alienbot | 3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b

Analysis

max time kernel
3919295s
max time network
161s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
19-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b.apk
Size

3.3MB
MD5

edd5463d40b2df8261e5d83d1dd817ed
SHA1

771f4a6cbba22aa24ceb962196693afc3a4ea1aa
SHA256

3f39c2fc43173b203a6a0b0331adb6ad265f0ee09fbab56ff25f18dec4fb805b
SHA512

b0cc13b6d0c25d512ccf1a9f0dda89a06bd2a505a98cf6c94d857b8954cb7650c7c8759e62d0dbaf9f5a4dbeca8ce5369036f611b7cd2d36f6291b15ccfd1595
SSDEEP

98304:rJuyrXzkstBCQWIxchONDDs9VxQfk/uTAeM:rYyrXzkO2802f0UM

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://194.163.161.72/

rc4.plain

Extracted

Family

alienbot

http://194.163.161.72/

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	family_cerberus
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	family_cerberus
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

magic.disagree.often

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	magic.disagree.often
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	magic.disagree.often

Removes its main activity from the application launcher 2 IoCs
stealth trojan

Processes:

magic.disagree.often

pid process

4380 magic.disagree.often
4380 magic.disagree.often
Acquires the wake lock. 1 IoCs

Processes:

magic.disagree.often

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock magic.disagree.often

pid	process
4380	magic.disagree.often
4380	magic.disagree.often

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	magic.disagree.often

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

magic.disagree.often

ioc	pid	process
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	4380	magic.disagree.often
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json	4380	magic.disagree.often

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

magic.disagree.often

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS magic.disagree.often

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	magic.disagree.often

magic.disagree.often
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4380
- getprop ro.miui.ui.version.name
  2⤵
  PID:4561

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
ff0f495f931ba5f212613f80e7f410b1

SHA1
ada2d98ec059148e957f86307f7e5952223d996a

SHA256
55a93d0cd5a3f4e93063e93b143fd74744cb76ca893f460bf7cb3b1fbbdbbe48

SHA512
738ab9cc6c0a92e6fc25b03f40190af3ed3c604b8d162c05974f8ce8ca6cfda1f302b7253ebf6930aa08cbe222046b5f5609b8ef9c2384e79aca551df74bbf71

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/BN.json

Filesize
482KB

MD5
8ab798666cef9aba8d3b3fe22c2cc4fb

SHA1
215a4641fff65b4711b91f92dc9a42d34103a617

SHA256
72a92d7274ad7403d45172602750fe47d512c41f616f50d0eb80809f7e388333

SHA512
b0b7dae5b63fa0e9a25b707277386ccb6d00042061907535de2ad5dff8d790f572bd84ad2b59855ccd8936f9e72cef205534e3fb0774ba21cd59991626b23e45

Download Submit
/data/user/0/magic.disagree.often/app_DynamicOptDex/oat/BN.json.cur.prof

Filesize
344B

MD5
30536a6840dccd237df127c52c7966e0

SHA1
169234009b626455efbbdaa3ce8ab4c9677d4f5a

SHA256
3d9781f1efee3584a1109b55470440b4f40e35973b33da46bf9c886048d10117

SHA512
9ec305f7bc65aeff50a110b049ada00876612cf58b0e30ee5bd546fbd14fdcfd7a1d5d19140636a1ca58cbf60e9183896fc11010c95f8aefda4bad5386effd8d

Download Submit