alienbot | 5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595

Analysis

max time kernel
871099s
max time network
162s
platform
android_x64
resource
android-x64-20230824-en
resource tags

androidarch:x64arch:x86image:android-x64-20230824-enlocale:en-usos:android-10-x64system
submitted
26/08/2023, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595.apk
Size

2.2MB
MD5

f68a4728fde34ae60672262edade7ca6
SHA1

4d20dc6f801a493ddda69379eb7ac92b9e314a2b
SHA256

5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595
SHA512

e0c6c1206ffacd35f78526d851b757c25869badcfaf7d56e03ba0f25fd1c2c1254735f1e85977667290603132aef2d5f83cbd26b4245815dba7658b7e7d4a058
SSDEEP

49152:h+EjtDfa6yOv+tR93hFj3/5HjExQvRIHBX5JNOey5jqXxZFtI09KlPXQkXlcC3d3:njtwR93hdv5HjExQv2HBX5JNOey5uXxI

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://190.14.37.178

rc4.plain

Extracted

Family

alienbot

http://190.14.37.178

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/5085-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.inspire.what
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.inspire.what

Removes its main activity from the application launcher 8 IoCs

stealth trojan

pid	Process
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what
5085	com.inspire.what

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.inspire.what

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json	5085	com.inspire.what

com.inspire.what
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5085
- getprop ro.miui.ui.version.name
  2⤵
  PID:5166
- getprop ro.miui.ui.version.name
  2⤵
  PID:5263
- getprop ro.miui.ui.version.name
  2⤵
  PID:5425
- getprop ro.miui.ui.version.name
  2⤵
  PID:5455
- getprop ro.miui.ui.version.name
  2⤵
  PID:5487
- getprop ro.miui.ui.version.name
  2⤵
  PID:5513
- getprop ro.miui.ui.version.name
  2⤵
  PID:5550

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
238KB

MD5
5c6e4313c75d445a13b78cd2d2f7b5e0

SHA1
8a5230ffa37bf0ae3188724fe6020c9007cf5049

SHA256
5c41e5fa7e3250f21cd71b958ef7d8a64443240965de36075bed2591c0ab74ad

SHA512
7c2093660f4c7d01c66800dc12a40b7d873a0d2daa993029b018cb84555463819bba57341e30857d61f52db7516f02ab6003ed13c5bf9fbea4adcb6743ae56ab

Download Submit
/data/data/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
238KB

MD5
0a3f7b5135f9014a3bd5ada3797ab1e5

SHA1
7683f41ed510008f292e58a162da80b7a78fdd0c

SHA256
2a730e940b403afdfc254de8a1a62c264021d345bf534ac356188fa7d62a90eb

SHA512
b947d2959b80ea9a5427f9d41bb5bb1a729df5c339d09dada427e9c7a586789e97a88a554b151f39f9fc10ae124d446d5ff6e4dd2a0c40b92adf3ccba95c1bd4

Download Submit
/data/data/com.inspire.what/app_DynamicOptDex/oat/RuSGrDZ.json.cur.prof

Filesize
476B

MD5
4097403a0f4f26d0b49fcf208ab110e0

SHA1
de98b1bb9a69de19ad09e15c7e5e006ec91fd359

SHA256
32b9451c89fcde5ac59b6e40c6265bce5f6091364c2e38ef3bfdcdcd0fd52efd

SHA512
2a545d7022c27b7b40a2fe7652ba081533b1f563d4a6df58074d1a1561934863fe16877d00c8da80a718954c333729afaff6cec8a552e98147b6d4fd51cf7555

Download Submit
/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
483KB

MD5
731bcf534eb246386e8f12a82070eff6

SHA1
e8b43df4402a57f31374884b423fe7b46bd6530d

SHA256
047615749c3439f5dd7f1120750f36674e2b6b1ab06be3af71f84b4ae0647e00

SHA512
292adc4b9be2e5fe46a0a48960589c2306104b1a1e1be4eeb79b4df87de95c795b1735ed8ecef22f53d304e39b20e283c77b2210e4f54e437fb0f3fd93cce9cf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads