Overview

overview

10

Static

static

7

5749211e8e...74.apk

android-9-x86

10

5749211e8e...74.apk

android-10-x64

10

5749211e8e...74.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

consentform.html

windows7-x64

1

consentform.html

windows10-2004-x64

1

Analysis

  • max time kernel
    532214s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    11-10-2023 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5749211e8e6f11210b0d09dfdcc3f515ed591f222f2ee69c1e1eaed2ad304474.apk

  • Size

    2.1MB

  • MD5

    452ac293c79df1615440b0bc35118a29

  • SHA1

    e587c096d2da807c24552db937f7982e5ce54234

  • SHA256

    5749211e8e6f11210b0d09dfdcc3f515ed591f222f2ee69c1e1eaed2ad304474

  • SHA512

    96879a065cd8d0744c98fa87500eecc11eb9c4eaa7a4c4993790cb7a598af7f646784006edb3b8ea30b4fb09618e5d5c84271de9cf3d61207be3b208f29e2f2f

  • SSDEEP

    49152:yZp061pD55yo+TkJKxG0J0801af53v2s85cl1dIpkJRRb5xo:yZp5DZk152suMJxo

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://0d24c9424c2347f9b.pw

rc4.plain

Extracted

Family

alienbot

C2

http://0d24c9424c2347f9b.pw

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.slush.very
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4159
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.slush.very/app_DynamicOptDex/JkoeHT.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.slush.very/app_DynamicOptDex/oat/x86/JkoeHT.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4186

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.slush.very/app_DynamicOptDex/JkoeHT.json
    Filesize

    238KB

    MD5

    73d4f1af21998352c6fc24f072ceb597

    SHA1

    2d98935662d4ae2e19cab9967db43ee6a7ad2015

    SHA256

    48da8bd42239bbd9cc9d55f51c6929c88cd40077f3642995a3af8117162061e6

    SHA512

    2ef4b3ab7b4bd773f67f8c439c91a23d4094e6337bc6acf03c69d1ccc680c425bdeac52050775b19927be7013e930d2b86fb68780bdc7a85fb379fa25e2079f8

    Download Submit

  • /data/data/com.slush.very/app_DynamicOptDex/JkoeHT.json
    Filesize

    238KB

    MD5

    d4bd8907fda9d4d4c7775eb44a701ab2

    SHA1

    6146eaedb8c21def25045505b67e7fa0301c3b2d

    SHA256

    d325106e4ddefe331f8ea6ba81437633d64e0ef2b18ca0155e91bfcfc0762904

    SHA512

    ad16694033b0bd6cc9f7b5674918e84fbc928da2a36b61e740df51bd1d1b4356038c4328e19566238f6f4beeb95857c6a5c3aa137ad7c144a187c87219ae9944

    Download Submit

  • /data/data/com.slush.very/app_DynamicOptDex/oat/JkoeHT.json.cur.prof
    Filesize

    481B

    MD5

    9e181c7e027f6a3dd8f73bde641e078b

    SHA1

    49d23d1378fece5b01edd84d3dbe4d23dbb94c45

    SHA256

    737a6ca837177775d7709e9a68f21920655176aa2a544a3ae8e15f944814a40b

    SHA512

    38761e0dbc9462c8d8942a6dc2941644ae1d26b49a4fc555807a4c06fe0c43d6f4882b3054245168779ba38520f6eb44dbaed4688a9055778694816489c81f11

    Download Submit

  • /data/user/0/com.slush.very/app_DynamicOptDex/JkoeHT.json
    Filesize

    483KB

    MD5

    e0cca15e18bd33496c52f629c28afb48

    SHA1

    5433e66252ce11f5ed66240ac37480f022df0e99

    SHA256

    f71016eb2986bc78c6f4fb03593b2ad5cc6290208dba760d524b45d5520ec939

    SHA512

    2eb8ca4732051a4e0101c47c131ab622be713834cf45015cd6f3835d0e5d3818d1e6797e6efda63e9e7c7a7ec90f190bc66a2424cad10717d0562e13f9c1a896

    Download Submit

  • /data/user/0/com.slush.very/app_DynamicOptDex/JkoeHT.json
    Filesize

    483KB

    MD5

    dc859becbc717473e717613c86fb0bbb

    SHA1

    e547efa49d03e0195b26cb23d322a4dcb4578cb1

    SHA256

    5c7e44e300c8beab02d5100e181aa7f807c4e1f8698c02d07a1539db279b9288

    SHA512

    1cb1bc06c4f776cd51a58fe8587c79d948e7fb4d324256eebc5158fc4a573030e85f17a63cbfd5e6078444ac7559b554751dc8c2c542b5f58a0feb58ab02bdb5

    Download Submit