General

  • Target

    eeb4c044d192be3356e3c56e529df1d276c5a22bd49c57d0bab2e1d6766ee269.bin

  • Size

    2.2MB

  • Sample

    230711-a1psnafb2v

  • MD5

    333b58218b974e7f707a7a1c1d504b70

  • SHA1

    d38a10df3a999005de7e4a9164a9c63c13136b5c

  • SHA256

    eeb4c044d192be3356e3c56e529df1d276c5a22bd49c57d0bab2e1d6766ee269

  • SHA512

    829988652bead533d62ee32d06a21c366fbc568b0d356ccb48b8b9ccaabdad7307d8bedb9c8de7c53dcd995010c740b400987566502f8491b3fb2ccfb7e749c7

  • SSDEEP

    49152:b1iN0uaMMl3FAbvIwiNfjELQvFaHJXldG34H+yBjNuS4PxGp/ZfrqgHfrye5vc8R:b0NmMKGbyNfjELQvYHJXrH+ojNuS4Pk1
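As an added example (not part of the sandbox report and not code from the sample), the digests above and the C2 host from the Malware Config section can be turned into a small IOC check: it computes every digest the report lists for a given file and reports which ones agree (a consistent IOC set matches all four or none, so a partial match points at a corrupted hash in the report or in a copy of it), and it scans log lines for the C2 host, including its subdomains, while rejecting lookalike hosts. The log lines are constructed for the example; the sample itself is not embedded.

```python
import hashlib
import re

# Indicators copied from the report: digests of the 2.2MB sample and the extracted C2 host.
SAMPLE_HASHES = {
    "md5": "333b58218b974e7f707a7a1c1d504b70",
    "sha1": "d38a10df3a999005de7e4a9164a9c63c13136b5c",
    "sha256": "eeb4c044d192be3356e3c56e529df1d276c5a22bd49c57d0bab2e1d6766ee269",
    "sha512": "829988652bead533d62ee32d06a21c366fbc568b0d356ccb48b8b9ccaabdad7307d8bedb9c8de7c53dcd995010c740b400987566502f8491b3fb2ccfb7e749c7",
}
C2_HOSTS = {"girisapi5818.pw"}

# Constructed log lines for this example; the last two are deliberate near-misses
# (a prefix lookalike and a host that merely contains the C2 name).
SAMPLE_LOG = [
    "2023-07-11T05:12:01Z dns query A girisapi5818.pw from 10.0.0.24",
    "2023-07-11T05:12:02Z proxy GET http://girisapi5818.pw/ from 10.0.0.24",
    "2023-07-11T05:12:05Z dns query A www.example.com from 10.0.0.31",
    "2023-07-11T05:12:09Z dns query A api.girisapi5818.pw from 10.0.0.24",
    "2023-07-11T05:12:11Z dns query A notgirisapi5818.pw from 10.0.0.40",
    "2023-07-11T05:12:13Z dns query A girisapi5818.pw.example.net from 10.0.0.40",
]


def digests(data: bytes) -> dict:
    """Compute all four digests the report lists, so any one of them can be compared."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matching_digests(data: bytes, iocs: dict = SAMPLE_HASHES) -> list:
    """Names of the digests that match. All four or none for a consistent IOC set;
    anything in between means one of the published hashes is wrong."""
    computed = digests(data)
    return [algo for algo, expected in iocs.items() if computed[algo] == expected.lower()]


# Hostnames, optionally behind a scheme, as they appear in DNS or proxy logs.
HOST_RE = re.compile(r"(?:https?://)?\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def is_c2_host(host: str, c2_hosts=C2_HOSTS) -> bool:
    """Exact match or a subdomain of a C2 host; a prefix lookalike must not match."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in c2_hosts)


def c2_hits(lines, c2_hosts=C2_HOSTS) -> list:
    """(line number, host) for every log line that references a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
            if is_c2_host(host, c2_hosts):
                hits.append((n, host))
    return hits


if __name__ == "__main__":
    for n, host in c2_hits(SAMPLE_LOG):
        print(f"line {n}: C2 contact with {host}")
```

To check a file on disk, read it as bytes and pass it to matching_digests(); an empty list means it is not this sample, a list shorter than four means the indicator set itself needs a second look.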

Malware Config

Extracted

Family

alienbot

C2

http://girisapi5818.pw

rc4.plain
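The extractor labels the recovered key rc4.plain, meaning the configuration (including the C2 string) is RC4-encrypted with a key stored in the clear; the key value itself is not reproduced on this page. As an added example (not the sample's code, and assuming nothing about the layout of the encrypted blob the sample uses), the following is a plain RC4 implementation together with a helper that tries candidate keys pulled from elsewhere (strings, resources) against an encrypted blob and keeps the one whose output is a URL. The key example-key and the blob are constructed here by encrypting the C2 string from the report; Key/Plaintext is the standard published RC4 test vector.

```python
import string
from typing import Optional


def rc4_keystream(key: bytes):
    """RC4: key-scheduling algorithm, then the pseudo-random generation algorithm."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is a stream cipher so the operation is symmetric."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Printable ASCII without vertical tab and form feed.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def looks_like_url(data: bytes) -> bool:
    """A decryption is accepted if the result is printable and starts with a scheme."""
    return data.startswith((b"http://", b"https://")) and all(c in PRINTABLE for c in data)


def find_key(blob: bytes, candidates) -> Optional[bytes]:
    """Try each candidate key; return the first whose decryption yields a URL."""
    for key in candidates:
        if key and looks_like_url(rc4(key, blob)):
            return key
    return None


# Constructed for this example: a key and a blob made by encrypting the report's C2 string.
EXAMPLE_KEY = b"example-key"
EXAMPLE_BLOB = rc4(EXAMPLE_KEY, b"http://girisapi5818.pw")


if __name__ == "__main__":
    key = find_key(EXAMPLE_BLOB, [b"wrong-guess", b"", EXAMPLE_KEY])
    print("key:", key, "->", rc4(key, EXAMPLE_BLOB))
```

The acceptance test in looks_like_url is deliberately strict (scheme prefix plus fully printable output); with a weaker test such as "mostly printable", a wrong key will eventually pass by chance once enough candidates are tried.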

Targets

    • Target

      eeb4c044d192be3356e3c56e529df1d276c5a22bd49c57d0bab2e1d6766ee269.bin

    • Size

      2.2MB

    • MD5

      333b58218b974e7f707a7a1c1d504b70

    • SHA1

      d38a10df3a999005de7e4a9164a9c63c13136b5c

    • SHA256

      eeb4c044d192be3356e3c56e529df1d276c5a22bd49c57d0bab2e1d6766ee269

    • SHA512

      829988652bead533d62ee32d06a21c366fbc568b0d356ccb48b8b9ccaabdad7307d8bedb9c8de7c53dcd995010c740b400987566502f8491b3fb2ccfb7e749c7

    • SSDEEP

      49152:b1iN0uaMMl3FAbvIwiNfjELQvFaHJXldG34H+yBjNuS4PxGp/ZfrqgHfrye5vc8R:b0NmMKGbyNfjELQvYHJXrH+ojNuS4Pk1

    • Alienbot

      Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

    • Cerberus

      An Android banking trojan that has been rented out to other actors since 2019.

    • Cerberus payload

    • Renames multiple (130) files with added filename extension

      Mass renaming with an appended extension is the pattern ransomware leaves when it encrypts files on the device.

    • Renames multiple (156) files with added filename extension

      Mass renaming with an appended extension is the pattern ransomware leaves when it encrypts files on the device.

    • Renames multiple (168) files with added filename extension

      Mass renaming with an appended extension is the pattern ransomware leaves when it encrypts files on the device.

    • Makes use of the framework's Accessibility service.

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Executes a Dex/Jar file that was dropped to the device during analysis.

    • Removes a system notification.
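The "Renames multiple (N) files with added filename extension" entries above are one heuristic reported three times with rising counts (130, 156, 168). As an added example, not the sandbox's own signature logic, this is how such a heuristic is evaluated over a list of rename events: it keeps only renames whose new name is the old name with an extension appended in the same directory, groups them by that extension, and flags the burst once the total reaches a threshold. The events and the threshold of 50 are constructed assumptions. The check sees only file names, never contents, so a mass rename with no encryption (an unpacker or installer rewriting files in place) trips it just the same, which is why the report says "suggests" rather than asserting ransomware behaviour.

```python
import os
from collections import Counter

# Constructed rename events (old_path, new_path): 130 photos get ".locked" appended,
# plus three events that must not count (a plain rename, a different name, and a move).
SAMPLE_EVENTS = [
    (f"/sdcard/DCIM/IMG_{i:04d}.jpg", f"/sdcard/DCIM/IMG_{i:04d}.jpg.locked") for i in range(130)
] + [
    ("/sdcard/Download/report.pdf", "/sdcard/Download/report-final.pdf"),
    ("/data/data/app/cache/tmp123", "/data/data/app/cache/classes.dex"),
    ("/sdcard/DCIM/IMG_9999.jpg", "/sdcard/Backup/IMG_9999.jpg.locked"),
]


def added_extension(old: str, new: str):
    """Return the appended extension (with its dot) when new == old + '.<ext>' in the same
    directory, else None. A rename to a different name, or a move, does not count."""
    old_dir, old_name = os.path.split(old)
    new_dir, new_name = os.path.split(new)
    if old_dir != new_dir or not new_name.startswith(old_name + "."):
        return None
    ext = new_name[len(old_name):]
    return ext if len(ext) > 1 else None


def rename_burst(events, threshold: int = 50) -> dict:
    """Count appended-extension renames per extension; flag when the total reaches threshold.
    The threshold is an assumption for this example, not the sandbox's value."""
    per_ext = Counter()
    for old, new in events:
        ext = added_extension(old, new)
        if ext:
            per_ext[ext] += 1
    total = sum(per_ext.values())
    return {"count": total, "extensions": dict(per_ext), "flagged": total >= threshold}


if __name__ == "__main__":
    print(rename_burst(SAMPLE_EVENTS))
```

Grouping by extension is what lets an analyst tell a single-suffix ransomware burst apart from a build step that renames many files to several unrelated suffixes; the count alone does not.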

    • Target

      closebutton.html

    • Size

      981B

    • MD5

      c8efa039f4f84b2705a8e3a3b31da61c

    • SHA1

      669749429feda1599c4ee980cfd67fbb1a54c1a4

    • SHA256

      494693c2ac56ecac1a2588c25631e1bf71211fb0f06108649a983c879315b1aa

    • SHA512

      db6c9817469c937a41eedbbbdaeb21a0860fa5228258978fe59d29c75ab1497b8d1a0ceaae2b236206d6935e186deaf0d83a73791658fa68a985dfc5c314aed2

    • Score

      1/10

    • Target

      core_wrapper.js

    • Size

      5KB

    • MD5

      2558e92bdb03c3e4685d4320a7cbe715

    • SHA1

      9feff7ec75024ba6d9753ea233ffbe0b7bc04bf7

    • SHA256

      99a17d18531953e748103eb021738a42eb9fe675532a4d42441d3bc34e048bc8

    • SHA512

      83409561241255be24558f6b238f1687ea7f703d6950a8ad54ff4c50aa9c62af490b74e9b60379ff074b92942bf4752a653a19c4da2b554ac59ecfa0f5fad9f3

    • SSDEEP

      96:MIn5NKjaILnYJX+myXjfaw17BLyHjLAHIIJUU/AUYYg8InG+d:N5NKjDrYJX+my7aw17UHjLAHIIJUUAW8

    • Score

      1/10

    • Target

      lynx_core.js

    • Size

      179KB

    • MD5

      e7cfc2c0ca21ac6ed87869dbaf29afda

    • SHA1

      b4db4af75b92b08408c8f0b9d9ac5ddd32d80b1d

    • SHA256

      015c037a7efc9b28b6a55c6b1c18c1b71fed16e3ee1e630dd45906864ad709ec

    • SHA512

      a51e1247a451d0f12872455d2425771a7ba335c79630ccb7e423c4cdbfb48be7b6402c7283602c812930d46f562999edef809e5215516c5f4e89bf3037d2455f

    • SSDEEP

      1536:te01PJrNd3xF5KPIL0B/8kX9RHytxM9+Wn3Ocm3RzC4+KmbDEyJ7NRIY36Sq+HzM:3RJrZztUKC4+HIfSqL414T

    • Score

      1/10

    • Target

      nd

    • Size

      6KB

    • MD5

      f6c6587ac2127318e57df26f29f9d92e

    • SHA1

      b68b68ee5b2aa52d0e93a795ee83d0084eb3b4f1

    • SHA256

      5a2c00182af9b6062876f1ebf9076a4f53bd78da5d59bcc8a9e51ffc0eb93a59

    • SHA512

      3465e098e7c9f00873375c156d97417c6ae0328fbaab33796e498edf05f6b917cb2de31eea6a9b2b76c0c4798aca0aadb6b211e5c06563d637ce5220b3e30700

    • SSDEEP

      96:BxEnFiv6dMo0mqOoLR9ooXo7GUGcbhWVevATWJ4:YnFi6eo0mqOovooXo7G2bhB8v

    • Score

      1/10

    • Target

      slardar_bridge.js

    • Size

      3KB

    • MD5

      cc0a24c68fce308319dbb627a0836a35

    • SHA1

      a19813e37b11803b940d9cc636aa9fa6510e42de

    • SHA256

      751c84bc61085dd3baecfe3a51dd3d2f175ca3c5bd61f0c6bdac0817120a4e79

    • SHA512

      576f30fca86a1bae7f4fd401c893685472395c39beef7cd0a5b1fe2010d594b77541187e6bf94e50cb477e4c8761af1fd557ddb0a61d2890436d1b7b79e10181

    • Score

      1/10

    • Target

      slardar_sdk.js

    • Size

      51KB

    • MD5

      adc5dbfdfc9c87ce72f6f73f1809fd7b

    • SHA1

      3b4233e9e367096cca64ba489172329af9887c4c

    • SHA256

      5ca3eec94dec06c18431512cbcdcf3d920ce25cbc2774b498f8a1f41d1216027

    • SHA512

      55e0a7f94f9e7816722b4cfa91f395bf5e418274f0a06b696dbd237f95e45e6da271fd10df21981548dec0fe008c23850eeeeace7752aad2a528dff740c1526b

    • SSDEEP

      768:x8Z9bbDO4P6/JkK3eqB/jYYzVpKmeu8E3B/6d0:xOW/mK3/jY2

    • Score

      1/10

    • Target

      template.js

    • Size

      131KB

    • MD5

      dc81f87fea004f156041a43a941d1283

    • SHA1

      f9877561bcf371421a8672453f5f492a4595813d

    • SHA256

      54f4fdc9885db4ad3e66e623b5e79e2f9ca0b842cb8facd3c38e108cee1cc6d6

    • SHA512

      efe4c1bcd913ab08307032f75f7f03db48fa2b4ee0a18c33cd2463cf0a49d81f9d766c0d628fe170e94e43fef3d488a6a3fb1309b78bc40b0c2ee3aac24febcb

    • SSDEEP

      3072:NUhk+e1Iif77WeCtQC13g/gpMmlOFsy4rU1vxC/u:keCtQC6/ywFB4KE/u

    • Score

      1/10