alienbot | 1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64

Analysis

max time kernel
2491363s
max time network
142s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
14-09-2023 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64.apk
Size

2.1MB
MD5

e66ac604e5898c0e639db52ca8258b17
SHA1

d03e3c798a5cc7b8f3f3b521dae119a932d4fb2e
SHA256

1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64
SHA512

18de30f7aec32792165b90cad8792ea2946e45616e889a507288a55f1a6dbd9c680a6ca3ef776158685f683f588f3dbd0382c7ab0a1193a502af42eee7bc9b96
SSDEEP

49152:DCU2f145StuFvk2bPEGX69oMfYi0Z0J0801gLzr1k6Dcl1dIpkJaavh/7c5L/Rng:af19EFswMGAff1kyM4Vlw

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://23.88.40.50

rc4.plain

Extracted

Family

alienbot

http://23.88.40.50

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/4854-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cattle.way
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cattle.way

Removes its main activity from the application launcher 5 IoCs

stealth trojan

pid	Process
4854	com.cattle.way
4854	com.cattle.way
4854	com.cattle.way
4854	com.cattle.way
4854	com.cattle.way

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cattle.way

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json	4854	com.cattle.way

com.cattle.way
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4854
- getprop ro.miui.ui.version.name
  2⤵
  PID:5102
- getprop ro.miui.ui.version.name
  2⤵
  PID:5170
- getprop ro.miui.ui.version.name
  2⤵
  PID:5297
- getprop ro.miui.ui.version.name
  2⤵
  PID:5328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

Filesize
238KB

MD5
f3985de7f85cf76cfa98e6c1e0477c61

SHA1
fed6b8d0fd062b72b031fcb2c65dd0eeda29326c

SHA256
77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87

SHA512
94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8

Download Submit
/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json

Filesize
238KB

MD5
b5c02c909a7078df281f55ca9e60af8a

SHA1
03068e95674919cdbc49a289b2b33b668dff6a40

SHA256
a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a

SHA512
a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9

Download Submit
/data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof

Filesize
385B

MD5
c022cf1c4fe4292c358c4809e1362531

SHA1
e6b4a558e5704acf7cb373a9a919473b8d037d6f

SHA256
0eada258eb8fa5bd75bdb686609093dd280848661b353414730a9adcf6fca7fa

SHA512
c4d811c3f5cf4939322743f686780218999c7aa4c3b83fa1b8bc692a4be04c020762db107de4428cc5a3f4b6fb9cedec905e9c4d5ea7aa3e675e22a8dead99f4

Download Submit
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json

Filesize
483KB

MD5
cd5443f4f22b8a71f1d6aa4c9dc7b95d

SHA1
9044803662bf5b81c8181ed5cd92ec45974875db

SHA256
5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f

SHA512
c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads