Overview

overview

10

Static

static

7

1c7d235a52...2c.apk

android-9-x86

10

1c7d235a52...2c.apk

android-10-x64

10

1c7d235a52...2c.apk

android-11-x64

10

chartjs-pl...min.js

windows7-x64

1

chartjs-pl...min.js

windows10-2004-x64

1

hammerjs.js

windows7-x64

1

hammerjs.js

windows10-2004-x64

1

jquery-3.4.1.min.js

windows7-x64

1

jquery-3.4.1.min.js

windows10-2004-x64

1

libalog.so

debian-9-armhf

1

libapminsighta.so

debian-9-armhf

1

libvcnverify.so

debian-9-armhf

1

libvcnverifylite.so

debian-9-armhf

1

libvctfo.so

debian-9-armhf

1

libvideodec.so

debian-9-armhf

1

libxz-main.so

debian-9-armhf

1

libzstd-jn...ess.so

debian-9-armhf

1

template.js

windows7-x64

1

template.js

windows10-2004-x64

1

Analysis

  • max time kernel
    1154539s
  • max time network
    132s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
  • submitted
    18-10-2023 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c.apk

  • Size

    2.7MB

  • MD5

    b1eff3478423519bde22fbe1cb2cbe25

  • SHA1

    0fc4e8eb2f7f53778175d9c2b3d98d212b65b06a

  • SHA256

    1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c

  • SHA512

    9d335b6bbe6902b6082c1f17cf5a0010ace25c6e1e2bc118661bb10ec99dabc45415e8baa9efa2f559c7d236483fd6d8335780a0cec58d059fd1993a21866581

  • SSDEEP

    49152:D9MRHe66OlvLxIQq8YBg9f4dtUgP+21JuFzEj3Lkbeh/I2zW3lgcobx3FWhLN:4e3OVLx3q9BsQDUgX3Kwj3LOexIYW3l9

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://1natetboxs.net

rc4.plain

Extracted

Family

alienbot

C2

http://1natetboxs.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 6 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.output.wire
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4201
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/XmDYKd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4230
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/jLt.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4255
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.wire/app_DynamicOptDex/ew.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.output.wire/app_DynamicOptDex/oat/x86/ew.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json
    Filesize

    529KB

    MD5

    6bf5caabcea2e2e99a6e5c21b571ee35

    SHA1

    77899e8ac21086e858a6f915df57c81bb656e0b2

    SHA256

    670914c371cf2e93beacfcb3ea916abcd9e77afad25b58688d5f900edd526ccf

    SHA512

    1985f909ce67b9e25f026882c4f9b41db83a0593c28ece25b09dc0c88242025ba42542c97b98e5f89c1599b22a24343998456f33da6539161e15c54f51a159cc

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json
    Filesize

    529KB

    MD5

    31ac26d3e93777069e81c1b815d101e6

    SHA1

    281c7a4cd841524cc2b7ed36e9360221ae10b5f2

    SHA256

    24082ad848d129a254a7d6c57a001b9f422c158c17e89177f38c0acaf1ac9467

    SHA512

    2510806924bf256a84486f9eb8e59da244c6bee3371f260b4c4ef6b916905c5066d8e8a722af04e2d9890591b22aa40e50bf31b6ee21a0627636589c4f49a63e

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/ew.json
    Filesize

    238KB

    MD5

    3a366da7beaba55d7295006e81f80fd9

    SHA1

    b3d49bf8e979ca8e56b4aa60ddc600ad89d9c4b9

    SHA256

    1bf6a39e590a3e109f44e1f9b86140aa6ca41c7fc143d727e286a2dad11871a4

    SHA512

    ad0d2dd1d50da72d07a48fe1d8c6f1b6bac21dae48baa95d6b745ad390d7a9dd1edafd7f24bb30452c004988954321d0c41a5bb4fa7cb8ea0d0976a92ba94cf9

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/ew.json
    Filesize

    238KB

    MD5

    6720cfcc736604ed53e89af3070000d9

    SHA1

    91b6c47de72b53e1f09ec8d6d128f0b3b5ca53eb

    SHA256

    f44926c4fe4678a46bf5eb9a9c49d241a3a3afdc2eb0b0a751d9edbd646604ef

    SHA512

    bbf7180ab7c07e791818e26342e7a83c64c546273f341a605fd3481fc3deba62c2829f2708f75574a619419c2a5d3696e676d9c593b75143e36346f095188918

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/jLt.json
    Filesize

    516KB

    MD5

    f33183f44b80a2ac99040ad10f42b185

    SHA1

    377e5311d5462cdb67551184bd0decad3ffa6edd

    SHA256

    e5e744b4d1e581493f3f07276876220c36728947af609d3a7580f3c009237d9e

    SHA512

    82d150f1ed88e883bf5b1268a884e0e567db1e4a5bd64f5548c8cdaddbeaf79d228d17c928bf08798312ccd32547775389b236c593816d5f318437062ee4c083

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/jLt.json
    Filesize

    516KB

    MD5

    ae3b0f42d632355096cd56a7978f840d

    SHA1

    75f3795c16e4e271481fa15e703b04e867f39692

    SHA256

    46e24bc9e5da5f97a69a66e9fbda41cf21915b65dfe930498fe4be4c987f85be

    SHA512

    39b0c67670c9171ca9bc9bb82ca44e7a8a477028339c256fd78ee76a1c1c487f47e3976b3a87d4f89c6c0a368037d5016ba8176b05a84ace54024acdcc0c70c0

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/oat/XmDYKd.json.cur.prof
    Filesize

    210B

    MD5

    23790d6ef41331ffb6673f0ce78a73b0

    SHA1

    6f0426bcbaa21a4d20012d88898bab6f9ff1e812

    SHA256

    4a744fa9fcbd998b1a37a7daf1d804e7630db0467935ee25ca24aaebac03fecd

    SHA512

    8d680e82710db8024ede93efbc2995492495d8609bea77ea81460bd36158d8300324f345cd54ca713fa13713c9d9b191e86690565eab0dca896bf38d3456e765

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/oat/ew.json.cur.prof
    Filesize

    379B

    MD5

    587fdda39eee03abd0bd94efd161302e

    SHA1

    e0f46d00b7cde0a0ce04908ea100a28ba7685e98

    SHA256

    3d67a353dd0ef3e4c7a50823311716bd5c5e67cd02f7916b12eb31449b33ee99

    SHA512

    f75f6b2ae96449b97a247593becbae48cedb936b8de22e448224842162471cd66631db8d459d2e2cdfa2970c3504e186a0f08c082c606c50ea1bf5882e043127

    Download Submit

  • /data/data/com.output.wire/app_DynamicOptDex/oat/jLt.json.cur.prof
    Filesize

    220B

    MD5

    5652018eb7a18f2e38bf965b392a505f

    SHA1

    6914cd9cf73f380391260a0763ae5dda0ff25589

    SHA256

    4a2b7f2089261ce4a98229ec05c1d6d33e12cf7991b903d3fd6f64ad9cdf11d6

    SHA512

    1f2b119e6330a7fc836c1a1bb57428142db88f3086b5e1fb8138da486edeb6ecc09069bc4fe339e6efbe735bd9a53d65f985e859c742e64bbe7243581e55fd95

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json
    Filesize

    1.5MB

    MD5

    1d845cb75b2f0c369b48e5f92897e5d3

    SHA1

    10095c7dd2e8dccd6bf34e37ccc8902042898fa0

    SHA256

    b2eb7d54017f49ca6f237a8af7360f2c16a1ef7f4fd368c059c7a96d6c4bcdf0

    SHA512

    0f50f99a05fb8d7438b700fdbcc17b7ed7acf0cce8610aa014b1ca7677758e86afe522fca229212d82e980edb16b1974d5533288b61870a33b0e8c99b9cdb8f2

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json
    Filesize

    1.5MB

    MD5

    d2a45c292d1a779f5dabc99ab3a82d86

    SHA1

    aadeacbbdf3442a5302c4b5fd5b3e5f497ae6cbd

    SHA256

    91486de8521dffb38a2c4d5aee3825a96353908844888ed960a2eef0cd091151

    SHA512

    589a20e9cb4f62ced331ab9b254bb588f45f065f7ad3fe6dd744d8941355414c25e01c6d0553c322a978834e76e1ea6ae6513d1f3720bfe1b84764a06ef7f696

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/ew.json
    Filesize

    483KB

    MD5

    9c14bc1e51b4748ecbe38d5b5c3138c7

    SHA1

    e2a923f60b7fe0adb2c32c293e86a7ccc5db8bed

    SHA256

    48cb2168bded67e7948c8001ae5a5b22e465fef16c63c52966a12eb47a3f2226

    SHA512

    58fdef8a033a82175837fac77b883f294d03749a3c7dd679e8e5947558bd21f33fa383e5cce9706c63663034cc9d036bc875be77db986e98e4abf9d37bde3e66

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/ew.json
    Filesize

    483KB

    MD5

    222cdbf22262802bb051311acd7c5c84

    SHA1

    f40bcece274334cf24a2334eb3a6cae88e8f656a

    SHA256

    99cb75cda7b01bbdc8856ea44890d53aeb00a3684ed1986805ff6061ca8590d8

    SHA512

    789e4cc7a8a7a60e96d34f2fbb288c09f03db3a558916b966ec13bdb09474e22b3aa3f13cb6e45fa7ecefdfdf19d40b4d8054cdaa1382fb6d990498520a89baa

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/jLt.json
    Filesize

    1.4MB

    MD5

    e8f52b3c7545954e80b87a9726743dbd

    SHA1

    afe047b51f689a5a0e9de2a0029f8a0f5b9efc91

    SHA256

    b51786e133b4ee9d067f8164578ff45bbe43c549afe2fed93f28e3cfca760105

    SHA512

    510117f9ede1e1b6b3b4965640f084cb66506e23728cf38ce3a6c5feabbb3a4bcebcd574bee349229f33837319da77fa5f89cd2a47264e56d0b1d804d838f380

    Download Submit

  • /data/user/0/com.output.wire/app_DynamicOptDex/jLt.json
    Filesize

    1.4MB

    MD5

    ed517e296f714db16d731b7fb66c14e3

    SHA1

    ae63d13d173528b46b3cfeb1401945f0a4f14070

    SHA256

    8c2a958f337d0a579ed87c04caa0c1cea109ad82a3147a17418c1d2692998330

    SHA512

    7277ba34c180a8b5ecc814e489cd161deef748d853069f22fbe1c7e2c544cb156993682a95068059b5f06dab056dbbc79b3161724a674954097b8c3bf36a589e

    Download Submit