alienbot | 45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e

Analysis

max time kernel
315548s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
27-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e.apk
Size

1.5MB
MD5

86578d94e97a1043846bda311e04da45
SHA1

1364d63e90796d1d9bdb42a0fe18ae4dbb8c6106
SHA256

45f01f69b0c5b25a3c90808eb889d4c649087e72668edb90b9d982b2dfcfe87e
SHA512

afc60a9f453c2fd0d942c00c443770f465ce66db4059a5f979942aea5efa3e05bf507621d5011747228c4ad47d2a83a11e0935ec44727f2ea09b4f0d92a6b54f
SSDEEP

24576:xrWlX8lXWiPz3K8kNxivwgJrbqFvo4zzuABpIpMvb/YRAC7GnnUOdhvj5a0ekp1R:2Pew2xkPBpJvjC7qUY59/eoFD

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

https://ukalasahne.net

rc4.plain

Extracted

Family

alienbot

https://ukalasahne.net

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral3/memory/4419-0.dex	family_cerberus

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.warrior.priority
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.warrior.priority

Removes its main activity from the application launcher 8 IoCs

stealth trojan

pid	Process
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority
4419	com.warrior.priority

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.warrior.priority

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json	4419	com.warrior.priority

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.warrior.priority

com.warrior.priority
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4419

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

Filesize
238KB

MD5
2cfecc18ef54d20cf76d4466e538e892

SHA1
74caeef82f43274d5e82aa8f47879827fe8bfbd4

SHA256
e485e2ce0aa58e74e7882fa406aeda0b717fde1f64e1f999fce1f7dba1b8cef0

SHA512
229d03343b4a960ca2730754be5980ac29e80d82aba58564004d2840e0274929337f664ba76d64b0e8d6ac02c7d75dec888f222cdcfce5aa2921567495e95ac4

Download Submit
/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

Filesize
238KB

MD5
593c0ddd4d2d69fa42bd1cf5015eb248

SHA1
90530f01fd550a0d51d92a5cf726b26b0e9264a4

SHA256
4be618659daa106c1e512dd791b3b6bc396a5802f18f0a3b616304703baa5906

SHA512
bcd1988379092cca3e2202bc99410ccf7e2a62285b8fe43d50294c1fe560d76bef3aacfd57900e6edc5f9d8195c5ce5874fd850baf76233a7d8e47d2f1e084e2

Download Submit
/data/user/0/com.warrior.priority/app_DynamicOptDex/XfS.json

Filesize
483KB

MD5
eb38e7017072f8078c1662ca8dd7949a

SHA1
a31933d2fdb92bb5b0563d25f8151e0023748c90

SHA256
848117e1861aa672f0ac10f27bf8a8c3adb032262064e8740f51ccb8f382d65a

SHA512
ad5871421bc1e0193e4714d9a8841da818eb8d0e0a0de86b3f9efcdabf2ff61b4aa7de390e11ad695af2e0134c11d0f9c785f91eb6168ca44ae762f01dd1d942

Download Submit
/data/user/0/com.warrior.priority/app_DynamicOptDex/oat/XfS.json.cur.prof

Filesize
313B

MD5
6070ada59ffbe31405b3030e7d7644d0

SHA1
141e31cfb4bd63fc15270efd3873fa576557d7e0

SHA256
3ca5d9a2200c1adf64498f344736fa129aa8958a95c4ef08d4236ecb8b93e86d

SHA512
c7dfae531b769e96acade73e2810f4c96f9fb53f7d28fa30e06840aafa67c6a16f7e9ea2ac8eeb176600ab2b0f6e670835d78765a4cc0211fc1e9e3fc33f952b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads