/10

    • Target

      callout_7_overlay.svg

    • Size

      1KB

    • MD5

      13da4f83c32b6af839f40448ad4093dd

    • SHA1

      2dd817cbb6c2198c9b622bf8a4a4bd0f58c5980d

    • SHA256

      22a5b339c8e15d0b1393e540966b414ca577f1e6c2c4682bef22e98f74e5a5d3

    • SHA512

      3c5e37b7638099495ca3773edd1b4c780ceced0db68749c7c7437ad460ae765f1e3f952e146f7851a778f9dd32a5c7cce57ee616c0f015231b0071c9a39013cb

    • Score

      1/10

    • Target

      callout_8_overlay.svg

    • Size

      2KB

    • MD5

      65a2809f038ffa4146cf59a57e6bb32d

    • SHA1

      3b5e30bf5de229cbeb085e1ea355288d63ebea51

    • SHA256

      8dc35b01684c284e85275509e698edea94e73f6e328732993a96b881f20eaaff

    • SHA512

      2f792059b6aa0a1dd32924169fb9176e9c6523c6f17b17cbaa2486bb246b6f726e01717b47372d9558501cb2dc5f51c1564b7ce195bcde1769e07b3fb8a7879b

    • Score

      5/10

    • Drops file in System32 directory

    • Target

      callout_cloud.svg

    • Size

      4KB

    • MD5

      cd47d4b3192545c91fdddeae5adb3d8a

    • SHA1

      8d389882bb4a501bd8d2c9690a023d0c808213d7

    • SHA256

      8ec8ca9e56edab13c9b45aa0dc21a4970398ba6917efb981e4533cd510c56d58

    • SHA512

      58f8482402652807229c3d5a563c785f4f85d6f768592521b951ade7555826f49f45e41881b1012c0350ee5aa77e0e4daa22f207e0fa3ddf3f06c16e49817ddc

    • SSDEEP

      96:7OKfETG9jU7aGyVS0/K4TL+uhBj0HPDYKnCZB4qdP9:SoZuaGyg01TPhUzMd1

    • Score

      1/10

    • Target

      callout_dest_bubble.svg

    • Size

      1KB

    • MD5

      5a1b792bf859e656807fb87228b66416

    • SHA1

      21612430725df233bd8bd7e10ae17a33a7923429

    • SHA256

      07c9841559f933977b9448e4ed5e18e3000666faa8768526136bccebefe8b104

    • SHA512

      e908a8dd836b51193f62b60eda3a5371cb9f2548e0b792e90fe624e012c7d64c20c987ead14f591a1e59b7786eec31221f56148447ba8deb53082c7594462b25

    • Score

      1/10

    • Target

      callout_shape_2.svg

    • Size

      4KB

    • MD5

      6dc1e0aa43dd2a582b24b6487605fb76

    • SHA1

      c403b4c464908b8d740d03775742fdc72a6e8327

    • SHA256

      f6ec4c71c9e3ebfc1d23691364cc5736a12c3180ad35e55f4f9dc0fa3ce03669

    • SHA512

      3cced4fb52552f26f35eac6eacf8fc408b6f5e251984f486e203777b0889261db83ea127a97b5e53c246456c819b23b6d6209fec1bb3a6df5f173e66de370ce2

    • SSDEEP

      96:7OKfvMkrs4v9rTicBaUTnpI5kS0nvVfiYPl9Cb7dMM/SAWicJPjiBwlH:SoT44Vp3hrnvVqY99CR/SAWicgwN

    • Score

      1/10

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
7/10

behavioral1

Tags: alienbot, cerberus, banker, evasion, infostealer, ransomware, rat, trojan

Score
10/10

behavioral2

Tags: alienbot, cerberus, banker, evasion, infostealer, ransomware, rat, trojan

Score
10/10

behavioral3

Tags: alienbot, cerberus, banker, evasion, infostealer, ransomware, rat, trojan

Score
10/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
5/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
5/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
5/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10