Overview

overview

10

Static

static

7

d5a786ea0f...5f.apk

android-9-x86

10

d5a786ea0f...5f.apk

android-10-x64

10

d5a786ea0f...5f.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

consentform.html

windows7-x64

1

consentform.html

windows10-2004-x64

1

Analysis

  • max time kernel
    1902230s
  • max time network
    142s
  • platform
    android_x64
  • resource
    android-x64-arm64-20230831-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
  • submitted
    07-09-2023 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5a786ea0f6499d9bb654c37a20dda6ff7d0644084762697ae181d4d19de4b5f.apk

  • Size

    2.1MB

  • MD5

    bf7c010798cd3b0afd41791d46686ba0

  • SHA1

    d59032cd5e341206b0527b85f5aedc75ba4faba3

  • SHA256

    d5a786ea0f6499d9bb654c37a20dda6ff7d0644084762697ae181d4d19de4b5f

  • SHA512

    b41cae02d199d8a6ea5bfdde446fc59000c504b8f000d8279aa7aa659e6fdfaf9186957582d54ee734db671329ac062acea84e37ddba03ccfefec62a3b1db0b6

  • SSDEEP

    49152:aL2g3N12jPKHQMcuijDri0J0801nFC/kEjQcl1dIpkJWRd5rQ0sojhCJf:21iiwMcuwkESM0rDsIhi

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://bigionlinegiris.net

rc4.plain

Extracted

Family

alienbot

C2

http://bigionlinegiris.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 5 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • com.frown.trend
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4440
    • getprop ro.miui.ui.version.name
      2⤵
        PID:4609
      • getprop ro.miui.ui.version.name
        2⤵
          PID:4720
        • getprop ro.miui.ui.version.name
          2⤵
            PID:4846
          • getprop ro.miui.ui.version.name
            2⤵
              PID:4885

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json
            Filesize

            238KB

            MD5

            f8869e5e222ce32aef02ba043018beaf

            SHA1

            014458654f015e694cb93d3317d2b106f39d52ff

            SHA256

            6eb77097b3bd268b08c3c89ac37d8c302ecea971ed2e78741eafa234bd32e0b8

            SHA512

            02a7602416ed08d5d89d17aaa02e8d4d644b5aa45be7289091832c25def70a593308da77c404080208e3d58e069e6d8d5b80aff46530f2379babc431a3c42163

            Download Submit

          • /data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json
            Filesize

            238KB

            MD5

            88fe94ed3afbe6d864a4f3fe7bfb8239

            SHA1

            1fef6da5e92a7258ab4fb1f7a5e75be5b6536aa1

            SHA256

            d33dfcab2f87d37fdcbe390cb25931d4a3b0bd6daab93d2bf57390bf1fd6212d

            SHA512

            2e767cada03252e9d3a00c9e767ce40c6c769d98db68211fc5f0a302be7d1d22f529780cb336b2d3cfed257a3a1d7c7736bd310e465d221a336efaaf8458dc03

            Download Submit

          • /data/user/0/com.frown.trend/app_DynamicOptDex/hgsdi.json
            Filesize

            483KB

            MD5

            5d39df45d9b98df1833630d1085c087e

            SHA1

            36a9ae12a4aa58e79ef4af7cde911598a3c000e8

            SHA256

            5d4697010ed89fd9e3ff8194b8053929f1964292fc6be105d868c5e0f088c6c0

            SHA512

            7b74837a5e7fbd8c3513884aad2e9d70b27264a2caa82dbb16c9fb4763a160a7aec1d2778338ccc78af787f39ba9f20dee6ae4a64204911a37fc3a98de7d59e8

            Download Submit

          • /data/user/0/com.frown.trend/app_DynamicOptDex/oat/hgsdi.json.cur.prof
            Filesize

            324B

            MD5

            4783f4471037401de86d42a182819379

            SHA1

            ca437166f852079f6e0a2d97a54697aee600be8e

            SHA256

            dc0fe1f2092076099d2a076c6d076463299f03351d45e7927c839eb3bfe49629

            SHA512

            d2c754468239479b6ab74f499bbb63c4aecd7536af27f589b44bde5faf2cbc725f24465dd7feaacdecf6bcbcab1ef14164a92bccfae76f48f46cd499fe80fed6

            Download Submit