alienbot | e7aaa8fc7985a2229f5af5b2fb8d460e9fe4e8fc6c3d2a83134d56756bdcd344

Analysis

max time kernel
2252909s
max time network
162s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
11-09-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7aaa8fc7985a2229f5af5b2fb8d460e9fe4e8fc6c3d2a83134d56756bdcd344.apk
Size

2.1MB
MD5

cf2d7238e9d7a1a384b431c7660c5a7a
SHA1

a5da57e5eb9db610bcf2096cf0539421b4cc28e3
SHA256

e7aaa8fc7985a2229f5af5b2fb8d460e9fe4e8fc6c3d2a83134d56756bdcd344
SHA512

51c4bbaec9bc6dcf70dbec907cfad3dde437358cb55bf2317992aa59f0ad5fd18f15cac9a65914530ee5867dc8c5bc390ccfabe317a0d4d9ab5f954eb400c888
SSDEEP

49152:4aJDuO8N6JkJeDHFddqUF+klkmWn0J0801XJ+HgY/scl1dIpkJeRZ5KGejMT:lJDuO8g1leUFFljgYqM4KGeYT

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://limit-tanimlama.net

rc4.plain

Extracted

Family

alienbot

http://limit-tanimlama.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/5046-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.heart.mobile
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.heart.mobile

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.heart.mobile

Removes its main activity from the application launcher 3 IoCs

stealth trojan

pid	Process
5046	com.heart.mobile
5046	com.heart.mobile
5046	com.heart.mobile

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.heart.mobile

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.heart.mobile/app_DynamicOptDex/dtglRi.json	5046	com.heart.mobile

Reads information about phone network operator.

com.heart.mobile
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5046
- getprop ro.miui.ui.version.name
  2⤵
  PID:5144
- getprop ro.miui.ui.version.name
  2⤵
  PID:5251

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.heart.mobile/app_DynamicOptDex/dtglRi.json

Filesize
238KB

MD5
4d518cf5d168bc80bb0c10c97023954d

SHA1
b54f945e8e9fc508876a86536441a6ea1b6fdedb

SHA256
af9a6a46aab804f893ad55f9540602652dee0c410e67256470dd5208e0359232

SHA512
6c33c35504fb5afdad825e02d386677d5e3ab37532b6444d151f676c83f04ecf9582e81dd1cf61752e8972a42d489dfe8b90a00f8c77473e1ae5adf0b400b198

Download Submit
/data/data/com.heart.mobile/app_DynamicOptDex/dtglRi.json

Filesize
238KB

MD5
8ee181ea913de41c5deb0cff95b45f3a

SHA1
83625b213f91a310e91b1f2cc95fbfc33349ef24

SHA256
3540984fa2bd9c09ba20c19c937a8d2687636cf0355bc991579c8fd02e3db1f7

SHA512
60f39b3f73f10e0499addb88aecc80c5293eb267294b85d5afb7b51c361d0e481b03f1aec3ebdce9e557c1014c29327eae35c91b98fe619e0ceb77f6274036c9

Download Submit
/data/data/com.heart.mobile/app_DynamicOptDex/oat/dtglRi.json.cur.prof

Filesize
510B

MD5
3da5409835d98f480f2122a5c5aa0875

SHA1
102aa22b0d27011301c34f9eff323f89d429f1cb

SHA256
4a31107bd4b86be6abb2291f5f13030ca57ed15bb52b3158f7e3943b6cad86eb

SHA512
68d7cc6b8efd2a0bee8f2e14c746c841a82f26f311ec912c3411e2d6dfbf803ffd7d701225d8dc7fd69b096c7e20683821c978823629c14bb84810eb2d367ee0

Download Submit
/data/data/com.heart.mobile/app_apk/ring0.apk

Filesize
946KB

MD5
a73f108dc1b655252c7e45e5df04d4f6

SHA1
8459f380f7ef684e393c4408f7f4ee58c99147c4

SHA256
c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62

SHA512
8f84e47b367fb35a073a31cf41422edccbde99ee126cb37d2df0bddae5e8ca0f5df4d6221930548bfd216f583b2885485d764fd58f73d6a14b9a697b66c58dc4

Download Submit
/data/user/0/com.heart.mobile/app_DynamicOptDex/dtglRi.json

Filesize
483KB

MD5
9dca3d8a4cc8e59d161066b70357256a

SHA1
68425b4de32dd62dffb734d85021fd49d2fa01be

SHA256
196885cbb4288493ed09557ab1e6c93c6ab0cffa0c384265fe0fa7bfe9e70a45

SHA512
2deedb739bb888671ff9ab06735174f5fbec882e46f9bd62067208ebbcec787f86c69b7493c6a26141568b616be112d7d1ec9910ab33ef16131fc68d014f64dc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads