Analysis

  • max time kernel
    1696821s
  • max time network
    50s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20230831-en, locale:en-us, os:android-9-x86, system
  • submitted
    05/09/2023, 11:38

General

  • Target

    c83e025b27b19399dcad71b0e40c3019.apk

  • Size

    2.1MB

  • MD5

    c83e025b27b19399dcad71b0e40c3019

  • SHA1

    e24a30b603a7b469b968cb682d83cb67d37d7cdf

  • SHA256

    2ce35170c58b4140a752bf67bf4d8c81d65a1cf49b0aa17a6f31f136bc1c85bd

  • SHA512

    f4d35a5127e86c4634ebc95dcc03c6cf11bc5fbf07bbb2032903f60599d3d144eaa97360c089ed30ac394b7b6a93d091ca2de22fb5bb0648156b0187c6d0ac22

  • SSDEEP

    49152:beeN09Xci53aEYXjUwmllgzi0J0801rBaXMwbocl1dIpkJWuO9QDenNOLjRx5j1:bJMj5KEUjNQ+MwKM6QENcZj1

Malware Config

Extracted

Family

alienbot

C2

http://79.110.62.44

rc4.plain

Extracted

Family

alienbot

C2

http://79.110.62.44

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus Android banker, first seen in January 2020.

  • Cerberus

    An Android banker that has been rented out to other actors since 2019.

  • Cerberus payload (2 IoCs)
  • Makes use of the framework's Accessibility service (2 IoCs)
  • Removes its main activity from the application launcher (1 IoC)
  • Acquires the wake lock (1 IoC)
  • Loads dropped Dex/Jar (2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings (1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
  • Removes a system notification (1 IoC)

Processes

  • com.acid.reason
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4164
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.acid.reason/app_DynamicOptDex/pXws.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.acid.reason/app_DynamicOptDex/oat/x86/pXws.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4189
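The dex2oat invocation above compiles /data/user/0/com.acid.reason/app_DynamicOptDex/pXws.json, so the "Cerberus payload" flagged in the signatures is a DEX file dropped under a .json name and loaded at runtime (the classic Cerberus/Alienbot staging trick). When triaging the pulled file, the check worth running is to ignore the extension and validate the DEX header itself: the magic (dex\n035\0 and later versions), the Adler-32 checksum over everything after offset 12, the SHA-1 signature over everything after offset 32, and file_size against the real length. The code below is an added example written for this page, not code from the sandbox, from the report, or from the sample. It builds its own minimal DEX bytes in build_minimal_dex (constructed test data with no class tables, not the real pXws.json) and reuses the name pXws.json only as a label.

```python
"""Added example: identify a DEX payload dropped under a misleading file name.

Constructed for this page; not code from the sandbox report or from the sample.
"""
import hashlib
import struct
import zlib
from pathlib import Path

DEX_MAGIC_PREFIX = b"dex\n"      # full magic is b"dex\n" + 3-digit version + NUL
DEX_HEADER_SIZE = 0x70           # fixed header_size in the DEX format
DEX_ENDIAN_TAG = 0x12345678      # little-endian marker stored in the header


def parse_dex_header(data: bytes) -> dict:
    """Parse the fixed DEX header and verify its integrity fields.

    checksum  = Adler-32 over data[12:]  (everything after magic + checksum)
    signature = SHA-1    over data[32:]  (everything after magic + checksum + signature)
    file_size = total length of the file
    """
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return {"is_dex": False}
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "is_dex": True,
        "version": version,
        "file_size": file_size,
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == DEX_ENDIAN_TAG,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
    }


def classify_dropped_file(name: str, data: bytes) -> dict:
    """Classify a file pulled from app_DynamicOptDex by content, not by name."""
    info = parse_dex_header(data)
    info["name"] = name
    info["sha256"] = hashlib.sha256(data).hexdigest()
    # A .json/.txt/... carrying a valid DEX header is the tell for a staged payload.
    info["extension_mismatch"] = info["is_dex"] and Path(name).suffix.lower() not in (
        ".dex", ".jar", ".apk", ".odex")
    return info


def build_minimal_dex(body: bytes = b"", version: bytes = b"035") -> bytes:
    """Constructed test data: a structurally valid DEX header with correct checksum
    and signature. Not a runnable DEX program and not the dropped pXws.json."""
    total = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<III", total, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    tail += b"\x00" * (DEX_HEADER_SIZE - 44) + body   # zeroed remaining header fields, then body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return DEX_MAGIC_PREFIX + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


if __name__ == "__main__":
    # Constructed sample standing in for the dropped file; the name is only a label.
    sample = build_minimal_dex(b"constructed body bytes")
    cases = (
        ("pXws.json", sample),                       # DEX hiding behind .json
        ("pXws.json", sample[:-1] + b"\x00"),        # same, with one byte tampered
        ("really.json", b'{"k": 1}'),                # genuine JSON
    )
    for label, blob in cases:
        print(label, classify_dropped_file(label, blob))
```

On a real pull (`adb pull /data/user/0/com.acid.reason/app_DynamicOptDex/pXws.json`), feed the file bytes to classify_dropped_file: a valid header with extension_mismatch set means the file should be treated as the payload and hashed against the Downloads section below, while a failed checksum or signature means either a corrupted pull or a file that is not a plain DEX (for example still encrypted or wrapped) and needs a closer look before being loaded into a decompiler.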

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.acid.reason/app_DynamicOptDex/pXws.json

    Filesize

    238KB

    MD5

    5dcb0a0f9f1f623cc8b6251dfff7d34d

    SHA1

    781c0325e19ec7c0f66a02092b9792a4afcd4731

    SHA256

    adced2bbe4abdb32a80c43e91e27d05063b1265b5e7e18cf272fd9f632a16494

    SHA512

    54b6a828071e110cc5140399ea40db33a90ccc023488e57020569c15efaeecd210aa5f31a1eac3553cae85fe656ac4d04ed7a1c99f897b85a09d076959975f43

  • /data/data/com.acid.reason/app_DynamicOptDex/pXws.json

    Filesize

    238KB

    MD5

    14f07669c9c283ff161b3ac3da7f83f0

    SHA1

    b6afeace48c71f55adb3d06b53fca22ba55ff45f

    SHA256

    12be5073538f5274f34922786093e2b3421d4f04d45427305d9af793a23b8b24

    SHA512

    a668ed7dbb2a220a15e40ad7ee5abc4f453ec848bee3add533f96742ba9f7362b5b9a0f1f7aee06769febd87df48dffa135e8cf95fa47ae27a671bfe4ee91e16

  • /data/user/0/com.acid.reason/app_DynamicOptDex/pXws.json

    Filesize

    483KB

    MD5

    f5f8b4743154eea88216c1fabad616d6

    SHA1

    da672a3f58d31efd52b33c62a15ece33f68c224a

    SHA256

    0bb2e0317d2e80b627ad63f42daa5b6d7940da8d838bdd852c7fa31518e0b050

    SHA512

    52561b6e211dbe4aa4953bb4b023467d3d5d467a178a0fbd1a343b568952406d7d0f198ee8e88527e94c1d511203f011e2298d15a71f26ac7b350af0ba5d6ea6

  • /data/user/0/com.acid.reason/app_DynamicOptDex/pXws.json

    Filesize

    483KB

    MD5

    9d9f67d1b602d0b16bb44384931787f0

    SHA1

    68d01c93a7d832702703e26da65340f14bfb7f0f

    SHA256

    213296cb2078e4c7510528764b819a079597983847e16b2c767f54849d4a5f6e

    SHA512

    df36b8bc78d78b9d629498f273aab95e2ff4c161c329cf3f49931fce96aaf1056a42b677c5e969f29b168466a7244bb184f0dff81475d15a3a5996146395b556