alienbot | 7142344ff1efa338898a69da6c5081007223717b01b3f4d6207cecb9f646aab0

Analysis

max time kernel
2796365s
max time network
144s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
06-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7142344ff1efa338898a69da6c5081007223717b01b3f4d6207cecb9f646aab0.apk
Size

3.1MB
MD5

b1f4cb2c134e42e1c26f333097e17e56
SHA1

7fcfc163fe3f8bf5a54e38fe21ce559d6cafcd40
SHA256

7142344ff1efa338898a69da6c5081007223717b01b3f4d6207cecb9f646aab0
SHA512

c058f040f08f8ecd89498d0b86d24e6519cb7d46d594e50adcff54d08419eb025d49c3be1cdb4b5362800a574e67c33712046d927c06853f3f54f409aa503783
SSDEEP

49152:h7KMzjB309sF4vt5HW7zDC4SvQvM2rIg5ZNMErWfPzODZTq81hSjA3y:FKck6mV5mCgvM2rT5NrLlBjEAi

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://buuncanlidersvarmi11.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json	family_cerberus
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json	family_cerberus
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

chef.isolate.task

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	chef.isolate.task
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	chef.isolate.task

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

chef.isolate.task

pid	process
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task
4526	chef.isolate.task

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

chef.isolate.task

ioc	pid	process
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json	4526	chef.isolate.task
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json	4526	chef.isolate.task

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

chef.isolate.task

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS chef.isolate.task

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	chef.isolate.task

chef.isolate.task
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4526
- getprop ro.miui.ui.version.name
  2⤵
  PID:4640
- getprop ro.miui.ui.version.name
  2⤵
  PID:4693
- getprop ro.miui.ui.version.name
  2⤵
  PID:4876
- getprop ro.miui.ui.version.name
  2⤵
  PID:4904
- getprop ro.miui.ui.version.name
  2⤵
  PID:4942
- getprop ro.miui.ui.version.name
  2⤵
  PID:4974
- getprop ro.miui.ui.version.name
  2⤵
  PID:5006

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json

Filesize
718KB

MD5
941798c87bc19acf81e9a30c5c9d342d

SHA1
9c729d4edf25fdebabe911858ac4d51551946284

SHA256
89418d37f636411e97486c68de47965757b31da3a0b481979865c8efb5804fec

SHA512
d803a09f708f2834f683a22d3077b41d6b7cc512ba41f777ecde4670d2bc63b4a357ff06699e530bf4c3fdbf0b6fd10a6c33e6c8e4b8015955724bfb3fb19cc0

Download Submit
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json

Filesize
718KB

MD5
9848f326eb31b8eb6a6aff56e08eaa6f

SHA1
475866a598c6c9d049f5ed2ffb3410d98edc7159

SHA256
f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779

SHA512
cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3

Download Submit
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json

Filesize
718KB

MD5
9848f326eb31b8eb6a6aff56e08eaa6f

SHA1
475866a598c6c9d049f5ed2ffb3410d98edc7159

SHA256
f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779

SHA512
cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3

Download Submit
/data/user/0/chef.isolate.task/app_DynamicOptDex/fTnEmT.json

Filesize
718KB

MD5
9848f326eb31b8eb6a6aff56e08eaa6f

SHA1
475866a598c6c9d049f5ed2ffb3410d98edc7159

SHA256
f49be7fe820c785aef3578b113a3240e8450c797609578b6d05316cbb3495779

SHA512
cff258de266dd100a77768560bd0e013c25d73ea46630f37dde7c8f3731d95128c99cdbe424379bed655aee20fe9187f37699f1966b5157aee2047d6127003a3

Download Submit
/data/user/0/chef.isolate.task/app_DynamicOptDex/oat/fTnEmT.json.cur.prof

Filesize
339B

MD5
d9aafcff073bd42f1a04014aa624515f

SHA1
5f42616ec3d9b98a547a8fc6bfdc0de0d3d4236f

SHA256
71312128869b22147616bc93eab3c65b532adcd77474f7b66f99759f6f832dbb

SHA512
5479f2ec53ed8ce28d05ad458836a64353b081afb514e6023db6ce51410c281a1e5f61fea0ed5888908ea6d211be4524dd20a591489c2eb73a195ad14e8e36be

Download Submit