alienbot | 2d369c8fd70cb536d9a80714cd1b89e28a811dc07da92694b41de4643f3e1cea

Analysis

max time kernel
3980695s
max time network
132s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
01-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d369c8fd70cb536d9a80714cd1b89e28a811dc07da92694b41de4643f3e1cea.apk
Size

1.8MB
MD5

e342007c492cef71303b65ce9d75914b
SHA1

f7a4862e859503facae246d22a67dea54f060d7a
SHA256

2d369c8fd70cb536d9a80714cd1b89e28a811dc07da92694b41de4643f3e1cea
SHA512

b30e7422b05b97170f7e4c5a413c5490ecbf17a567ad0b5533c3155f568f55ea5d73830c77b4c953a6da98a60b293eec76a7836f7d172928cf25bc02fd71f3c5
SSDEEP

49152:2bPD/YplMZKRYEPN3n0+gzjj3PgS+BbbWc/eg44E8:2bPD2lMZeYEPlYPj6Wc/eg5

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://nabsaktalazimolmasada.shop

rc4.plain

Extracted

Family

alienbot

http://nabsaktalazimolmasada.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral1/memory/4129-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.moon.true
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.moon.true

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4129	com.moon.true

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.moon.true

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.moon.true/app_DynamicOptDex/rQ.json	4129	com.moon.true

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.moon.true

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.moon.true

com.moon.true
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
PID:4129

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.moon.true/app_DynamicOptDex/oat/rQ.json.cur.prof

Filesize
393B

MD5
513678b99c0badd470bec895b78587ca

SHA1
550cdedf7cafe25f9f09c18f3cc42661b3d1ee28

SHA256
dbc5cf8ec5e03f125be7156e20b134128fa5ff2649473ce22beae3f4eecb01ed

SHA512
57899adf48fc366b404dea59f15d1769d0847fd36c044d27c9d8b7fd2c2b1edb3ea3cdbd27a5ee0a7d00dfc3c2540dabe1c6d2ee15f032c936cd93efc24ccd9e

Download Submit
/data/data/com.moon.true/app_DynamicOptDex/rQ.json

Filesize
238KB

MD5
6fb8ba66cf8aeacee671ae474865a51e

SHA1
de6fa27c36ecad735736b747ee8a035d1b031f32

SHA256
e60b1de379d80488bf619958b462733f9b22ec5926a8d31034694b5122a198ab

SHA512
c3faa7b0ba3a8a9539248c291f8e5cbe04d863ddb992bbf97ef17a82045245f549e29c6e0f09cec32e7e9ba227b6a79510a0cd1c61ba2dd0cd290ebace62cbed

Download Submit
/data/data/com.moon.true/app_DynamicOptDex/rQ.json

Filesize
238KB

MD5
2c5a378441355d9173d817dca49a84bb

SHA1
eadf5be3fa7f4da858c46640c221cad9dc008b4c

SHA256
9f15710a1c9ebc5c8cb05cc14252a091d2afdf76fbce521e381b8c5a0711e140

SHA512
bf2b794b3d679031bc827813842c9000b5df02935eb43b3995a83dfcc4d8ea3eeafcc56d5f8cb987adbfc1d1b7a2e5a339f9dc4ddcc7c7b748fc3bfc04d6801d

Download Submit
/data/user/0/com.moon.true/app_DynamicOptDex/rQ.json

Filesize
482KB

MD5
f877f9d2fd8133ce4707187dee4a3c80

SHA1
d26c958380eee1cd87deb505bb680fd2112263ab

SHA256
07acc87fd76a418b59c0528a197bfea276be078b3276366a647adaa4b633ac4b

SHA512
56af9a4f7c865874abd7e8f7e85a22e135463c99578d534f7a63f2f91a39db8e00c0ca62644bf46de612513e7bb74f90e083b6d2a87b3342665f301c077f7589

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads