Overview

overview

10

Static

static

7

5cd54a0f28...95.apk

android-9-x86

10

5cd54a0f28...95.apk

android-10-x64

10

5cd54a0f28...95.apk

android-11-x64

10

closebutton.html

windows7-x64

1

closebutton.html

windows10-2004-x64

1

core_wrapper.js

windows7-x64

1

core_wrapper.js

windows10-2004-x64

1

lynx_core.js

windows7-x64

1

lynx_core.js

windows10-2004-x64

1

nd

ubuntu-18.04-amd64

slardar_bridge.js

windows7-x64

1

slardar_bridge.js

windows10-2004-x64

1

slardar_sdk.js

windows7-x64

1

slardar_sdk.js

windows10-2004-x64

1

template.js

windows7-x64

1

template.js

windows10-2004-x64

1

Analysis

  • max time kernel
    871098s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20230824-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
  • submitted
    26/08/2023, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595.apk

  • Size

    2.2MB

  • MD5

    f68a4728fde34ae60672262edade7ca6

  • SHA1

    4d20dc6f801a493ddda69379eb7ac92b9e314a2b

  • SHA256

    5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595

  • SHA512

    e0c6c1206ffacd35f78526d851b757c25869badcfaf7d56e03ba0f25fd1c2c1254735f1e85977667290603132aef2d5f83cbd26b4245815dba7658b7e7d4a058

  • SSDEEP

    49152:h+EjtDfa6yOv+tR93hFj3/5HjExQvRIHBX5JNOey5jqXxZFtI09KlPXQkXlcC3d3:njtwR93hdv5HjExQv2HBX5JNOey5uXxI

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://190.14.37.178

rc4.plain

Extracted

Family

alienbot

C2

http://190.14.37.178

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.inspire.what
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4234
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.inspire.what/app_DynamicOptDex/oat/x86/RuSGrDZ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4266

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json
    Filesize

    238KB

    MD5

    5c6e4313c75d445a13b78cd2d2f7b5e0

    SHA1

    8a5230ffa37bf0ae3188724fe6020c9007cf5049

    SHA256

    5c41e5fa7e3250f21cd71b958ef7d8a64443240965de36075bed2591c0ab74ad

    SHA512

    7c2093660f4c7d01c66800dc12a40b7d873a0d2daa993029b018cb84555463819bba57341e30857d61f52db7516f02ab6003ed13c5bf9fbea4adcb6743ae56ab

    Download Submit

  • /data/data/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json
    Filesize

    238KB

    MD5

    0a3f7b5135f9014a3bd5ada3797ab1e5

    SHA1

    7683f41ed510008f292e58a162da80b7a78fdd0c

    SHA256

    2a730e940b403afdfc254de8a1a62c264021d345bf534ac356188fa7d62a90eb

    SHA512

    b947d2959b80ea9a5427f9d41bb5bb1a729df5c339d09dada427e9c7a586789e97a88a554b151f39f9fc10ae124d446d5ff6e4dd2a0c40b92adf3ccba95c1bd4

    Download Submit

  • /data/data/com.inspire.what/app_DynamicOptDex/oat/RuSGrDZ.json.cur.prof
    Filesize

    455B

    MD5

    e4c3f9e35c9d682b848dfc13727bae84

    SHA1

    1d544bb2459dbcf7b8667833adf7af4f5ccec49d

    SHA256

    aa97c1bbcfde3a176c21776aa18dec2be86f204debde7a30802dff930362350c

    SHA512

    57d9e9fb079ad98774c4564f2305efce7bb485b851024e4bce343160021b6f0a6d0ed6bb2fc02d227fb58764aede367b7fcc4e1e5682e6f25b854fed048fb162

    Download Submit

  • /data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json
    Filesize

    483KB

    MD5

    4fe15394467b1e38b1e9c567e094ac53

    SHA1

    cc2954bd92e7dd19feb6093e83c0658fd29c1280

    SHA256

    4cc052412b063509eca891398d261ad057555262b998fa16645a8e8c1515799c

    SHA512

    6a0d3e9437dc4675b4f2c8d7b4ebd9cbf8c4487482b07a45a7cdcafe5cd4849965c3dc0faa298ebd9ff0c0c2d11be6fddd3854b4048dd5757b63210dfb2ceac7

    Download Submit

  • /data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json
    Filesize

    483KB

    MD5

    731bcf534eb246386e8f12a82070eff6

    SHA1

    e8b43df4402a57f31374884b423fe7b46bd6530d

    SHA256

    047615749c3439f5dd7f1120750f36674e2b6b1ab06be3af71f84b4ae0647e00

    SHA512

    292adc4b9be2e5fe46a0a48960589c2306104b1a1e1be4eeb79b4df87de95c795b1735ed8ecef22f53d304e39b20e283c77b2210e4f54e437fb0f3fd93cce9cf

    Download Submit