alienbot | 43f7de64b8026fa16a4e0b74a9a3d1c879db3098c9780ac202fc2113a5577c48

Resubmissions

09-10-2023 22:34

231009-2hkvjaah72 10

09-10-2023 22:08

231009-12p3xsag76 10

Analysis

max time kernel
377779s
max time network
165s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
09-10-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43f7de64b8026fa16a4e0b74a9a3d1c879db3098c9780ac202fc2113a5577c48.apk
Size

4.3MB
MD5

5821d41b75a741cbf411f02eba9e85df
SHA1

6cfc9e0fe629d884e23a40247dfd040f47c511eb
SHA256

43f7de64b8026fa16a4e0b74a9a3d1c879db3098c9780ac202fc2113a5577c48
SHA512

ba1edb32d7d65bf6ddb7b6da2553e5898167c5bd4671c1e5da0eab7cdf873a1e018450a4a62a3dbc35aa70e9236c63a36b6b8b103474552b89ff726355acfe4f
SSDEEP

98304:P2HJ6clSJ5WC2SX/Kpym5SBzvq/h/P9/GKJRyHjVmMkfbh1mMXyZYv+Afez8E:+pFZ1cm5SuTexZk91DgYWp

Score

10^/10

alienbot banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

alienbot

http://wf4sctx9cksg94528o7o.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

fr.associated.string

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	fr.associated.string
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	fr.associated.string
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	fr.associated.string

Removes its main activity from the application launcher 7 IoCs

stealth trojan

Processes:

fr.associated.string

pid	process
5008	fr.associated.string
5008	fr.associated.string
5008	fr.associated.string
5008	fr.associated.string
5008	fr.associated.string
5008	fr.associated.string
5008	fr.associated.string

Acquires the wake lock. 1 IoCs

Processes:

fr.associated.string

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock fr.associated.string
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

fr.associated.string

ioc pid process

/data/user/0/fr.associated.string/app_DynamicOptDex/aZiccBex.json 5008 fr.associated.string
Removes a system notification. 1 IoCs
evasion

Processes:

fr.associated.string

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag fr.associated.string

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	fr.associated.string

ioc	pid	process
/data/user/0/fr.associated.string/app_DynamicOptDex/aZiccBex.json	5008	fr.associated.string

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	fr.associated.string

fr.associated.string
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
PID:5008
- getprop ro.miui.ui.version.name
  2⤵
  PID:5290
- getprop ro.miui.ui.version.name
  2⤵
  PID:5383
- getprop ro.miui.ui.version.name
  2⤵
  PID:5516
- getprop ro.miui.ui.version.name
  2⤵
  PID:5545
- getprop ro.miui.ui.version.name
  2⤵
  PID:5576
- getprop ro.miui.ui.version.name
  2⤵
  PID:5605
- getprop ro.miui.ui.version.name
  2⤵
  PID:5632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/fr.associated.string/app_DynamicOptDex/aZiccBex.json

Filesize
704KB

MD5
71ddacd8a2cb40df18134c90a1bb4be2

SHA1
293b301ee8eb182182214f1a23c9d50c9dcec727

SHA256
7b9a551a5ed085cd9c0d9423e763ff7a51d01fee25b078be7c6e85aefd6c6836

SHA512
f12ea753b2066e1d195969efb56cb226476ce7d86d28cf452ec6b087fc6f1786fff4c20282c1a242063dbf7bb52de74d60cafa8d6f9edccfe89d6bb623492aaf

Download Submit
/data/data/fr.associated.string/app_DynamicOptDex/aZiccBex.json

Filesize
704KB

MD5
c79398dd96dad9fa31b8da95334ef0b9

SHA1
98b969ccd2423bd76402fc96baf24704a8a35406

SHA256
83c8b8636a889d87c90671c1172dbdef67030bdbd62829a8db1c6372001e72b3

SHA512
fe628d0079582bc7ae6f536af76da3d1038fdd715a62a58e254e801b91f7928135b14701bb5960bfe582ea7e88a7f1ec77319f55ed46c0bbc4f2936eaa91d574

Download Submit
/data/data/fr.associated.string/app_DynamicOptDex/oat/aZiccBex.json.cur.prof

Filesize
479B

MD5
f0799fc9e43f8234bbe2f489b0c32562

SHA1
17501c4d5e6a742328331263e775ba7cb8141810

SHA256
8980db4e6045b2086156c0e153890734e2a686f22403b8608bdc11c75fd758e1

SHA512
2357867f163a5ca932c89c6fc62bba524648f7dfce774f1e7d032874da110c22fcd4e69cc195a6cbbc5dd0e4dd01415252339a5d43232a9bdaa359f57087da46

Download Submit
/data/user/0/fr.associated.string/app_DynamicOptDex/aZiccBex.json

Filesize
916KB

MD5
0930ec69d81f4b96649d36d7b6f24b90

SHA1
349be2cb09fd8974250fe3aa03b54a43ab1da09c

SHA256
5d30844dfc43fa7dba25603cde401697fd5c3f857e4f59fded3c41db719ad3de

SHA512
0771ec5c54d5c68be8301d5ddbb7ad5904e24f32fc8d1ce6a085410e9985a71653a0e69a3f892868369dbab3c85ebdd5345bb25244f29665f021551f694b3045

Download Submit