Overview

overview

10

Static

static

7

d5a786ea0f...5f.apk

android-9-x86

10

d5a786ea0f...5f.apk

android-10-x64

10

d5a786ea0f...5f.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

consentform.html

windows7-x64

1

consentform.html

windows10-2004-x64

1

Analysis

  • max time kernel
    1902230s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    07-09-2023 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5a786ea0f6499d9bb654c37a20dda6ff7d0644084762697ae181d4d19de4b5f.apk

  • Size

    2.1MB

  • MD5

    bf7c010798cd3b0afd41791d46686ba0

  • SHA1

    d59032cd5e341206b0527b85f5aedc75ba4faba3

  • SHA256

    d5a786ea0f6499d9bb654c37a20dda6ff7d0644084762697ae181d4d19de4b5f

  • SHA512

    b41cae02d199d8a6ea5bfdde446fc59000c504b8f000d8279aa7aa659e6fdfaf9186957582d54ee734db671329ac062acea84e37ddba03ccfefec62a3b1db0b6

  • SSDEEP

    49152:aL2g3N12jPKHQMcuijDri0J0801nFC/kEjQcl1dIpkJWRd5rQ0sojhCJf:21iiwMcuwkESM0rDsIhi

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://bigionlinegiris.net

rc4.plain

Extracted

Family

alienbot

C2

http://bigionlinegiris.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.frown.trend
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4151
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.frown.trend/app_DynamicOptDex/oat/x86/hgsdi.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.frown.trend/app_DynamicOptDex/hgsdi.json
    Filesize

    238KB

    MD5

    f8869e5e222ce32aef02ba043018beaf

    SHA1

    014458654f015e694cb93d3317d2b106f39d52ff

    SHA256

    6eb77097b3bd268b08c3c89ac37d8c302ecea971ed2e78741eafa234bd32e0b8

    SHA512

    02a7602416ed08d5d89d17aaa02e8d4d644b5aa45be7289091832c25def70a593308da77c404080208e3d58e069e6d8d5b80aff46530f2379babc431a3c42163

    Download Submit

  • /data/data/com.frown.trend/app_DynamicOptDex/hgsdi.json
    Filesize

    238KB

    MD5

    88fe94ed3afbe6d864a4f3fe7bfb8239

    SHA1

    1fef6da5e92a7258ab4fb1f7a5e75be5b6536aa1

    SHA256

    d33dfcab2f87d37fdcbe390cb25931d4a3b0bd6daab93d2bf57390bf1fd6212d

    SHA512

    2e767cada03252e9d3a00c9e767ce40c6c769d98db68211fc5f0a302be7d1d22f529780cb336b2d3cfed257a3a1d7c7736bd310e465d221a336efaaf8458dc03

    Download Submit

  • /data/data/com.frown.trend/app_DynamicOptDex/oat/hgsdi.json.cur.prof
    Filesize

    476B

    MD5

    3ad1c03d79be7484e5f90ec00c790de6

    SHA1

    f70720c5fa9590a029587df5892bab1be69d3d83

    SHA256

    249664381f70c65ccf1a58727cc8a469643dbb30fc240d1158edc8afba72ebdc

    SHA512

    01ea02c5c27b23b8d52a4bc8a6a1d0bfb5c1bbe9c5cc842930bb0c3b5c520ec3ea7b096d692ba1626b559eb909ae7bf3759581bcfd3ac0caed07e82872edbf3c

    Download Submit

  • /data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json
    Filesize

    483KB

    MD5

    84ccffe496a4b2df7424fcdd4637767e

    SHA1

    3fdb55b0fb9d0c3a3caf3ffb1e494a99576be324

    SHA256

    2759005fde3a8b9d1839b4916020f4cc4832d88f356f5380fd1ff01b3b976f67

    SHA512

    8f37886cdc80cc70dc5c7bc9e99b820e281c38d8c87a52006359d7c32a595949630e3aab0a0c0afb3b85131075f4b8fc019071ed7141f65e691e4712fd308870

    Download Submit

  • /data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json
    Filesize

    483KB

    MD5

    5d39df45d9b98df1833630d1085c087e

    SHA1

    36a9ae12a4aa58e79ef4af7cde911598a3c000e8

    SHA256

    5d4697010ed89fd9e3ff8194b8053929f1964292fc6be105d868c5e0f088c6c0

    SHA512

    7b74837a5e7fbd8c3513884aad2e9d70b27264a2caa82dbb16c9fb4763a160a7aec1d2778338ccc78af787f39ba9f20dee6ae4a64204911a37fc3a98de7d59e8

    Download Submit