alienbot | b93caedc9c88a4b350e4a4dc2d6217c535a951360b3d03a8390fe2bb75f11097

General

Target

b93caedc9c88a4b350e4a4dc2d6217c535a951360b3d03a8390fe2bb75f11097.apk
Size

2.1MB
MD5

81713d7dbd949c997dee822ecb162f92
SHA1

64a6becb5ae5e1ca8e11a1c3ec42d7788032b896
SHA256

b93caedc9c88a4b350e4a4dc2d6217c535a951360b3d03a8390fe2bb75f11097
SHA512

d085a7e01614416cee234bdde6b95aa75690320d23e381e90152ec8a30d2dfffb4c7aabe4ad648281cfa7843ddaf295ffbc3b689b51bcd03d9c874b9f4617d9e
SSDEEP

49152:GhSLR2JcrJDKcYHCHcsEETSm8t30J0801BpYXCkkaiYu2mcl1dIpkJwRJ5XH:oSlPrJDKcYCcs/TdCkkaqMmXH

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://limit-tanimlama.net

rc4.plain

Extracted

Family

alienbot

C2

http://limit-tanimlama.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

resource	yara_rule
behavioral1/memory/4171-0.dex	family_cerberus
behavioral1/memory/4147-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.shrimp.plate
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.shrimp.plate

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.shrimp.plate

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4147	com.shrimp.plate

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.shrimp.plate

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json	4171	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.shrimp.plate/app_DynamicOptDex/oat/x86/PWp.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json	4147	com.shrimp.plate

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.shrimp.plate

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.shrimp.plate

com.shrimp.plate
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4147
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.shrimp.plate/app_DynamicOptDex/oat/x86/PWp.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4171

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.shrimp.plate/app_DynamicOptDex/PWp.json

Filesize
238KB

MD5
aa284953a78db438b81418df5701554f

SHA1
db5a9469ac112a43366f2b5664cb8b2831f2377e

SHA256
d5687693b70d0ac09ef92c3c936518bdc9d134ebcf4fd9d15a65d3750df6079e

SHA512
51674731679db84ecdb0b86416e4a98e517bc890838976dbb034b6e7266336429b7d326a4f53e4a49b46bd9b3e647bc47cd7a97264c47038ed09961ad08e17bb

Download Submit
/data/data/com.shrimp.plate/app_DynamicOptDex/PWp.json

Filesize
238KB

MD5
48f82a2b8ab94a24e5c8dc36bb0265c7

SHA1
6486d693ec759c07631b414be4c62e2caa5e9e92

SHA256
d6adeedd0bba6f02d979469d88f457e672b28ab6ea91bac1195a046e5999a4bf

SHA512
165fc1f815ff603f115123332b3a210627a986e24a99f94523b85ac6bf995287739cff9c7f00987d9b955bd1665656e25834ee7823ae4ba589fecee787687a31

Download Submit
/data/data/com.shrimp.plate/app_DynamicOptDex/oat/PWp.json.cur.prof

Filesize
489B

MD5
12eee63640646bf4031b13e6a6168069

SHA1
88877b614a26318ea5f158834fef924e870617bd

SHA256
f0bc6960de209416e6ff9675a9a7357a3fec7ae83dadd2bb1864affdeb8d71a7

SHA512
f849cd4be4ad1e90c14422cce15b69d6c49a8c9b6939f13749a8c7e30637fdffddf4c1752ea5acd4d4b0652da9dd77c4e4c00f9c6e99a629c3336be7bd1b24d4

Download Submit
/data/data/com.shrimp.plate/app_DynamicOptDex/oat/PWp.json.cur.prof

Filesize
567B

MD5
dc742afd5ae87d333e1f85d2979a2573

SHA1
ad106ef1a4cb174e76e62c228b2038348b2cfe84

SHA256
d6b705df6984f24f145bc56e7122ca17b5b97e70298ddbc82ea14838dd703ebb

SHA512
fc64201890b7386f65c5b5e35da56517120b3bbf8568f3ed737d9ea3ed1d89ee825fb2eba199056449629f865ee12fa3a691636cb4f94747f0674c01754dedaf

Download Submit
/data/data/com.shrimp.plate/app_apk/ring0.apk

Filesize
946KB

MD5
a73f108dc1b655252c7e45e5df04d4f6

SHA1
8459f380f7ef684e393c4408f7f4ee58c99147c4

SHA256
c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62

SHA512
8f84e47b367fb35a073a31cf41422edccbde99ee126cb37d2df0bddae5e8ca0f5df4d6221930548bfd216f583b2885485d764fd58f73d6a14b9a697b66c58dc4

Download Submit
/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json

Filesize
483KB

MD5
05bc4c5935fe474a7ef2df5c11c4d5fb

SHA1
6594db018fb78cd6e58e869cf79ddc356a290738

SHA256
6d29b8802e3a0a002a4204d0c19506e9ba8212d36305844e6a02c4404511924f

SHA512
c3742908ba13ec14567ed16f7a863a7576efeca8b5e24917d95730dd64d0b2624f44a662446ba43c329e0f07463b7b3a9a9ece3bb470f16fc1830645e29e02cb

Download Submit
/data/user/0/com.shrimp.plate/app_DynamicOptDex/PWp.json

Filesize
483KB

MD5
5d1270ce04e50f766ffec46f60f7db9b

SHA1
b00a717497db20d791d954de2e49cc883afbd3fb

SHA256
7dd5ca5efcccb89e7fc6507d82bef770378f3b013a4897fdcb6b64688572a6d2

SHA512
acc2ae388765bfb72fff09ba28a9d12107512b2d04ad5df8472a23658252c08ba1a4b409018b4dd8b373360cfcc92b18f393c844e19b70b571d64b26f533c3cf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads