alienbot | 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b

Analysis

max time kernel
3919223s
max time network
164s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
19-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.apk
Size

3.3MB
MD5

edd5463d40b2df8261e5d83d1dd817ed
SHA1

771f4a6cbba22aa24ceb962196693afc3a4ea1aa
SHA256

3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b
SHA512

b0cc13b6d0c25d512ccf1a9f0dda89a06bd2a505a98cf6c94d857b8954cb7650c7c8759e62d0dbaf9f5a4dbeca8ce5369036f611b7cd2d36f6291b15ccfd1595
SSDEEP

98304:rJuyrXzkstBCQWIxchONDDs9VxQfk/uTAeM:rYyrXzkO2802f0UM

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://194.163.161.72/

rc4.plain

Extracted

Family

alienbot

http://194.163.161.72/

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 3 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_cerberus
behavioral2/memory/5120-0.dex	family_cerberus
behavioral2/memory/5120-1.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	magic.disagree.often
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	magic.disagree.often

Removes its main activity from the application launcher 4 IoCs

stealth trojan

pid	Process
5120	magic.disagree.often
5120	magic.disagree.often
5120	magic.disagree.often
5120	magic.disagree.often

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	magic.disagree.often

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	5120	magic.disagree.often
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	5120	magic.disagree.often

magic.disagree.often
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
PID:5120
- getprop ro.miui.ui.version.name
  2⤵
  PID:5300
- getprop ro.miui.ui.version.name
  2⤵
  PID:5386
- getprop ro.miui.ui.version.name
  2⤵
  PID:5512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
ff0f495f931ba5f212613f80e7f410b1

SHA1
ada2d98ec059148e957f86307f7e5952223d996a

SHA256
55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48

SHA512
738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

Download Submit
/data/data/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit
/data/data/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof

Filesize
400B

MD5
d37d5def4dc95ef901709f1a2fe9fe00

SHA1
428f282a6720b1a6b821b3413b7487d23e115f68

SHA256
c1654ca28324e52920c822e9066bdf00175026d59fb8ffd5e1072f06dbe5fda3

SHA512
8210f1142922f3ca5c49a634c6705d3386071e700343f810396f5a3d20f7b3ce33456a42e620da428255ad727419012eff7f810a7ef56f325c4234244f5a41e5

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads