Overview

overview

10

Static

static

7

45f01f69b0...7e.apk

android-9-x86

10

45f01f69b0...7e.apk

android-10-x64

10

45f01f69b0...7e.apk

android-11-x64

10

libEncryptorP.so

debian-9-armhf

1

libapminsighta.so

debian-9-armhf

1

libapminsightb.so

debian-9-armhf

Analysis

  • max time kernel
    315530s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20231023-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
  • submitted
    27-11-2023 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e.apk

  • Size

    1.5MB

  • MD5

    86578d94e97a1043846bda311e04da45

  • SHA1

    1364d63e90796d1d9bdb42a0fe18ae4dbb8c6106

  • SHA256

    45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e

  • SHA512

    afc60a9f453c2fd0d942c00c443770f465ce66db4059a5f979942aea5efa3e05bf507621d5011747228c4ad47d2a83a11e0935ec44727f2ea09b4f0d92a6b54f

  • SSDEEP

    24576:xrWlX8lXWiPz3K8kNxivwgJrbqFvo4zzuABpIpMvb/YRAC7GnnUOdhvj5a0ekp1R:2Pew2xkPBpJvjC7qUY59/eoFD

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

https://ukalasahne.net

rc4.plain

Extracted

Family

alienbot

C2

https://ukalasahne.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion

Processes

  • com.warrior.priority
    1⤵
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    PID:4294
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.warrior.priority/app_DynamicOptDex/oat/x86/XfS.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4322

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.warrior.priority/app_DynamicOptDex/XfS.json
    Filesize

    238KB

    MD5

    2cfecc18ef54d20cf76d4466e538e892

    SHA1

    74caeef82f43274d5e82aa8f47879827fe8bfbd4

    SHA256

    e485e2ce0aa58e74e7882fa406aeda0b717fde1f64e1f999fce1f7dba1b8cef0

    SHA512

    229d03343b4a960ca2730754be5980ac29e80d82aba58564004d2840e0274929337f664ba76d64b0e8d6ac02c7d75dec888f222cdcfce5aa2921567495e95ac4

    Download Submit

  • /data/data/com.warrior.priority/app_DynamicOptDex/XfS.json
    Filesize

    238KB

    MD5

    593c0ddd4d2d69fa42bd1cf5015eb248

    SHA1

    90530f01fd550a0d51d92a5cf726b26b0e9264a4

    SHA256

    4be618659daa106c1e512dd791b3b6bc396a5802f18f0a3b616304703baa5906

    SHA512

    bcd1988379092cca3e2202bc99410ccf7e2a62285b8fe43d50294c1fe560d76bef3aacfd57900e6edc5f9d8195c5ce5874fd850baf76233a7d8e47d2f1e084e2

    Download Submit

  • /data/data/com.warrior.priority/app_DynamicOptDex/oat/XfS.json.cur.prof
    Filesize

    444B

    MD5

    0337f32da6938403419340ce5249237e

    SHA1

    434bede31d498aae89603afced4a43ca694a0827

    SHA256

    bfaac91c5b3db34e37ce83d15d697d38365ef4c01029a0c54ff1e99c49168096

    SHA512

    d5ec4fa7f549e9c58777511ad61d8af07b090a2f9a4b2f95a90336bd7b87bb4be367f2657bb91cc81f7945b069dc39b6b8ba8fad0ceaefe55126138568ef5049

    Download Submit

  • /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json
    Filesize

    483KB

    MD5

    29f2103e368650e0d9e7e643dc69b22f

    SHA1

    b4d347b519aa923a704ce5b7cbe870628a0f70cd

    SHA256

    b882104ae41264aa3a8236d247700d43f6fa33e1bae851a368de8b8647513f7d

    SHA512

    504742bbef53ccb0b33f9cedde33e45236473b3686dca35b53e79ab775001bc1e2e16e225feccbd7a09ee0ca18cd7e703a5d451272151d65b6ebc8610f734112

    Download Submit

  • /data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json
    Filesize

    483KB

    MD5

    eb38e7017072f8078c1662ca8dd7949a

    SHA1

    a31933d2fdb92bb5b0563d25f8151e0023748c90

    SHA256

    848117e1861aa672f0ac10f27bf8a8c3adb032262064e8740f51ccb8f382d65a

    SHA512

    ad5871421bc1e0193e4714d9a8841da818eb8d0e0a0de86b3f9efcdabf2ff61b4aa7de390e11ad695af2e0134c11d0f9c785f91eb6168ca44ae762f01dd1d942

    Download Submit