alienbot | 1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c

Analysis

max time kernel
1154530s
max time network
133s
platform
android_x64
resource
android-x64-20230831-en
resource tags

androidarch:x64arch:x86image:android-x64-20230831-enlocale:en-usos:android-10-x64system
submitted
18-10-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c.apk
Size

2.7MB
MD5

b1eff3478423519bde22fbe1cb2cbe25
SHA1

0fc4e8eb2f7f53778175d9c2b3d98d212b65b06a
SHA256

1c7d235a525c32568344edd0a93ca21ee9f8a30a91d7af2bc0aeba0cea1b5a2c
SHA512

9d335b6bbe6902b6082c1f17cf5a0010ace25c6e1e2bc118661bb10ec99dabc45415e8baa9efa2f559c7d236483fd6d8335780a0cec58d059fd1993a21866581
SSDEEP

49152:D9MRHe66OlvLxIQq8YBg9f4dtUgP+21JuFzEj3Lkbeh/I2zW3lgcobx3FWhLN:4e3OVLx3q9BsQDUgX3Kwj3LOexIYW3l9

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://1natetboxs.net

rc4.plain

Extracted

Family

alienbot

http://1natetboxs.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.output.wire/app_DynamicOptDex/ew.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.output.wire

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.output.wire
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.output.wire

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.output.wire

pid	process
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire
5028	com.output.wire

Acquires the wake lock. 1 IoCs

Processes:

com.output.wire

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.output.wire

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.output.wire

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.output.wire

ioc	pid	process
/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json	5028	com.output.wire
/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json	5028	com.output.wire
/data/user/0/com.output.wire/app_DynamicOptDex/ew.json	5028	com.output.wire

com.output.wire
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5028
- getprop ro.miui.ui.version.name
  2⤵
  PID:5166
- getprop ro.miui.ui.version.name
  2⤵
  PID:5251
- getprop ro.miui.ui.version.name
  2⤵
  PID:5342
- getprop ro.miui.ui.version.name
  2⤵
  PID:5375
- getprop ro.miui.ui.version.name
  2⤵
  PID:5411
- getprop ro.miui.ui.version.name
  2⤵
  PID:5472
- getprop ro.miui.ui.version.name
  2⤵
  PID:5507

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json

Filesize
529KB

MD5
6bf5caabcea2e2e99a6e5c21b571ee35

SHA1
77899e8ac21086e858a6f915df57c81bb656e0b2

SHA256
670914c371cf2e93beacfcb3ea916abcd9e77afad25b58688d5f900edd526ccf

SHA512
1985f909ce67b9e25f026882c4f9b41db83a0593c28ece25b09dc0c88242025ba42542c97b98e5f89c1599b22a24343998456f33da6539161e15c54f51a159cc

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/XmDYKd.json

Filesize
529KB

MD5
31ac26d3e93777069e81c1b815d101e6

SHA1
281c7a4cd841524cc2b7ed36e9360221ae10b5f2

SHA256
24082ad848d129a254a7d6c57a001b9f422c158c17e89177f38c0acaf1ac9467

SHA512
2510806924bf256a84486f9eb8e59da244c6bee3371f260b4c4ef6b916905c5066d8e8a722af04e2d9890591b22aa40e50bf31b6ee21a0627636589c4f49a63e

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/ew.json

Filesize
238KB

MD5
3a366da7beaba55d7295006e81f80fd9

SHA1
b3d49bf8e979ca8e56b4aa60ddc600ad89d9c4b9

SHA256
1bf6a39e590a3e109f44e1f9b86140aa6ca41c7fc143d727e286a2dad11871a4

SHA512
ad0d2dd1d50da72d07a48fe1d8c6f1b6bac21dae48baa95d6b745ad390d7a9dd1edafd7f24bb30452c004988954321d0c41a5bb4fa7cb8ea0d0976a92ba94cf9

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/ew.json

Filesize
238KB

MD5
6720cfcc736604ed53e89af3070000d9

SHA1
91b6c47de72b53e1f09ec8d6d128f0b3b5ca53eb

SHA256
f44926c4fe4678a46bf5eb9a9c49d241a3a3afdc2eb0b0a751d9edbd646604ef

SHA512
bbf7180ab7c07e791818e26342e7a83c64c546273f341a605fd3481fc3deba62c2829f2708f75574a619419c2a5d3696e676d9c593b75143e36346f095188918

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/jLt.json

Filesize
516KB

MD5
f33183f44b80a2ac99040ad10f42b185

SHA1
377e5311d5462cdb67551184bd0decad3ffa6edd

SHA256
e5e744b4d1e581493f3f07276876220c36728947af609d3a7580f3c009237d9e

SHA512
82d150f1ed88e883bf5b1268a884e0e567db1e4a5bd64f5548c8cdaddbeaf79d228d17c928bf08798312ccd32547775389b236c593816d5f318437062ee4c083

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/jLt.json

Filesize
516KB

MD5
ae3b0f42d632355096cd56a7978f840d

SHA1
75f3795c16e4e271481fa15e703b04e867f39692

SHA256
46e24bc9e5da5f97a69a66e9fbda41cf21915b65dfe930498fe4be4c987f85be

SHA512
39b0c67670c9171ca9bc9bb82ca44e7a8a477028339c256fd78ee76a1c1c487f47e3976b3a87d4f89c6c0a368037d5016ba8176b05a84ace54024acdcc0c70c0

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/oat/XmDYKd.json.cur.prof

Filesize
210B

MD5
23790d6ef41331ffb6673f0ce78a73b0

SHA1
6f0426bcbaa21a4d20012d88898bab6f9ff1e812

SHA256
4a744fa9fcbd998b1a37a7daf1d804e7630db0467935ee25ca24aaebac03fecd

SHA512
8d680e82710db8024ede93efbc2995492495d8609bea77ea81460bd36158d8300324f345cd54ca713fa13713c9d9b191e86690565eab0dca896bf38d3456e765

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/oat/ew.json.cur.prof

Filesize
386B

MD5
5a9bde33ae24d6c2ee9eb14c7e31fd08

SHA1
45c3b1ad1d76be47a2e72d947b27bc695c07efed

SHA256
39235f6a82ef95f38eca489adb6990f81e78f239f891bad5762f33989fd3777b

SHA512
729ecf6dc5381901f4db505015dbe8da54a1b58f8d16dd30869215b09ab918e2a814110d11e6bfb3975c3dbfdc47acda8b2be333bcfca2c8916661964855f0af

Download Submit
/data/data/com.output.wire/app_DynamicOptDex/oat/jLt.json.cur.prof

Filesize
220B

MD5
806790737d686923390be5675467a571

SHA1
8aa90b7d769ab7cfc616268c6179392af8dcc07b

SHA256
d6460f9f7fa2faeb8bbd6458d7cd5a114c73162c52b78c33842d8ebaf5fff482

SHA512
ed4deccecfd47ce75361b11a13b96f989b44034bf976ee0c27ebafe7f865156aff96459b0beb926767d8462aab54c8a11ad7fc19846ceab319c09e94a8fe699a

Download Submit
/data/user/0/com.output.wire/app_DynamicOptDex/XmDYKd.json

Filesize
1.5MB

MD5
d2a45c292d1a779f5dabc99ab3a82d86

SHA1
aadeacbbdf3442a5302c4b5fd5b3e5f497ae6cbd

SHA256
91486de8521dffb38a2c4d5aee3825a96353908844888ed960a2eef0cd091151

SHA512
589a20e9cb4f62ced331ab9b254bb588f45f065f7ad3fe6dd744d8941355414c25e01c6d0553c322a978834e76e1ea6ae6513d1f3720bfe1b84764a06ef7f696

Download Submit
/data/user/0/com.output.wire/app_DynamicOptDex/ew.json

Filesize
483KB

MD5
222cdbf22262802bb051311acd7c5c84

SHA1
f40bcece274334cf24a2334eb3a6cae88e8f656a

SHA256
99cb75cda7b01bbdc8856ea44890d53aeb00a3684ed1986805ff6061ca8590d8

SHA512
789e4cc7a8a7a60e96d34f2fbb288c09f03db3a558916b966ec13bdb09474e22b3aa3f13cb6e45fa7ecefdfdf19d40b4d8054cdaa1382fb6d990498520a89baa

Download Submit
/data/user/0/com.output.wire/app_DynamicOptDex/jLt.json

Filesize
1.4MB

MD5
ed517e296f714db16d731b7fb66c14e3

SHA1
ae63d13d173528b46b3cfeb1401945f0a4f14070

SHA256
8c2a958f337d0a579ed87c04caa0c1cea109ad82a3147a17418c1d2692998330

SHA512
7277ba34c180a8b5ecc814e489cd161deef748d853069f22fbe1c7e2c544cb156993682a95068059b5f06dab056dbbc79b3161724a674954097b8c3bf36a589e

Download Submit