alienbot | 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6

Resubmissions

10-12-2023 02:29

231210-cyvl8sbehq 10

04-12-2023 22:00

231204-1wsa4afg7w 10

Analysis

max time kernel
1368494s
max time network
143s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
10-12-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6.apk
Size

1.9MB
MD5

646587934709574ea4f9b1fab6e6a9bf
SHA1

49928e81110adc671b33191b49058709def46c07
SHA256

23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6
SHA512

14797057550ee09330357c6793889cccb94680376f356221d2329582ac601f71631107d370cbfd42acdc0b2fd28caee1adc72b0cf565f9727864696af052b664
SSDEEP

49152:EZEf0UOWjhOs8KuVWU86zAIrw2xXA44udBaxC2qHhzG:E+cURAsoVWUbUIrwEXA44u3ax1ozG

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://bpargastasyas.ml

rc4.plain

Extracted

Family

alienbot

http://bpargastasyas.ml

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.side.husband

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.side.husband
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.side.husband

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.side.husband

pid	process
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband
4408	com.side.husband

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.side.husband

ioc pid process

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json 4408 com.side.husband
Acquires the wake lock 1 IoCs

Processes:

com.side.husband

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.side.husband
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.side.husband

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.side.husband

ioc	pid	process
/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json	4408	com.side.husband

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.side.husband

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.side.husband

com.side.husband
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

Filesize
238KB

MD5
5e3e44c7b57c1ec0357ea6890e91eb07

SHA1
197f55b788d78f7e74861c31d05bf9eea285ad03

SHA256
13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061

SHA512
b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

Download Submit
/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

Filesize
238KB

MD5
165cff3acd86133745c2bfbf7fea8f89

SHA1
f507a90d90e19f8639c1f05bd0fbdc6dde975280

SHA256
a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc

SHA512
a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

Download Submit
/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

Filesize
483KB

MD5
8ea5dae61ca0889417db86ff26fea3ee

SHA1
85c9bc2f074bc5450af76d0acafb1f27939e22b9

SHA256
69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690

SHA512
c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

Download Submit
/data/user/0/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

Filesize
320B

MD5
916579e1a223eb0a47dd2d744c682d6b

SHA1
0b4f6cbda78f525b018a4e5ef9f97fa628a68299

SHA256
59510c8c4d2ed70ff2b7792cb422e8ff1650755451baf5848b0df279052d4e78

SHA512
e8edc11ba5167df6090c2477852f2591dde5e6a66c19a072b48d7174c002062f33ae0873357c44674d5311139e859d3be54726b89688b37dbf847f33237d730c

Download Submit