alienbot | e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4

Analysis

max time kernel
870433s
max time network
138s
platform
android_x86
resource
android-x86-arm-20230824-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
submitted
26-08-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4.apk
Size

2.4MB
MD5

34c5814c9f1bc5e15c9b7554178ad894
SHA1

6e04f5e4cc2307ca4fc4909c73f274731cd40869
SHA256

e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4
SHA512

4959c9c1ac0f201b5998192ba2ce3457a5c5efe5192db8053b43d1a2f5fe831b4867398e5b31810089d60803021cd4530616f179f9bf2e77bc15af7c97fc9fea
SSDEEP

49152:/g9o9qixF9nhspwsAVk5b/yhXoEZy5lLGVVfoGFT9B/+GxEe8ZqSbcHtk3X0g7bh:/yo9qW7hpabwXoEZsCB5FCGxEFqSgNWx

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi9327.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi9327.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	family_cerberus
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.portion.initial

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.portion.initial
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.portion.initial

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.portion.initial

pid process

4210 com.portion.initial
Acquires the wake lock. 1 IoCs

Processes:

com.portion.initial

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.portion.initial

pid	process
4210	com.portion.initial

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.portion.initial

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.portion.initial/app_DynamicOptDex/oat/x86/dBk.odex --compiler-filter=quicken --class-loader-context=&com.portion.initial

ioc	pid	process
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	4236	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.portion.initial/app_DynamicOptDex/oat/x86/dBk.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	4210	com.portion.initial

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.portion.initial

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.portion.initial
Removes a system notification. 1 IoCs
evasion

Processes:

com.portion.initial

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.portion.initial

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.portion.initial

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.portion.initial

com.portion.initial
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4210
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.portion.initial/app_DynamicOptDex/oat/x86/dBk.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
238KB

MD5
32abc08eeced3121f5cc9ced6cb66bfc

SHA1
2c083729ec1a4e88d8022d056f09b1ba8add5fc6

SHA256
158fc8ec304cb7f96b3136eac5415441aef5c7989eec6fa77d5efc845d160720

SHA512
28c82a835e5453ad6553da5d670e10bfa1b83c10f912bcaaa8225374efee01aba53174e22d2566db773a4ac48c0b140976fb827e982b5cd3216e83581eb13647

Download Submit
/data/data/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
238KB

MD5
20bec0eb5cd0fdffdaf4474e651489ee

SHA1
cc36ffb137e0d7ed100d51e792a6bd40add37a59

SHA256
71db3e22ea235a4757d0251d8bfca114e79946de92c620d5d6a88c6aa8079a5b

SHA512
9b8cd7f9ce83c861e28b4b99fe306b9c2f1014e5248b183c64cde28ae6dc3ec10aa68b7c67be3ef96691ff3fa036b160740a3d7cfbb63f1b517e8fe4f6afddc7

Download Submit
/data/data/com.portion.initial/app_DynamicOptDex/oat/dBk.json.cur.prof

Filesize
444B

MD5
9b5efb5946345183084e2e388f815b49

SHA1
f9fbb375234acbc50557f41eb7931cb9ca85a660

SHA256
ee90490ed3dad4cdd5d1bfe218e11a9cb09064d336ebee3c94b3a465560339d4

SHA512
134424ecadd1f1004d56d62c1af10a30d3347c6a0ad2cd358fbeb6fea9104de5905906322b68c3766b6f62daae56f6c4781f9474a6b6a0d26a92dfa020265811

Download Submit
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
483KB

MD5
d9a20c995ee68648d567fcbaee7cb28f

SHA1
a654a243b3b41b7eab393d26f4b44e2c096b6989

SHA256
1a1a3fd146d6611b4e7e40e74f7258175246c3307c563842f64c9b6f39f9e9c8

SHA512
90149696ae136bf430ac909ef33908a2a685527a6c7dbc4d2111e8957411bc708480f6e9297bcf46315f9054bab523b1d845c73b1f5964a525aa0b93d069307f

Download Submit
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
483KB

MD5
f87bc44315f48ad2199c9418cc9bc98b

SHA1
a18d81824183992897c5a789b64a86731c249213

SHA256
f4462160dfcae5fddb83c5e0c9020e887c15ace3c898b13d6defdbe9046c1e5a

SHA512
22d50472c298356d5e24848e6f6c53a84fbdb65fc1cfb53b17b32c56fd0fe5b8b07d5c157d39a6b26422e7425ee59ba220d21d5db4af1f88ab1534deb9cc5928

Download Submit