Overview

overview

10

Static

static

7

3f39c2fc43...5b.apk

android-9-x86

10

3f39c2fc43...5b.apk

android-10-x64

10

3f39c2fc43...5b.apk

android-11-x64

10

about1d.html

windows7-x64

1

about1d.html

windows10-2004-x64

1

about2d.html

windows7-x64

1

about2d.html

windows10-2004-x64

1

index.html

windows7-x64

1

index.html

windows10-2004-x64

1

scanning.html

windows7-x64

1

scanning.html

windows10-2004-x64

1

sharing.html

windows7-x64

1

sharing.html

windows10-2004-x64

1

Analysis

  • max time kernel
    3919289s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20231023-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
  • submitted
    19-11-2023 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.apk

  • Size

    3.3MB

  • MD5

    edd5463d40b2df8261e5d83d1dd817ed

  • SHA1

    771f4a6cbba22aa24ceb962196693afc3a4ea1aa

  • SHA256

    3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b

  • SHA512

    b0cc13b6d0c25d512ccf1a9f0dda89a06bd2a505a98cf6c94d857b8954cb7650c7c8759e62d0dbaf9f5a4dbeca8ce5369036f611b7cd2d36f6291b15ccfd1595

  • SSDEEP

    98304:rJuyrXzkstBCQWIxchONDDs9VxQfk/uTAeM:rYyrXzkO2802f0UM

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://194.163.161.72/

rc4.plain

Extracted

Family

alienbot

C2

http://194.163.161.72/

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 4 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • magic.disagree.often
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4261
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/x86/BN.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/magic.disagree.often/app_DynamicOptDex/BN.json
    Filesize

    482KB

    MD5

    ff0f495f931ba5f212613f80e7f410b1

    SHA1

    ada2d98ec059148e957f86307f7e5952223d996a

    SHA256

    55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48

    SHA512

    738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

    Download Submit

  • /data/data/magic.disagree.often/app_DynamicOptDex/BN.json
    Filesize

    482KB

    MD5

    8ab798666cef9aba8d3b3fe22c2cc4fb

    SHA1

    215a4641fff65b4711b91f92dc9a42d34103a617

    SHA256

    72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

    SHA512

    b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

    Download Submit

  • /data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof
    Filesize

    476B

    MD5

    a5b847c8a7a72b9cb0ef4e2843267704

    SHA1

    7745705dc71a2b91e4edc269678996b62d6d6dc4

    SHA256

    b019d587466a6c0bb87a1cfa3a5b5f76e42da78c2ed4b40e4319255e5d4537d5

    SHA512

    d4b1a446a88b9adcefc5195772649a2c593b8b83463558bc802bc67802dc2c7fb9be7f0d667fcb95c342cba24d9edbf4181f03a17d22425cf64b3f77e41724e6

    Download Submit

  • /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
    Filesize

    482KB

    MD5

    8ab798666cef9aba8d3b3fe22c2cc4fb

    SHA1

    215a4641fff65b4711b91f92dc9a42d34103a617

    SHA256

    72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

    SHA512

    b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

    Download Submit

  • /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
    Filesize

    482KB

    MD5

    5ab478c7eed9bef922ddbff57f4da9d9

    SHA1

    befe1483c3e99714a949013c8dc4b8c953daa62f

    SHA256

    1cb2f9a55804b613e0b4f9bfa49c0e9027d3399bb828a90448a5059fc33a94b3

    SHA512

    c40a550fcebb48bd94fa62d35c0a0fb116dd6f8748141e6859c214f774eeb532655fc76ae6a77259434a89d6904206ba241f6dbf3f40fe33f605a952cc12f65c

    Download Submit

  • /data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json
    Filesize

    482KB

    MD5

    8ab798666cef9aba8d3b3fe22c2cc4fb

    SHA1

    215a4641fff65b4711b91f92dc9a42d34103a617

    SHA256

    72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

    SHA512

    b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

    Download Submit