alienbot | e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566

Analysis

max time kernel
4239862s
max time network
159s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
04-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566.apk
Size

2.3MB
MD5

790a877839ad17d80d1f94fcfe2dd120
SHA1

b226c72c841fa8bafb04b2911bdd68df1e2bf679
SHA256

e25de236ced06f9dd1e0570a0b49beded9fa51965d1ed2d7c544b84b25a7c566
SHA512

8b1fee85e6e00edecd157b3ff4716b1bd91c8d45bc844512a4028915fbeefc8d4fbc1937876436d042e862bc1a1b89c45ab4c3f5c2ecc723f6169f231446a082
SSDEEP

49152:rT6x9SnCg1KA9brb9LsEv8o8qh2U2T0J0801APuw/XbJEqXcl1dIpkJXRn5ZI:rTlC0Kmbrb9cEEPwjJEmMTZI

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://eklimitonay.online

rc4.plain

Extracted

Family

alienbot

http://eklimitonay.online

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral3/memory/4659-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.swift.wrap
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.swift.wrap

Removes its main activity from the application launcher 8 IoCs

stealth trojan

pid	Process
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap
4659	com.swift.wrap

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.swift.wrap

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json	4659	com.swift.wrap

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.swift.wrap

com.swift.wrap
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4659
- getprop ro.miui.ui.version.name
  2⤵
  PID:4792
- getprop ro.miui.ui.version.name
  2⤵
  PID:4905
- getprop ro.miui.ui.version.name
  2⤵
  PID:5021
- getprop ro.miui.ui.version.name
  2⤵
  PID:5058
- getprop ro.miui.ui.version.name
  2⤵
  PID:5089
- getprop ro.miui.ui.version.name
  2⤵
  PID:5124
- getprop ro.miui.ui.version.name
  2⤵
  PID:5148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.swift.wrap/app_DynamicOptDex/oat/pFFJk.json.cur.prof

Filesize
319B

MD5
c67c80ebf9e52f29ca0fa1f2bfc43335

SHA1
67e214f0393eb6481a4a53866c485ad67c6a3a2b

SHA256
e9f317073732d5dc4c0408e1d1a83af57f83bfcefc4df550704abee2cec4aa10

SHA512
51ee6d2cccf129ddd60b578ff7b02a1d15d527101dae11017f6fa031a3fba4934a1121672ab75a9cacf9a79b961dce1af81dc9fa354c688f4248bb8514c360a4

Download Submit
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

Filesize
238KB

MD5
0219b6d26de9a569780bfc32d089ad79

SHA1
9fceddb0f5081cc5766c9d45960d7a1a15ff68fe

SHA256
61c3c9363d3b4cdd47db00e573a363f272c376aa850b61ca4ac6a31a3d293bc9

SHA512
a38e4b67fd045637363f968433850adcb5d1924a354b0afd364f2c7c25b0258dfc5554c79c4c40d6642d407d4c69751a8dbb476a1fec79133c85d668b327f12e

Download Submit
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

Filesize
238KB

MD5
3f3a4f6cd15e01e61d5661f8331c0a34

SHA1
51c652dac5a7e722e80abff83ee2be3f964d789d

SHA256
f2d5451b9e9d63bdbf6b90e680af654d84be3ecc74d1e4ef603aacce23fa9275

SHA512
f905b417fac1b04773239b174d04047e1ce6e7306818c883975adc2cc20c3eab6d536e164cec7d6ff048dcc251f3b8ce842d1fc0ea028121612f3d8202fb63c8

Download Submit
/data/user/0/com.swift.wrap/app_DynamicOptDex/pFFJk.json

Filesize
483KB

MD5
3eb1657245e2ca6c42bbeafacf31f02a

SHA1
b6b5ab7a1d86a3aca95133cda391d8e7cae42fae

SHA256
2a5102bb793252bcaa0bd5c08aba8410b48bca16a383975130bc5dd3f8a64af2

SHA512
316106d36bb571b8ecb4666c460e38645c273d2ef33643544c3b800610443ab4a256474486711a0f1285d28ec78ca448d7302adb8ee32d8923ebeec038a67767

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads