alienbot | e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20

Analysis

max time kernel
870836s
max time network
149s
platform
android_x86
resource
android-x86-arm-20230824-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230824-enlocale:en-usos:android-9-x86system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20.apk
Size

2.2MB
MD5

8367c4c697115e6de5779785299fde57
SHA1

f453b72a6ba3e8dbfd747dbccd7980f13204f062
SHA256

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20
SHA512

a7c31b94aa5b6539c76ed7bb094f235f97324666f13ff8f59b2b89aae061856a37f1f7b5e2d322a348d7a41fc13f4bcab2ef3cbbd140320ffd6d64cc86bfaca0
SSDEEP

49152:X5On6l+9IMZ/aY4toyk7LIzVjEeQ3PlHJXTuNM4fhO73rMYUIZimnpuxdRv0wc17:X5GxaxtogzVjEeQ39HJXTuNM4fh03rfr

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi6581.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi6581.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.grant.person

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.grant.person
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.grant.person

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.grant.person

pid process

4111 com.grant.person
Acquires the wake lock. 1 IoCs

Processes:

com.grant.person

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.grant.person
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.grant.person

ioc pid process

/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json 4111 com.grant.person
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.grant.person

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.grant.person
Removes a system notification. 1 IoCs
evasion

Processes:

com.grant.person

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.grant.person

pid	process
4111	com.grant.person

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.grant.person

ioc	pid	process
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	4111	com.grant.person

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.grant.person

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.grant.person

com.grant.person
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4111

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.grant.person/app_DynamicOptDex/oat/pFnU.json.cur.prof

Filesize
395B

MD5
6667db1250130f256af6164618fc24e9

SHA1
ad7f778f68afe54e5e4937a12aa89c548a228411

SHA256
c4b5a9ed5567dc7bda30c7dda1583c0f389df395bc67625ead05bdcfa9713676

SHA512
2735875a735095478e4fb4931318f03643938d90affea6c3d84ba2e538f64e792ed4084faf6933aa80c9d7a2360d8ce330d72094475dc79ed6329cdc36fb52fc

Download Submit
/data/data/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
4eedca40cbfd0261d247fee18172b867

SHA1
e7cbb894e67e0f8042bd907ca24633d3763c5e90

SHA256
aab746e5b57d916cbd1c17f93a6dcba438021dd63184a1ead4f6d20b6cc64b6e

SHA512
7f8b6195e3bbc61dec96f49e92e93462b4ff52300b5386518f05eb203069870119e8271f8cb5b56eca252bf92c7c22d86db6318c18519c9a1fae62109dd88cf0

Download Submit
/data/data/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
6f9bc8a2c656367f8dd610b7cb12d2e8

SHA1
80dae4e8d0da976de314ba440c0eabd363281ca4

SHA256
16f48f6acb25c859fe8bc0334c3faf53ea28ce4e8436c1d39c472e2687b2e3c8

SHA512
0926b545766b0810ff9e586f7b3d9af815ca3af89c4692aa1efd497cef4f4427f7da91771ac52f92821b508455ae5d1bfb62a6a66665ee99c4d142cac8af1b79

Download Submit
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
483KB

MD5
bfb0786a37b68d462f3929135065f759

SHA1
5856617e29a1a98c29f14155161d26274b726f0a

SHA256
ae20a9b08e386c89458465af1368475c77e5fa71e75b0f3ba5eab9ec8a0abf8d

SHA512
4f5767eed21832e50c304ec7661d0ae39eb6fc1412b1d6345e245588e6a9b653c9c9fd3ebd43582d2a0720f3cda4580379e9562e83d5740c76aaefab95229960

Download Submit