alienbot | 5749211e8e6f11210b0d09dfdcc3f515ed591f222f2ee69c1e1eaed2ad304474

Analysis

max time kernel
3635587s
max time network
136s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
27-09-2023 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5749211e8e6f11210b0d09dfdcc3f515ed591f222f2ee69c1e1eaed2ad304474.apk
Size

2.1MB
MD5

452ac293c79df1615440b0bc35118a29
SHA1

e587c096d2da807c24552db937f7982e5ce54234
SHA256

5749211e8e6f11210b0d09dfdcc3f515ed591f222f2ee69c1e1eaed2ad304474
SHA512

96879a065cd8d0744c98fa87500eecc11eb9c4eaa7a4c4993790cb7a598af7f646784006edb3b8ea30b4fb09618e5d5c84271de9cf3d61207be3b208f29e2f2f
SSDEEP

49152:yZp061pD55yo+TkJKxG0J0801af53v2s85cl1dIpkJRRb5xo:yZp5DZk152suMJxo

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://0d24c9424c2347f9b.pw

rc4.plain

Extracted

Family

alienbot

http://0d24c9424c2347f9b.pw

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/memory/4972-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.slush.very
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.slush.very

Removes its main activity from the application launcher 8 IoCs

stealth trojan

pid	Process
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very
4972	com.slush.very

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.slush.very

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.slush.very/app_DynamicOptDex/JkoeHT.json	4972	com.slush.very

com.slush.very
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:4972
- getprop ro.miui.ui.version.name
  2⤵
  PID:5183
- getprop ro.miui.ui.version.name
  2⤵
  PID:5253
- getprop ro.miui.ui.version.name
  2⤵
  PID:5375
- getprop ro.miui.ui.version.name
  2⤵
  PID:5404
- getprop ro.miui.ui.version.name
  2⤵
  PID:5440
- getprop ro.miui.ui.version.name
  2⤵
  PID:5469
- getprop ro.miui.ui.version.name
  2⤵
  PID:5502

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.slush.very/app_DynamicOptDex/JkoeHT.json

Filesize
238KB

MD5
73d4f1af21998352c6fc24f072ceb597

SHA1
2d98935662d4ae2e19cab9967db43ee6a7ad2015

SHA256
48da8bd42239bbd9cc9d55f51c6929c88cd40077f3642995a3af8117162061e6

SHA512
2ef4b3ab7b4bd773f67f8c439c91a23d4094e6337bc6acf03c69d1ccc680c425bdeac52050775b19927be7013e930d2b86fb68780bdc7a85fb379fa25e2079f8

Download Submit
/data/data/com.slush.very/app_DynamicOptDex/JkoeHT.json

Filesize
238KB

MD5
d4bd8907fda9d4d4c7775eb44a701ab2

SHA1
6146eaedb8c21def25045505b67e7fa0301c3b2d

SHA256
d325106e4ddefe331f8ea6ba81437633d64e0ef2b18ca0155e91bfcfc0762904

SHA512
ad16694033b0bd6cc9f7b5674918e84fbc928da2a36b61e740df51bd1d1b4356038c4328e19566238f6f4beeb95857c6a5c3aa137ad7c144a187c87219ae9944

Download Submit
/data/data/com.slush.very/app_DynamicOptDex/oat/JkoeHT.json.cur.prof

Filesize
389B

MD5
074be0b78d28a8fd56272daeba16aa1d

SHA1
4963f0b3204f55b7cfb8b8a3688f3b653522bd94

SHA256
ce6e0a487199bec4ed4eca9a430c0cd599ba02b8e472ed3a5d896baee8748f9b

SHA512
ed97cb6d58916be5d29c9dc22cc448c0bdf0734593cc5c44a14e345c2eb928f73e6473fa90901b731ec2ebd745540e4389a31093a97a34963089d6d666e47c15

Download Submit
/data/user/0/com.slush.very/app_DynamicOptDex/JkoeHT.json

Filesize
483KB

MD5
dc859becbc717473e717613c86fb0bbb

SHA1
e547efa49d03e0195b26cb23d322a4dcb4578cb1

SHA256
5c7e44e300c8beab02d5100e181aa7f807c4e1f8698c02d07a1539db279b9288

SHA512
1cb1bc06c4f776cd51a58fe8587c79d948e7fb4d324256eebc5158fc4a573030e85f17a63cbfd5e6078444ac7559b554751dc8c2c542b5f58a0feb58ab02bdb5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads