alienbot | 6c90dfc63bce24689c0c5922f8eac1779c01156dc54c3066bae8ca65198949f5

Analysis

max time kernel
871000s
max time network
151s
platform
android_x86
resource
android-x86-arm-20230824-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
submitted
26-08-2023 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c90dfc63bce24689c0c5922f8eac1779c01156dc54c3066bae8ca65198949f5.apk
Size

1.8MB
MD5

e23523d7d031814057ee47fb0a4fa62f
SHA1

52e52042285da521648dd97c3c47a98509f9e779
SHA256

6c90dfc63bce24689c0c5922f8eac1779c01156dc54c3066bae8ca65198949f5
SHA512

c8aba721fefa1c4df8d9003969b10f1f9db9a6a255979e3ad5a536c056afadc2d4f73bb760600f628df9bab5fd95835b18a2191e553de9a4a77ee303889a3c3c
SSDEEP

49152:Ju2k5XGGH5jLm2QyUgYHMuFWTWhL6em5SWRPZHvvyJoRL500:JJGZXjWgYsKJ0em57ZP6SRL5f

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://talatlarholdngltd.net

rc4.plain

Extracted

Family

alienbot

http://talatlarholdngltd.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.century.whale/app_DynamicOptDex/oC.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.century.whale

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.century.whale
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.century.whale

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.century.whale

pid process

4113 com.century.whale
Acquires the wake lock. 1 IoCs

Processes:

com.century.whale

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.century.whale
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.century.whale

ioc pid process

/data/user/0/com.century.whale/app_DynamicOptDex/oC.json 4113 com.century.whale
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.century.whale

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.century.whale
Removes a system notification. 1 IoCs
evasion

Processes:

com.century.whale

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.century.whale

pid	process
4113	com.century.whale

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.century.whale

ioc	pid	process
/data/user/0/com.century.whale/app_DynamicOptDex/oC.json	4113	com.century.whale

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.century.whale

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.century.whale

com.century.whale
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4113

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.century.whale/app_DynamicOptDex/oC.json

Filesize
238KB

MD5
a6ae212f985061ba286a40d696376bbb

SHA1
ad4a3abe7041c200cefab7e327147c91d19b740e

SHA256
8eeca7fa5432e9869c6cde3fe5e9c0e08bb1a1541150010f41ce6ab2b763212a

SHA512
e0faa9b3f1ee6f9b47077c2bfabb305bb63e99d69ac8c42727f60e0c1b9b3023a4a0094d9638fdd0f3d548cf62d76861d57d8ce60f129b5f9ee047f50c2f2ac9

Download Submit
/data/data/com.century.whale/app_DynamicOptDex/oC.json

Filesize
238KB

MD5
ab154cfe486e6a10a66652f108ab9268

SHA1
d85068edaedd591661027b25836175cc746e79d1

SHA256
c3ebd8f0c73997cb9a6cc131287ce988aeb618ed996b994ea370faca68aaecc2

SHA512
0e817dfeb81f533974ebc5c30d90d696a284a538bb68ed27b122eb6bacc45c0b19daf9452cde8b98df258f353c91a2fdd1ce89aa5c0e39dfa240a267f94ac8ea

Download Submit
/data/data/com.century.whale/app_DynamicOptDex/oat/oC.json.cur.prof

Filesize
364B

MD5
95ebb73331381c480eff8e0ccadf4aae

SHA1
35798ed551bdf0b17576ee4ba84f0e437bf2dc89

SHA256
427f111eac6840f702438b0577ee40d2ca517ae3c241a0a90c564335c63f9ff5

SHA512
9cba56a65bc530f4f15fedc587288602347cf1bec6d2765adcd5257574e1eb8a12fbfd95b97040c3dfa2ba8d57734c93f42ccfce1de84b767671751c8a6bf607

Download Submit
/data/user/0/com.century.whale/app_DynamicOptDex/oC.json

Filesize
483KB

MD5
e3800c18e5b583fcc1dba28154bae655

SHA1
1f76daa9e1b79d98988cacdbcc4258d00e4ee669

SHA256
fd4695ae70b53c1faea5acd81187268d451e96694f1b9f152c2840b6852b8341

SHA512
386b0dfa9070a6c96c6924bb594fb17e0f693c21e5136aadf2a200896ed947de3553eaf2ed33c3739df8ad89c664af0a16c726680a6b0a6bf00f9aa18aa7cb6b

Download Submit