alienbot | 0422433a6cea4da9fa32db2410144f406f01eec5ff5915b2b8c192ec3639b363

Analysis

max time kernel
2252874s
max time network
159s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
11-09-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0422433a6cea4da9fa32db2410144f406f01eec5ff5915b2b8c192ec3639b363.apk
Size

2.1MB
MD5

e40024f930c3f19b89b0f0639e3e048c
SHA1

44255903ab77c97c9de06e7a52921593cdb89483
SHA256

0422433a6cea4da9fa32db2410144f406f01eec5ff5915b2b8c192ec3639b363
SHA512

326d8facbbd82b6eeac70a04ab5cbc3426a5e5242d4edf3dd49109e75742838cd0edb7e4018ca82321cc72f086fcff33d106805628d5f370df97fea5b70b0fcc
SSDEEP

49152:L6pmUQoDTrOiCFPA2gL0J0801VBUf2cRqcl1dIpkJ8Rp5/0xNew:1ULrOiCFAM2cyMy/0PR

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://limit-tanimlama.net

rc4.plain

Extracted

Family

alienbot

http://limit-tanimlama.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.supply.oil

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.supply.oil
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.supply.oil

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.supply.oil

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.supply.oil
Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

com.supply.oil

pid process

4974 com.supply.oil
4974 com.supply.oil
4974 com.supply.oil
Acquires the wake lock. 1 IoCs

Processes:

com.supply.oil

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.supply.oil
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.supply.oil

ioc pid process

/data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json 4974 com.supply.oil
Reads information about phone network operator.

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.supply.oil

pid	process
4974	com.supply.oil
4974	com.supply.oil
4974	com.supply.oil

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.supply.oil

ioc	pid	process
/data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json	4974	com.supply.oil

com.supply.oil
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4974
- getprop ro.miui.ui.version.name
  2⤵
  PID:5087
- getprop ro.miui.ui.version.name
  2⤵
  PID:5189

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.supply.oil/app_DynamicOptDex/GybLWWK.json

Filesize
238KB

MD5
10a6e436b0bee31a9f2ed74b4d6a50b7

SHA1
0360f72ad2b82c42da703114162d8b4566613481

SHA256
087fd075a58880efd16d03724740416bf331634a3bffce2af075172f709837fe

SHA512
6b62579a92291baf3844eb4747eb2a05024f4283bb35906aa415b265b3f008a87a159c89890b1f7ba4789d87125c1e92c6fde75408209a3d1872f9b1b8c014e5

Download Submit
/data/data/com.supply.oil/app_DynamicOptDex/GybLWWK.json

Filesize
238KB

MD5
784200c45e8d5ec0e504d4e09cb8fc87

SHA1
d4c2d36a6e328a28108cf4cdd3bae967f65369b3

SHA256
05514060c89e27fae692115142f190dc10e39060d21a0e9523da6cf684d5a84f

SHA512
476cbaa17406636f20cf23062c69902d57f0199a053e556cb15ad6f0c3b5722ab9b5ddf81b38b9cc2754c162b8050cd20a6250793af60507600c23dc35050a0c

Download Submit
/data/data/com.supply.oil/app_DynamicOptDex/oat/GybLWWK.json.cur.prof

Filesize
407B

MD5
6a0b6eb782a566cf3a5c37cd6b188b85

SHA1
8d959845bf9fc5b4b3208f53101d3cc3bd7166fe

SHA256
9241ddf609de5a88e9517c29cd320486850de5d81912284fc570522b1287462e

SHA512
b5e62191aa57e5e049e32e926ea82f29ab98832cff1069d13183d63188c9574f22fa0aa0bf5e66a99b9243ee028e8438fa18184c8991d08b69023a3105f57a2c

Download Submit
/data/data/com.supply.oil/app_DynamicOptDex/oat/GybLWWK.json.cur.prof

Filesize
526B

MD5
97cdf825c2a6bea3fa36d80aa2290334

SHA1
60bead1a0820dc6e1b93e7598064163bba996b4f

SHA256
d5383f5550a1cbe6514f7b80dfe69348de56215c8b8e1e4dfe03f6939cb7b07f

SHA512
c727e0f91f182e5f75ece3e2ae465d685220aa4343611fff608942a77df85971330283f26aa4f2a9b33a80614521a428c0402e2a8d9432047641075f291ab69a

Download Submit
/data/data/com.supply.oil/app_apk/ring0.apk

Filesize
946KB

MD5
a73f108dc1b655252c7e45e5df04d4f6

SHA1
8459f380f7ef684e393c4408f7f4ee58c99147c4

SHA256
c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62

SHA512
8f84e47b367fb35a073a31cf41422edccbde99ee126cb37d2df0bddae5e8ca0f5df4d6221930548bfd216f583b2885485d764fd58f73d6a14b9a697b66c58dc4

Download Submit
/data/user/0/com.supply.oil/app_DynamicOptDex/GybLWWK.json

Filesize
483KB

MD5
013a804a457ce0c5e63f4003bd15c301

SHA1
1dd06b6d8465833e012c9cc070d63844b176ef6a

SHA256
5ee7fd2974b8ba94491cd02575da34d60affe0228ae5a30ad478d820e0226663

SHA512
a121e0a32bf0eebf9239b8e52d6efb1df4655c0c11314bf08620897431c1d297019caf4122acb73ced329552460770afcc4464d13199b928290b6180a3963fcb

Download Submit