alienbot | 6a41f27d45308f281b986b4dfed2989781a0b69cbf069bc84f28e333b56d6dbf

Analysis

max time kernel
870784s
max time network
169s
platform
android_x64
resource
android-x64-20230824-en
resource tags

androidarch:x64arch:x86image:android-x64-20230824-enlocale:en-usos:android-10-x64system
submitted
26-08-2023 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a41f27d45308f281b986b4dfed2989781a0b69cbf069bc84f28e333b56d6dbf.apk
Size

2.1MB
MD5

6b5f91af50e12627a8125ed7803cce65
SHA1

4fd9bff7e333300c0ec69b22fbd61de96594daee
SHA256

6a41f27d45308f281b986b4dfed2989781a0b69cbf069bc84f28e333b56d6dbf
SHA512

ccd7877fa2ee11e2a3b62a72a352e6353e6fe004760fbff8cdc6ad365f0b2b8a9693e170b0f0380e82b573df80b3f2605a0f8ffeda6694475069f79bc69e67e1
SSDEEP

49152:IOnnxNRARz7R+vrjydjUYlUXzEr7dLMSHSVLSYS9ETtY2D+a7a:IOyRz1+vQUdcdLdHSVhS9EL+aG

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://45.81.39.102

rc4.plain

Extracted

Family

alienbot

http://45.81.39.102

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/5009-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sock.rare
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sock.rare

Removes its main activity from the application launcher 3 IoCs

stealth trojan

pid	Process
5009	com.sock.rare
5009	com.sock.rare
5009	com.sock.rare

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sock.rare

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.sock.rare/app_DynamicOptDex/yWsJ.json	5009	com.sock.rare

com.sock.rare
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5009
- getprop ro.miui.ui.version.name
  2⤵
  PID:5117
- getprop ro.miui.ui.version.name
  2⤵
  PID:5214

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sock.rare/app_DynamicOptDex/oat/yWsJ.json.cur.prof

Filesize
451B

MD5
73c3585e9adb75ea888697311aeed0dd

SHA1
988de28289f0a5db9688f7961a733d3524eb3dc2

SHA256
22abc8932b602e6bec94bca67e2cc71ff693727bf5ae1869a0251fca064b1df2

SHA512
38de3f0f626dbea79512c8f3fcef9291e1ecabbf79d8c2b2f1a72353b870033bffe2ea578ef4dbff6a78a07f47a50349a3cb60dd3c4d09ac9f02e971058e2df4

Download Submit
/data/data/com.sock.rare/app_DynamicOptDex/yWsJ.json

Filesize
238KB

MD5
b93ea1769b42feae29e7a9f15eeeb2e3

SHA1
1937dc34ba0c1667d2c2cdc116e25c2d2c6f9c0d

SHA256
aa39f833db5a09ccf4834b225dc1ffc02ce120968571b406fda646e3af0928ea

SHA512
143d374c069b1c603c40933f910a5d88bd38188e48c50ce876d202d85cb0ce21e8e72336a2843f0379ebb9212de99fd2a88abf650575697e2450f233ab838685

Download Submit
/data/data/com.sock.rare/app_DynamicOptDex/yWsJ.json

Filesize
238KB

MD5
34b673ea5586ff80d8f6534a5b58c6d5

SHA1
3907cefd8ecb7e0874352a0c9b2e3ca6860edf62

SHA256
e56f037f3a19888cbcec137e285c83bce06721ae410c77ef3680d86ef331cfeb

SHA512
28478f2a3386b905581598e2f601a9d5ce8ba25b04abac2bd4404ea8d83dba2fc5681faac94f40fab6150646cbcee766f1a283e627777ece9309a0c2f0e8c6d6

Download Submit
/data/user/0/com.sock.rare/app_DynamicOptDex/yWsJ.json

Filesize
483KB

MD5
ad36bd5f464c84ca31a0cd4e608fa724

SHA1
7dac615c087ac947fdcd941bce80ce89df3c5ede

SHA256
970cd465a88aac9e1754330fbadf3507bb124259f4c5b0f31542689e040ce07e

SHA512
fd0337337024b972f79a77e347bf7bfe648523102aa1d2daa080d089ba142319b013f83975778e5b045edd6991fac4a47344b0dc5dfb638b8231c4750e7540d3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads