alienbot | e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20

Analysis

max time kernel
870852s
max time network
155s
platform
android_x64
resource
android-x64-arm64-20230824-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230824-enlocale:en-usos:android-11-x64system
submitted
26-08-2023 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20.apk
Size

2.2MB
MD5

8367c4c697115e6de5779785299fde57
SHA1

f453b72a6ba3e8dbfd747dbccd7980f13204f062
SHA256

e15e150aecbdac58bf9a81fb23c6f22e4a07c4541064fdbfdcff5c9b6d28ba20
SHA512

a7c31b94aa5b6539c76ed7bb094f235f97324666f13ff8f59b2b89aae061856a37f1f7b5e2d322a348d7a41fc13f4bcab2ef3cbbd140320ffd6d64cc86bfaca0
SSDEEP

49152:X5On6l+9IMZ/aY4toyk7LIzVjEeQ3PlHJXTuNM4fhO73rMYUIZimnpuxdRv0wc17:X5GxaxtogzVjEeQ39HJXTuNM4fh03rfr

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://girisapi6581.pw

rc4.plain

Extracted

Family

alienbot

http://girisapi6581.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.grant.person

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.grant.person
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.grant.person

Removes its main activity from the application launcher 5 IoCs
stealth trojan

Processes:

com.grant.person

pid process

4388 com.grant.person
4388 com.grant.person
4388 com.grant.person
4388 com.grant.person
4388 com.grant.person
Acquires the wake lock. 1 IoCs

Processes:

com.grant.person

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.grant.person
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.grant.person

ioc pid process

/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json 4388 com.grant.person
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.grant.person

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.grant.person

pid	process
4388	com.grant.person
4388	com.grant.person
4388	com.grant.person
4388	com.grant.person
4388	com.grant.person

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.grant.person

ioc	pid	process
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json	4388	com.grant.person

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.grant.person

com.grant.person
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4388
- getprop ro.miui.ui.version.name
  2⤵
  PID:4511
- getprop ro.miui.ui.version.name
  2⤵
  PID:4634
- getprop ro.miui.ui.version.name
  2⤵
  PID:4800
- getprop ro.miui.ui.version.name
  2⤵
  PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.grant.person/app_DynamicOptDex/oat/pFnU.json.cur.prof

Filesize
317B

MD5
513635ca1f08297c161acfe92036725d

SHA1
5dd1a0552788eae3c57bba4718867c1924e6ccc2

SHA256
967952ba3856716932ff04e9a8a73cf7b0a32aafab8096c401b5b9af32593cc3

SHA512
88a44f5befdb8b916e0420dbd37a28815e6fc53b34d3cd0105278e9cbb21add3db670ee4be9f282f9b03c8b83cc62732896ca390da3bf8a208ba1efa93c67dcb

Download Submit
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
4eedca40cbfd0261d247fee18172b867

SHA1
e7cbb894e67e0f8042bd907ca24633d3763c5e90

SHA256
aab746e5b57d916cbd1c17f93a6dcba438021dd63184a1ead4f6d20b6cc64b6e

SHA512
7f8b6195e3bbc61dec96f49e92e93462b4ff52300b5386518f05eb203069870119e8271f8cb5b56eca252bf92c7c22d86db6318c18519c9a1fae62109dd88cf0

Download Submit
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
238KB

MD5
6f9bc8a2c656367f8dd610b7cb12d2e8

SHA1
80dae4e8d0da976de314ba440c0eabd363281ca4

SHA256
16f48f6acb25c859fe8bc0334c3faf53ea28ce4e8436c1d39c472e2687b2e3c8

SHA512
0926b545766b0810ff9e586f7b3d9af815ca3af89c4692aa1efd497cef4f4427f7da91771ac52f92821b508455ae5d1bfb62a6a66665ee99c4d142cac8af1b79

Download Submit
/data/user/0/com.grant.person/app_DynamicOptDex/pFnU.json

Filesize
483KB

MD5
bfb0786a37b68d462f3929135065f759

SHA1
5856617e29a1a98c29f14155161d26274b726f0a

SHA256
ae20a9b08e386c89458465af1368475c77e5fa71e75b0f3ba5eab9ec8a0abf8d

SHA512
4f5767eed21832e50c304ec7661d0ae39eb6fc1412b1d6345e245588e6a9b653c9c9fd3ebd43582d2a0720f3cda4580379e9562e83d5740c76aaefab95229960

Download Submit