alienbot | e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20

Analysis

max time kernel
870807s
max time network
168s
platform
android_x64
resource
android-x64-20230824-en
resource tags

androidarch:x64arch:x86image:android-x64-20230824-enlocale:en-usos:android-10-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20.apk
Size

2.2MB
MD5

8367c4c697115e6de5779785299fde57
SHA1

f453b72a6ba3e8dbfd747dbccd7980f13204f062
SHA256

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20
SHA512

a7c31b94aa5b6539c76ed7bb094f235f97324666f13ff8f59b2b89aae061856a37f1f7b5e2d322a348d7a41fc13f4bcab2ef3cbbd140320ffd6d64cc86bfaca0
SSDEEP

49152:X5On6l+9IMZ/aY4toyk7LIzVjEeQ3PlHJXTuNM4fhO73rMYUIZimnpuxdRv0wc17:X5GxaxtogzVjEeQ39HJXTuNM4fh03rfr

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi6581.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi6581.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.grant.person

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.grant.person
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.grant.person

Removes its main activity from the application launcher 5 IoCs
stealth trojan

Processes:

com.grant.person

pid process

5225 com.grant.person
5225 com.grant.person
5225 com.grant.person
5225 com.grant.person
5225 com.grant.person
Acquires the wake lock. 1 IoCs

Processes:

com.grant.person

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.grant.person
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.grant.person

ioc pid process

/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json 5225 com.grant.person

pid	process
5225	com.grant.person
5225	com.grant.person
5225	com.grant.person
5225	com.grant.person
5225	com.grant.person

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.grant.person

ioc	pid	process
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	5225	com.grant.person

com.grant.person
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5225
- getprop ro.miui.ui.version.name
  2⤵
  PID:5323
- getprop ro.miui.ui.version.name
  2⤵
  PID:5426
- getprop ro.miui.ui.version.name
  2⤵
  PID:5589
- getprop ro.miui.ui.version.name
  2⤵
  PID:5622

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.grant.person/app_DynamicOptDex/oat/pFnU.json.cur.prof

Filesize
390B

MD5
174c37705e72dd741057712cc662773d

SHA1
59b1b2e722fb41825047625450d6999f701bf5bd

SHA256
00b55b0e444b7b9e17eeebb5fcffe244332732369530802a7a054c4ee4eaf34a

SHA512
0a84dad9330b4c54befe8ddd61604624543d6654b56cbe79923c967d4738c0f0e15afac03d7a479321a7d738fadc8e80d161833bc44ad1a4ef54cc6e7f7d6a71

Download Submit
/data/data/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
4eedca40cbfd0261d247fee18172b867

SHA1
e7cbb894e67e0f8042bd907ca24633d3763c5e90

SHA256
aab746e5b57d916cbd1c17f93a6dcba438021dd63184a1ead4f6d20b6cc64b6e

SHA512
7f8b6195e3bbc61dec96f49e92e93462b4ff52300b5386518f05eb203069870119e8271f8cb5b56eca252bf92c7c22d86db6318c18519c9a1fae62109dd88cf0

Download Submit
/data/data/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
6f9bc8a2c656367f8dd610b7cb12d2e8

SHA1
80dae4e8d0da976de314ba440c0eabd363281ca4

SHA256
16f48f6acb25c859fe8bc0334c3faf53ea28ce4e8436c1d39c472e2687b2e3c8

SHA512
0926b545766b0810ff9e586f7b3d9af815ca3af89c4692aa1efd497cef4f4427f7da91771ac52f92821b508455ae5d1bfb62a6a66665ee99c4d142cac8af1b79

Download Submit
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
483KB

MD5
bfb0786a37b68d462f3929135065f759

SHA1
5856617e29a1a98c29f14155161d26274b726f0a

SHA256
ae20a9b08e386c89458465af1368475c77e5fa71e75b0f3ba5eab9ec8a0abf8d

SHA512
4f5767eed21832e50c304ec7661d0ae39eb6fc1412b1d6345e245588e6a9b653c9c9fd3ebd43582d2a0720f3cda4580379e9562e83d5740c76aaefab95229960

Download Submit