Malware Analysis Report

2024-10-19 11:56

Sample ID: 231210-cyvl8sbehq
Target: 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6.bin
SHA256: 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6
Tags: alienbot cerberus banker evasion infostealer rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6
Threat Level: Known bad

The file 23b3e076cdab5b50881f23a26a0f7d1d64b600ea5a8856da2a4f3adab81203a6.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Alienbot

Cerberus payload

Cerberus

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-10 02:29

Signatures

Declares broadcast receivers with permission to handle system events

Indicator                                      Description
android.permission.BIND_DEVICE_ADMIN           Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
(Process and Target: N/A)

Declares services with permission to bind to the system

Indicator                                                Description
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE            Required by accessibility services to bind with the system. Allows apps to access accessibility features.
(Process and Target: N/A)

Requests dangerous framework permissions

Indicator                                      Description
android.permission.READ_CONTACTS               Allows an application to read the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE      Allows an application to write to external storage.
android.permission.GET_ACCOUNTS                Allows access to the list of accounts in the Accounts Service.
android.permission.RECEIVE_SMS                 Allows an application to receive SMS messages.
android.permission.SEND_SMS                    Allows an application to send SMS messages.
android.permission.RECORD_AUDIO                Allows an application to record audio.
android.permission.REQUEST_INSTALL_PACKAGES    Allows an application to request installing packages.
android.permission.SYSTEM_ALERT_WINDOW         Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE                  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_SMS                    Allows an application to read SMS messages.
android.permission.READ_PHONE_STATE            Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE       Allows an application to read from external storage.
(Process and Target: N/A for every row. WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE are each declared twice in the manifest.)
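The static1 signatures above are all manifest-level facts: which components require a system-only bind permission and which runtime permissions are requested. The script below is an added example (not the sandbox's own tooling) that reproduces those three checks on a decoded AndroidManifest.xml, such as the one `apktool d sample.apk` writes. The embedded manifest is constructed: its package name and permission set are taken from this report, but the component class names (`.MainActivity`, `.AccService`, `.NotifService`, `.AdminReceiver`) are placeholders and are not claimed to be the sample's real ones. It also records which activity carries the LAUNCHER intent filter, since that is the entry the dynamic "removes its main activity from the application launcher" signature later refers to.

```python
"""Static permission/component triage of a decoded AndroidManifest.xml.

Added example, not part of the sandbox report. Flags receivers gated by
BIND_DEVICE_ADMIN, services gated by a system-only bind permission, and
requested "dangerous" runtime permissions (plus a few app-op permissions
that are common banker/RAT abuse primitives).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def aattr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


# Runtime ("dangerous" protection level) permissions relevant to triage.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
}
# Not "dangerous" by protection level, but each is a well-known abuse primitive:
# overlay phishing screens, sideloading a second stage, staying resident.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}
# Only the system holds these. A component that *requires* one is asking the OS
# to bind it as an accessibility / notification-listener / device-admin component.
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings = {"package": root.get("package"), "dangerous": [], "special": [],
                "system_bind": [], "launcher_activities": []}
    seen = set()
    for up in root.iter("uses-permission"):
        name = aattr(up, "name")
        if name in seen:  # a duplicate declaration grants nothing extra
            continue
        seen.add(name)
        if name in DANGEROUS:
            findings["dangerous"].append(name)
        elif name in SPECIAL:
            findings["special"].append(name)
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag in ("service", "receiver") and aattr(comp, "permission") in SYSTEM_BIND:
            findings["system_bind"].append((comp.tag, aattr(comp, "name"), aattr(comp, "permission")))
        if comp.tag == "activity":
            for f in comp.iter("intent-filter"):
                cats = {aattr(c, "name") for c in f.iter("category")}
                if "android.intent.category.LAUNCHER" in cats:
                    findings["launcher_activities"].append(aattr(comp, "name"))
    return findings


# Constructed manifest: package and permissions from the report above; the
# component class names are placeholders, not the sample's real ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.side.husband">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="app">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, val in audit_manifest(src).items():
        print(key, val)
```

Run it as `python3 audit.py AndroidManifest.xml`; with no argument it audits the constructed manifest and prints the same ten dangerous permissions, two app-op permissions and three system-bound components the static1 section lists. The combination that matters here is not any single permission but the set: accessibility binding plus SMS read/receive plus overlay windows is the standard banker profile (overlay capture of credentials, OTP interception, accessibility-driven UI automation).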

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-10 02:29
Reported: 2023-12-10 02:32
Platform: android-x64-20231023.1-en
Max time kernel: 1368481s
Max time network: 136s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

1 row, no indicator details reported (Description / Indicator / Process / Target: N/A)

Makes use of the framework's Accessibility service

Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
(Process and Target: N/A)

Removes its main activity from the application launcher

stealth trojan
5 rows, no indicator details reported (Description / Indicator / Process / Target: N/A)

Loads dropped Dex/Jar

Indicator: /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json
(Description, Process and Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock
(Process and Target: N/A)

Processes

com.side.husband

Network

Country  Destination            Domain                         Proto
N/A      224.0.0.251:5353       -                              udp
NL       142.250.179.142:443    -                              tcp
US       1.1.1.1:53             www.google.com                 udp
US       1.1.1.1:53             www.google.com                 udp
US       1.1.1.1:53             jsonplaceholder.typicode.com   udp
US       188.114.97.0:443       jsonplaceholder.typicode.com   tcp
US       1.1.1.1:53             ssl.google-analytics.com       udp
NL       142.251.36.8:443       ssl.google-analytics.com       tcp
NL       142.251.39.100:443     www.google.com                 tcp
US       1.1.1.1:53             bpargastasyas.ml               udp
NL       142.250.179.132:443    -                              tcp
NL       142.250.179.132:443    -                              tcp
(- = no domain attributed to the connection)

Files

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/data/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 a81fc2ea0e693a31e3486db0328af429
SHA1 6355a06b9ceb6f407794be460328a808e80f5ac0
SHA256 b838fd2b8d36df3b407674b20b608545cd36089255527e7c609f2aea5341671f
SHA512 96a8f62c1fce7aca613f6d6fba166dd291985b27ec0c4eb3d75394f533a3d5566cf483195444aa6a32de150a62cc9f0c5f15d6c8266c39f655fe972bc6e581d1

Analysis: behavioral3

Detonation Overview

Submitted: 2023-12-10 02:29
Reported: 2023-12-10 02:32
Platform: android-x64-arm64-20231023-en
Max time kernel: 1368494s
Max time network: 143s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

1 row, no indicator details reported (Description / Indicator / Process / Target: N/A)

Makes use of the framework's Accessibility service

Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
(Process and Target: N/A)

Removes its main activity from the application launcher

stealth trojan
8 rows, no indicator details reported (Description / Indicator / Process / Target: N/A)

Loads dropped Dex/Jar

Indicator: /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json
(Description, Process and Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock
(Process and Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
(Process and Target: N/A)

Processes

com.side.husband

Network

Country  Destination            Domain                         Proto
NL       142.250.179.142:443    -                              tcp
NL       142.250.179.142:443    -                              tcp
N/A      224.0.0.251:5353       -                              udp
US       1.1.1.1:53             jsonplaceholder.typicode.com   udp
US       188.114.97.0:443       jsonplaceholder.typicode.com   tcp
US       1.1.1.1:53             ssl.google-analytics.com       udp
US       1.1.1.1:53             android.apis.google.com        udp
US       1.1.1.1:53             bpargastasyas.ml               udp
US       1.1.1.1:53             android.apis.google.com        udp
DE       172.217.23.206:443     android.apis.google.com        tcp
NL       142.251.36.4:443       -                              tcp
US       1.1.1.1:53             www.google.com                 udp
DE       172.217.23.196:443     www.google.com                 tcp
US       1.1.1.1:53             ssl.google-analytics.com       udp
NL       142.250.179.200:443    ssl.google-analytics.com       tcp
(- = no domain attributed to the connection)

Files

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/user/0/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 916579e1a223eb0a47dd2d744c682d6b
SHA1 0b4f6cbda78f525b018a4e5ef9f97fa628a68299
SHA256 59510c8c4d2ed70ff2b7792cb422e8ff1650755451baf5848b0df279052d4e78
SHA512 e8edc11ba5167df6090c2477852f2591dde5e6a66c19a072b48d7174c002062f33ae0873357c44674d5311139e859d3be54726b89688b37dbf847f33237d730c

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-10 02:29
Reported: 2023-12-10 02:32
Platform: android-x86-arm-20231023-en
Max time kernel: 1368476s
Max time network: 147s

Command Line

com.side.husband

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

2 rows, no indicator details reported (Description / Indicator / Process / Target: N/A)

Makes use of the framework's Accessibility service

Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
(Process and Target: N/A)

Removes its main activity from the application launcher

stealth trojan
1 row, no indicator details reported (Description / Indicator / Process / Target: N/A)

Loads dropped Dex/Jar

Indicator: /data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json (2 rows, same path)
(Description, Process and Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock
(Process and Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
(Process and Target: N/A)

Processes

com.side.husband

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.side.husband/app_DynamicOptDex/oat/x86/mfOdosA.odex --compiler-filter=quicken --class-loader-context=&
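The dex2oat command line above settles what mfOdosA.json is: a file under app_DynamicOptDex passed as `--dex-file` and compiled to an `.odex`, so the `.json` extension is a disguise and the "Loads dropped Dex/Jar" signature in all three runs refers to a DEX payload written at runtime. Android's class loaders decide by header, not by name: a DEX file begins with `dex\n` followed by a three-digit version and a NUL, and a JAR/APK is a ZIP beginning with `PK\x03\x04`. The script below is an added example (not part of the report) that classifies a blob by magic, verifies the Adler-32 checksum and SHA-1 signature that the DEX header carries over the rest of the file, and records the same MD5/SHA-1/SHA-256 the Files sections use. The Files sections list the same mfOdosA.json path with several different hashes per run, so each captured version should be checked separately; the DEX built by `build_demo_dex` is a constructed header-only file for offline testing, not the dropped payload.

```python
"""Identify a DEX/JAR payload hiding behind a harmless-looking filename.

Added example, not part of the sandbox report. Usage:
    python3 dexcheck.py /path/to/pulled/app_DynamicOptDex
(for example after `adb pull /data/user/0/com.side.husband/app_DynamicOptDex`
from a rooted emulator). With no argument it scans the current directory.
"""
import hashlib
import os
import struct
import zlib

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
DEX_HEADER_SIZE = 0x70


def classify_blob(data: bytes) -> dict:
    info = {
        "kind": "unknown",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if data.startswith(ZIP_MAGIC):
        info["kind"] = "zip/jar"
    elif data.startswith(DEX_MAGIC) and len(data) >= DEX_HEADER_SIZE:
        info["kind"] = "dex"
        info["version"] = data[4:7].decode("ascii", "replace")
        # DEX header (dex format spec): checksum at offset 8 is Adler-32 of
        # everything after itself (offset 12 to EOF); signature at offset 12 is
        # SHA-1 of everything after itself (offset 32 to EOF); then file_size
        # and header_size (always 0x70).
        stored_checksum, = struct.unpack_from("<I", data, 8)
        stored_sig = data[12:32]
        file_size, header_size = struct.unpack_from("<II", data, 32)
        info["checksum_ok"] = stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
        info["signature_ok"] = stored_sig == hashlib.sha1(data[32:]).digest()
        info["size_ok"] = file_size == len(data) and header_size == DEX_HEADER_SIZE
    elif data.lstrip()[:1] in (b"{", b"["):
        info["kind"] = "json-like text"  # what a real .json would look like
    return info


def scan_tree(root: str) -> list:
    """Classify every file below root. A 'dex' or 'zip/jar' verdict for a
    path ending in .json (or .txt, .png, ...) is the masquerade seen here."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = classify_blob(fh.read())
            if info["kind"] in ("dex", "zip/jar"):
                hits.append((path, info))
    return hits


def build_demo_dex() -> bytes:
    """Constructed minimal DEX (header only, no classes) for offline testing.
    This is NOT the dropped mfOdosA.json payload from the report."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)                          # endian_tag
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()                  # signature
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)  # checksum
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    for path, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, info["kind"], info.get("version"), "checksum_ok=%s" % info.get("checksum_ok"), info["sha256"])
```

A checksum or signature mismatch on a file that still starts with `dex\n` usually means you pulled a partially written or re-encrypted copy rather than the one ART compiled; compare against the `.odex` left under `app_DynamicOptDex/oat/` and re-pull. A `json-like text` verdict for mfOdosA.json would mean the loader decrypts the file in memory before loading, in which case the on-disk blob is the wrong thing to hash.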

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353       -                                    udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
NL       216.58.208.110:443     -                                    tcp
US       1.1.1.1:53             android.apis.google.com              udp
NL       142.250.179.206:443    android.apis.google.com              tcp
US       1.1.1.1:53             jsonplaceholder.typicode.com         udp
US       188.114.96.0:443       jsonplaceholder.typicode.com         tcp
US       1.1.1.1:53             bpargastasyas.ml                     udp
(- = no domain attributed to the connection)
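Across the three Network tables (behavioral2, behavioral3 and this one) the only row that is not Google platform traffic, mDNS, the sandbox resolver or the public jsonplaceholder.typicode.com test API is a DNS query for bpargastasyas.ml, and in no run is that query followed by a TCP connection attributed to it, so the name did not resolve in the sandbox. The script below is an added example (not part of the report) that parses rows in this table's format and separates "queried but never connected" domains from background noise. The sample rows are copied from the behavioral1 table above; the noise allowlist and the treatment of jsonplaceholder.typicode.com as a connectivity check rather than C2 are assumptions that you should tune to your own sandbox image and confirm against the decompiled code.

```python
"""Pull candidate IOCs out of a sandbox network table of the form
    Country Destination Domain Proto
where Domain is absent on rows the sandbox could not attribute.
Added example, not the sandbox's own code."""
import re

ROW = re.compile(r"^(?P<country>\S+)\s+(?P<dest>[\d.]+:\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")

# Rows copied from the behavioral1 Network table in the report above.
SAMPLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 216.58.208.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 188.114.96.0:443 jsonplaceholder.typicode.com tcp
US 1.1.1.1:53 bpargastasyas.ml udp
"""

# Assumed allowlist of emulator/platform background traffic; tune per sandbox image.
NOISE_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com", ".google-analytics.com")
# Assumption: a public test API used as an "am I online?" probe, not a C2.
CONNECTIVITY_CHECKS = {"jsonplaceholder.typicode.com"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_noise(domain):
    return domain is not None and (domain.endswith(NOISE_SUFFIXES) or domain in CONNECTIVITY_CHECKS)


def summarize(text):
    rows = parse_rows(text)
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["dest"].endswith(":53") and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    # TCP rows with no domain: resolved earlier by something the sandbox did not
    # tie to a query; worth matching against the queried names by hand.
    unattributed = sorted({r["dest"] for r in rows if r["proto"] == "tcp" and not r["domain"]})
    dns_only = sorted(queried - connected)
    return {
        "queried": sorted(queried),
        "connected": sorted(connected),
        "dns_only": dns_only,                       # name looked up, never connected
        "unattributed_tcp": unattributed,
        "candidate_iocs": sorted(d for d in queried | connected if not is_noise(d)),
        "dead_or_unresolved": [d for d in dns_only if not is_noise(d)],
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, val in summarize(text).items():
        print("%-20s %s" % (key, val))
```

A domain that lands in `dead_or_unresolved` in every run is the one to take to passive DNS and your own resolver logs: a banker whose C2 no longer resolves in the sandbox still reveals its infrastructure through that query, and it may resolve again if the operators re-register it.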

Files

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 5e3e44c7b57c1ec0357ea6890e91eb07
SHA1 197f55b788d78f7e74861c31d05bf9eea285ad03
SHA256 13a58f8173e217ce1a5b46d552ddfb3c3e2e04b6d7c44c6cd3a211b83850e061
SHA512 b9414faab533bd6a7fe4e62217779b831e888f64182d7d43faa5a70e9cf27433daf7340305c3ecc9d905b887b9e818f37310729bae0a6d53e7b25cd059d7a35c

/data/data/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 165cff3acd86133745c2bfbf7fea8f89
SHA1 f507a90d90e19f8639c1f05bd0fbdc6dde975280
SHA256 a8f157ac47912dfb4bab7c7895dbf6d7abe3b963e51f9062d66d92ce0ee832fc
SHA512 a6a20013972c0e327264ea932911e4fa11dda795ebfdd8cb763b8beba6dab4b9766a669deb4bf707680d5a2cb1aaa8838948c98acaa9fbbf577b715c038733d8

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 8ea5dae61ca0889417db86ff26fea3ee
SHA1 85c9bc2f074bc5450af76d0acafb1f27939e22b9
SHA256 69c7ae04bc1ecc5217f1a3eef149382edc589ce183d4b5062193c2f8974c7690
SHA512 c55fdaf2af279a525b507e2a7aa2d2a5e771bcb872fb8ce4eeca626078475f45b8135b91a6de21ebfa89fd0fdc5f3e4a88551bf21b0b446437bfefcab5c2abe1

/data/user/0/com.side.husband/app_DynamicOptDex/mfOdosA.json

MD5 71c46fd2fecee9eda372ed4dd410e13e
SHA1 9f4f16d3572e4218047d5c48fa425a5cd16247b4
SHA256 86e90910a7579bb45649cfef0bcf24c8c6d6dbd24cb9009ba402a8a21ac391f4
SHA512 e62874e7daa03b5a47d01d7db3e3d82e0e77bcb50272b6662b2a9b9630045624f8268f942afa2c346cb693bcbbbfcae2179b74e918a0f692eb8677d6588ed8db

/data/data/com.side.husband/app_DynamicOptDex/oat/mfOdosA.json.cur.prof

MD5 f3d73818bce7f56a27d20ea553ee3acc
SHA1 66792105cf33ecca154bc82f130633260172409f
SHA256 a5e9d51b8e259309e626292d9dad22e686d28a78d207c6be5d401bdb5150d196
SHA512 b3325077b77d5d090f4cd3203cbfea815c794f20c293d000866e8358f6e44dc0897ceb75d7570e6cf713cd6252f6ccdbfaca412c548c81e7832296b81a604528