alienbot | d7decbee41ee4b8d4e39a35763a8c9a639e61113835354d08f1a0cf56635116c

Analysis

max time kernel
784011s
max time network
148s
platform
android_x64
resource
android-x64-20230824-en
resource tags

androidarch:x64arch:x86image:android-x64-20230824-enlocale:en-usos:android-10-x64system
submitted
25-08-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7decbee41ee4b8d4e39a35763a8c9a639e61113835354d08f1a0cf56635116c.apk
Size

2.3MB
MD5

619c1a75736196cc2860e3975becf951
SHA1

a463890ffb01fe52da49e9869fe8f4088a8990de
SHA256

d7decbee41ee4b8d4e39a35763a8c9a639e61113835354d08f1a0cf56635116c
SHA512

06a7685f3cf411b4054b3e86064f477e0db3b7f852c5e18c1ed089d13dd71b3f19c8b6e794362fbd11da34ceda4fcafcac0233eb764e471c7616a06102faf342
SSDEEP

49152:YaRR9t0mnFiz8aA4chhBBGm0uZPjErQfRhQPIyHdXBHNGmYLxaJzZj36QfbLKmxt:PZiA7BvZPjErQfRe9HdXBHNGmYLwJzh/

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi5698.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi5698.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4998-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.matrix.loan

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.matrix.loan
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.matrix.loan

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.matrix.loan

pid	Process
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan
4998	com.matrix.loan

Acquires the wake lock. 1 IoCs

Processes:

com.matrix.loan

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.matrix.loan

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.matrix.loan

ioc	pid	Process
/data/user/0/com.matrix.loan/app_DynamicOptDex/SJ.json	4998	com.matrix.loan

com.matrix.loan
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4998
- getprop ro.miui.ui.version.name
  2⤵
  PID:5161
- getprop ro.miui.ui.version.name
  2⤵
  PID:5215
- getprop ro.miui.ui.version.name
  2⤵
  PID:5348
- getprop ro.miui.ui.version.name
  2⤵
  PID:5382
- getprop ro.miui.ui.version.name
  2⤵
  PID:5426
- getprop ro.miui.ui.version.name
  2⤵
  PID:5456
- getprop ro.miui.ui.version.name
  2⤵
  PID:5492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.matrix.loan/app_DynamicOptDex/SJ.json

Filesize
238KB

MD5
69183f45a49ce910fd079eb0c3137e51

SHA1
1f959588023c849efc22cc53af80f13157b1bb49

SHA256
d9d3e1508775a281478aeb0961a077913d6d6389fa3c033c79f9d52d947c030a

SHA512
65f193419a51097421dbe62d0886f755a55922b1d4759993bc6338c5f1e337e6f20ec15d5c97098c4a790ba8fada3941ee44ae105c9a412b246dc43f1244dd48

Download Submit
/data/data/com.matrix.loan/app_DynamicOptDex/SJ.json

Filesize
238KB

MD5
688ba7510f022d0194352001df848ca7

SHA1
618880f3032c42be58d3f90dababb1724d091731

SHA256
db5b8e862278eaca1568299cbeed3d5b21de8e065f76116988035239dc8808f2

SHA512
3f39637bb8da82724ba793aebe16d9776d08e646031c480662328e9b3ae9d2b12945a7bf1991f748d26dab9886c9862121c7c1098ea79ee12d1d34b59f2e8333

Download Submit
/data/data/com.matrix.loan/app_DynamicOptDex/oat/SJ.json.cur.prof

Filesize
427B

MD5
0b3e142357e8bc4f8f33bcff0f9a8a06

SHA1
5e495f3169f40aa395c8608efa012e5d7ca017cd

SHA256
b27a81955ee332a079fd8e08ae46ea9913f2baa2d5965b0f5605066a73fde880

SHA512
d45221e2c70bdc76f4112ee8b510b50e57a823341792137d2db679af0ae34a75b1173755d685ee2e7b8bf4a60f9c55ea2d8972582f51f235ffe9fef37715d437

Download Submit
/data/user/0/com.matrix.loan/app_DynamicOptDex/SJ.json

Filesize
483KB

MD5
ca99eaadef4d10c4f8e632887a2efce2

SHA1
252a8a270ff8702532f9f2b1e206e6c0ab2bd351

SHA256
78c531f34a9290f28cbb7ba2fdbd7a92c9c3c8d217321a05a83a193eae5df488

SHA512
30bc73b450c7eeee28f233ca70fafb90a1271d44fed124630b33c634db6491bde8b2789e78b64ca528481d832db4a36964feb6434dddc9872f21ceb42a571eb1

Download Submit