Analysis

  • max time kernel
    2300193s
  • max time network
    143s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    20/12/2023, 02:30 UTC

General

  • Target

    7dde3353e679bd4ec0a5c8655d95edb9a41e2a6c284ece79e764fe91a709ba14.apk

  • Size

    2.3MB

  • MD5

    dafe74f89d07bb8e452506809920ceb8

  • SHA1

    449270d46ff82f62edd095a967b0751e62b4054f

  • SHA256

    7dde3353e679bd4ec0a5c8655d95edb9a41e2a6c284ece79e764fe91a709ba14

  • SHA512

    243ff9a864b66c46a8202b90b4d3d899f16d4953a91414c83024a6366f286c1e55bbacc80bbaa1370e42fbaf3050ca614164ade64c69175ec8c19bed2cf4153a

  • SSDEEP

    49152:x1qxruZUjBQLYhdo3bHDzFUYmQLcVXzRsoP8geg2QW/I9WkNU66SuhKmub7CyfGm:9iS+ibl9mlRWINTp9fp

Malware Config

Extracted

Family

alienbot

C2

http://abracadabra6.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 2 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs

Processes

  • lrjdwnlfnrsjrh.kqtxlpsdmqlkxxre.xlpgxysehcskiwbrwaurejlwkm
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    PID:5141

Network

  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.212.228
  • flag-us
    DNS
    jsonplaceholder.typicode.com
    Remote address:
    1.1.1.1:53
    Request
    jsonplaceholder.typicode.com
    IN A
    Response
    jsonplaceholder.typicode.com
    IN A
    172.64.132.18
    jsonplaceholder.typicode.com
    IN A
    172.64.133.18
  • flag-us
    POST
    https://jsonplaceholder.typicode.com/posts
    Remote address:
    172.64.132.18:443
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Wed, 20 Dec 2023 21:20:30 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1703107230&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=wj%2FqVB6I3XIwJoP%2FlZIxEU2Dxku%2FzE4dk4BszpAjy6A%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1703107230&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=wj%2FqVB6I3XIwJoP%2FlZIxEU2Dxku%2FzE4dk4BszpAjy6A%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 999
    X-Ratelimit-Reset: 1703107262
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 838aee011ffc6394-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.16.232
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.180.14
  • flag-us
    DNS
    abracadabra6.xyz
    Remote address:
    1.1.1.1:53
    Request
    abracadabra6.xyz
    IN A
    Response
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.201.100
  • flag-us
    DNS
    abracadabra6.xyz
    Remote address:
    1.1.1.1:53
    Request
    abracadabra6.xyz
    IN A
    Response
  • flag-us
    DNS
    g.tenor.com
    Remote address:
    1.1.1.1:53
    Request
    g.tenor.com
    IN A
    Response
    g.tenor.com
    IN CNAME
    tenor.googleapis.com
    tenor.googleapis.com
    IN A
    142.250.200.42
    tenor.googleapis.com
    IN A
    216.58.213.10
    tenor.googleapis.com
    IN A
    142.250.187.202
    tenor.googleapis.com
    IN A
    216.58.212.234
    tenor.googleapis.com
    IN A
    216.58.201.106
    tenor.googleapis.com
    IN A
    172.217.169.10
    tenor.googleapis.com
    IN A
    142.250.179.234
    tenor.googleapis.com
    IN A
    142.250.187.234
    tenor.googleapis.com
    IN A
    142.250.200.10
    tenor.googleapis.com
    IN A
    142.250.178.10
    tenor.googleapis.com
    IN A
    142.250.180.10
    tenor.googleapis.com
    IN A
    216.58.204.74
    tenor.googleapis.com
    IN A
    172.217.16.234
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    216.58.212.206
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    216.58.212.238
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.212.228
  • flag-us
    DNS
    mdh-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    mdh-pa.googleapis.com
    IN A
    Response
    mdh-pa.googleapis.com
    IN A
    216.58.201.106
    mdh-pa.googleapis.com
    IN A
    142.250.187.234
    mdh-pa.googleapis.com
    IN A
    172.217.16.234
    mdh-pa.googleapis.com
    IN A
    216.58.212.234
    mdh-pa.googleapis.com
    IN A
    142.250.200.10
    mdh-pa.googleapis.com
    IN A
    142.250.180.10
    mdh-pa.googleapis.com
    IN A
    216.58.213.10
    mdh-pa.googleapis.com
    IN A
    142.250.200.42
    mdh-pa.googleapis.com
    IN A
    142.250.179.234
    mdh-pa.googleapis.com
    IN A
    172.217.169.10
    mdh-pa.googleapis.com
    IN A
    142.250.187.202
    mdh-pa.googleapis.com
    IN A
    216.58.204.74
    mdh-pa.googleapis.com
    IN A
    142.250.178.10
  • 216.58.213.14:443
    208 B
    4
  • 142.250.187.228:443
    208 B
    4
  • 216.58.212.228:443
    www.google.com
    tls
    1.3kB
    5.6kB
    9
    11
  • 216.58.212.228:443
    www.google.com
    tls
    1.3kB
    5.6kB
    9
    11
  • 172.64.132.18:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.5kB
    7.5kB
    11
    10

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 172.217.16.232:443
    ssl.google-analytics.com
    tls
    1.4kB
    5.9kB
    10
    9
  • 142.250.180.14:443
    android.apis.google.com
    tls
    1.9kB
    6.3kB
    10
    12
  • 216.58.201.100:443
    www.google.com
    tls
    1.5kB
    6.0kB
    12
    13
  • 172.217.16.226:443
    468 B
    9
  • 172.217.16.238:443
    468 B
    9
  • 142.250.187.227:443
    468 B
    9
  • 142.250.187.227:443
    468 B
    9
  • 142.250.200.14:443
    android.apis.google.com
    tls
    6.9kB
    10.6kB
    29
    31
  • 142.250.180.14:443
    www.youtube.com
    tls
    2.0kB
    8.7kB
    17
    15
  • 216.58.212.228:443
    www.google.com
    tls
    15.1kB
    11.0kB
    41
    50
  • 216.58.212.228:443
    www.google.com
    tls
    1.1kB
    5.3kB
    10
    8
  • 216.58.201.106:443
    mdh-pa.googleapis.com
    tls
    1.5kB
    11.0kB
    13
    17
  • 224.0.0.251:5353
    6.9kB
    23
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.212.228

  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    106 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    172.64.132.18
    172.64.133.18

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.16.232

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.180.14

  • 1.1.1.1:53
    abracadabra6.xyz
    dns
    62 B
    127 B
    1
    1

    DNS Request

    abracadabra6.xyz

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.201.100

  • 1.1.1.1:53
    abracadabra6.xyz
    dns
    62 B
    127 B
    1
    1

    DNS Request

    abracadabra6.xyz

  • 1.1.1.1:53
    g.tenor.com
    dns
    57 B
    296 B
    1
    1

    DNS Request

    g.tenor.com

    DNS Response

    142.250.200.42
    216.58.213.10
    142.250.187.202
    216.58.212.234
    216.58.201.106
    172.217.169.10
    142.250.179.234
    142.250.187.234
    142.250.200.10
    142.250.178.10
    142.250.180.10
    216.58.204.74
    172.217.16.234

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.14

  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    303 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    142.250.180.14
    216.58.201.110
    216.58.212.206
    142.250.187.206
    142.250.179.238
    216.58.212.238
    216.58.213.14
    142.250.187.238
    172.217.16.238
    142.250.200.46
    216.58.204.78
    142.250.178.14
    142.250.200.14

  • 142.250.180.14:443
    www.youtube.com
    https
    1.5kB
    49 B
    2
    1
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.212.228

  • 216.58.212.228:443
    www.google.com
    https
    1.5kB
    49 B
    2
    1
  • 1.1.1.1:53
    mdh-pa.googleapis.com
    dns
    67 B
    275 B
    1
    1

    DNS Request

    mdh-pa.googleapis.com

    DNS Response

    216.58.201.106
    142.250.187.234
    172.217.16.234
    216.58.212.234
    142.250.200.10
    142.250.180.10
    216.58.213.10
    142.250.200.42
    142.250.179.234
    172.217.169.10
    142.250.187.202
    216.58.204.74
    142.250.178.10

MITRE ATT&CK Matrix

Downloads

  • /data/data/lrjdwnlfnrsjrh.kqtxlpsdmqlkxxre.xlpgxysehcskiwbrwaurejlwkm/app_DynamicOptDex/WRX.json

    Filesize

    693KB

    MD5

    546fddb6ce5bd49be50961bf31a27e03

    SHA1

    9e8fbff72bbf0e3edf149f8f12f8c3d3e8088cc6

    SHA256

    ec6677ae919129722c52feabe29df80c12a4347beb4be48fc3a16576f3d13da1

    SHA512

    6294cd3af8b8e1d3c26ddd8a0934f0a0e8948fc3835757f966378f6accd1f168d2bf009a104c9a73dc212da4c69c4d698d2aa8078c3b943d081d724e3acdc048

  • /data/data/lrjdwnlfnrsjrh.kqtxlpsdmqlkxxre.xlpgxysehcskiwbrwaurejlwkm/app_DynamicOptDex/WRX.json

    Filesize

    693KB

    MD5

    a0ec4b3560a4645b42091707b6edf989

    SHA1

    8fdf10e8a1159e78f2ac2fecfa5dfedf9cc5f0a7

    SHA256

    b9ac8c63c12276732e00ee9506b582f816dca0a5d08978c27917f94ff8c1bc70

    SHA512

    f6fb020f2da9a7e4eac2affcfebf4440e4d0998c3994ffa1dffe6d0eed703e15d04ee9a6feded726f349deb413f90e7ff013f04c16a780f13bb33b678b6c1e28