alienbot | 5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595

Analysis

max time kernel
871110s
max time network
167s
platform
android_x64
resource
android-x64-arm64-20230824-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
submitted
26/08/2023, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595.apk
Size

2.2MB
MD5

f68a4728fde34ae60672262edade7ca6
SHA1

4d20dc6f801a493ddda69379eb7ac92b9e314a2b
SHA256

5cd54a0f2838f2878d425ee26b9b4fd22f37be3fd8b4f134001693ee32200595
SHA512

e0c6c1206ffacd35f78526d851b757c25869badcfaf7d56e03ba0f25fd1c2c1254735f1e85977667290603132aef2d5f83cbd26b4245815dba7658b7e7d4a058
SSDEEP

49152:h+EjtDfa6yOv+tR93hFj3/5HjExQvRIHBX5JNOey5jqXxZFtI09KlPXQkXlcC3d3:njtwR93hdv5HjExQv2HBX5JNOey5uXxI

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://190.14.37.178

rc4.plain

Extracted

Family

alienbot

http://190.14.37.178

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral3/memory/4709-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.inspire.what
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.inspire.what

Removes its main activity from the application launcher 3 IoCs

stealth trojan

pid	Process
4709	com.inspire.what
4709	com.inspire.what
4709	com.inspire.what

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.inspire.what

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json	4709	com.inspire.what

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.inspire.what

com.inspire.what
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4709
- getprop ro.miui.ui.version.name
  2⤵
  PID:4832
- getprop ro.miui.ui.version.name
  2⤵
  PID:5065

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
238KB

MD5
5c6e4313c75d445a13b78cd2d2f7b5e0

SHA1
8a5230ffa37bf0ae3188724fe6020c9007cf5049

SHA256
5c41e5fa7e3250f21cd71b958ef7d8a64443240965de36075bed2591c0ab74ad

SHA512
7c2093660f4c7d01c66800dc12a40b7d873a0d2daa993029b018cb84555463819bba57341e30857d61f52db7516f02ab6003ed13c5bf9fbea4adcb6743ae56ab

Download Submit
/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
238KB

MD5
0a3f7b5135f9014a3bd5ada3797ab1e5

SHA1
7683f41ed510008f292e58a162da80b7a78fdd0c

SHA256
2a730e940b403afdfc254de8a1a62c264021d345bf534ac356188fa7d62a90eb

SHA512
b947d2959b80ea9a5427f9d41bb5bb1a729df5c339d09dada427e9c7a586789e97a88a554b151f39f9fc10ae124d446d5ff6e4dd2a0c40b92adf3ccba95c1bd4

Download Submit
/data/user/0/com.inspire.what/app_DynamicOptDex/RuSGrDZ.json

Filesize
483KB

MD5
731bcf534eb246386e8f12a82070eff6

SHA1
e8b43df4402a57f31374884b423fe7b46bd6530d

SHA256
047615749c3439f5dd7f1120750f36674e2b6b1ab06be3af71f84b4ae0647e00

SHA512
292adc4b9be2e5fe46a0a48960589c2306104b1a1e1be4eeb79b4df87de95c795b1735ed8ecef22f53d304e39b20e283c77b2210e4f54e437fb0f3fd93cce9cf

Download Submit
/data/user/0/com.inspire.what/app_DynamicOptDex/oat/RuSGrDZ.json.cur.prof

Filesize
345B

MD5
a8fe88c433cbe6ff043a877f431194d2

SHA1
06d5f119e6d74e6cc134ff7bb9baf336d6f800e1

SHA256
11652ae671e878ad6528faf67861c4ea099202ac2f2472698a6d8cd3456bd983

SHA512
b56cf38b2f910ed8a549fd51f817c6361f3791fdab6733bd87a032aa0db060f1e30f8b430fba1bd6bfdcb3e4dd1988a385d8b414f5eb03d16a3fd0709f5dc4eb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads