alienbot | e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4

Analysis

max time kernel
870419s
max time network
163s
platform
android_x64
resource
android-x64-arm64-20230824-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
submitted
26-08-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4.apk
Size

2.4MB
MD5

34c5814c9f1bc5e15c9b7554178ad894
SHA1

6e04f5e4cc2307ca4fc4909c73f274731cd40869
SHA256

e5b16c682bd82fad9898eb1259b02c872be31a6dfa0c30e8618f06e33883d6a4
SHA512

4959c9c1ac0f201b5998192ba2ce3457a5c5efe5192db8053b43d1a2f5fe831b4867398e5b31810089d60803021cd4530616f179f9bf2e77bc15af7c97fc9fea
SSDEEP

49152:/g9o9qixF9nhspwsAVk5b/yhXoEZy5lLGVVfoGFT9B/+GxEe8ZqSbcHtk3X0g7bh:/yo9qW7hpabwXoEZsCB5FCGxEFqSgNWx

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi9327.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi9327.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.portion.initial

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.portion.initial
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.portion.initial

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.portion.initial

pid	process
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial
4380	com.portion.initial

Acquires the wake lock. 1 IoCs

Processes:

com.portion.initial

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.portion.initial
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.portion.initial

ioc pid process

/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json 4380 com.portion.initial
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.portion.initial

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.portion.initial

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.portion.initial

ioc	pid	process
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json	4380	com.portion.initial

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.portion.initial

com.portion.initial
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4380
- getprop ro.miui.ui.version.name
  2⤵
  PID:4538
- getprop ro.miui.ui.version.name
  2⤵
  PID:4791
- getprop ro.miui.ui.version.name
  2⤵
  PID:4865
- getprop ro.miui.ui.version.name
  2⤵
  PID:4907
- getprop ro.miui.ui.version.name
  2⤵
  PID:4936
- getprop ro.miui.ui.version.name
  2⤵
  PID:4975
- getprop ro.miui.ui.version.name
  2⤵
  PID:5005

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
238KB

MD5
32abc08eeced3121f5cc9ced6cb66bfc

SHA1
2c083729ec1a4e88d8022d056f09b1ba8add5fc6

SHA256
158fc8ec304cb7f96b3136eac5415441aef5c7989eec6fa77d5efc845d160720

SHA512
28c82a835e5453ad6553da5d670e10bfa1b83c10f912bcaaa8225374efee01aba53174e22d2566db773a4ac48c0b140976fb827e982b5cd3216e83581eb13647

Download Submit
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
238KB

MD5
20bec0eb5cd0fdffdaf4474e651489ee

SHA1
cc36ffb137e0d7ed100d51e792a6bd40add37a59

SHA256
71db3e22ea235a4757d0251d8bfca114e79946de92c620d5d6a88c6aa8079a5b

SHA512
9b8cd7f9ce83c861e28b4b99fe306b9c2f1014e5248b183c64cde28ae6dc3ec10aa68b7c67be3ef96691ff3fa036b160740a3d7cfbb63f1b517e8fe4f6afddc7

Download Submit
/data/user/0/com.portion.initial/app_DynamicOptDex/dBk.json

Filesize
483KB

MD5
f87bc44315f48ad2199c9418cc9bc98b

SHA1
a18d81824183992897c5a789b64a86731c249213

SHA256
f4462160dfcae5fddb83c5e0c9020e887c15ace3c898b13d6defdbe9046c1e5a

SHA512
22d50472c298356d5e24848e6f6c53a84fbdb65fc1cfb53b17b32c56fd0fe5b8b07d5c157d39a6b26422e7425ee59ba220d21d5db4af1f88ab1534deb9cc5928

Download Submit
/data/user/0/com.portion.initial/app_DynamicOptDex/oat/dBk.json.cur.prof

Filesize
316B

MD5
5e24935ad225d948750a64083dd5e745

SHA1
0093f83e0d076c74bbbbdd47835c6cfbd1c86384

SHA256
6a1f56d772ba32a4a8138ec4f69bbab8cff0ec6005b5c9b8e08e616b90ac0be0

SHA512
d905be4d6e1a8680cd3580dcf0a32650b616555e482d9bde32245d548325811a5658d5e59c6d3a02b9113c6133c1fd722abe8881ee2d83f25abe753ab77c8b95

Download Submit