alienbot | 8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759

General

Target

8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759.apk
Size

1.8MB
MD5

6f578eab62f3c76e7319284f6b199ed7
SHA1

368f26efd03c9e9c3c2f07d3c84c414c2cf666b5
SHA256

8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759
SHA512

398144a369836788e78f36aa928809ffcd04a43ac7168373982c6c5d8cb5db2203982643d1ef32d76f3288cc9ec2f046ebc9dddf4aeb935d519c5ee1606295f6
SSDEEP

49152:p7hKTua7KtTNNbUCzBa0hth+HkfQnrfGic8hxg8/pMzP:JkKPa6o0h3+Efe7TXxCzP

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://cacecarsa2.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

Processes:

resource	yara_rule
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	family_cerberus
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	nziaryxzmcxobbploy.lufhis.fezdtho
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	nziaryxzmcxobbploy.lufhis.fezdtho

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

pid process

4244 nziaryxzmcxobbploy.lufhis.fezdtho
Checks Android system properties for emulator presence. 1 IoCs

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

description ioc process

Accessed system property key: ro.product.model nziaryxzmcxobbploy.lufhis.fezdtho

pid	process
4244	nziaryxzmcxobbploy.lufhis.fezdtho

description	ioc	process
Accessed system property	key: ro.product.model	nziaryxzmcxobbploy.lufhis.fezdtho

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/x86/aT.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	4244	nziaryxzmcxobbploy.lufhis.fezdtho
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	4270	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/x86/aT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	4244	nziaryxzmcxobbploy.lufhis.fezdtho

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS nziaryxzmcxobbploy.lufhis.fezdtho

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	nziaryxzmcxobbploy.lufhis.fezdtho

nziaryxzmcxobbploy.lufhis.fezdtho
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4244
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/x86/aT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4270

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
85eadfc5e60acd29888f2c26534bb463

SHA1
1ac2498eea903927f2cd78220599b4fd98ea7306

SHA256
a72322c91ca9540aff284e9e46d2332870221cfd607792fb533a3eef142e9aca

SHA512
c3cb4954ebd89634a20a8c55660acbe6a32dff9a3ac2900d53bb7a66c19d5dbcbcc06f1d1b7fa6d1e7e8a20bd71bcc7c72409b5b1b7dd98c2f71f1bdf4fed6bb

Download Submit
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
934b81cac7ceb4caab9b8c4186b614df

SHA1
c3c0709b833348feda77972888dbdc23d38800cb

SHA256
65655dd4a51322a416408aa47625afde37a7136d2cba45f2d7ca021ae15b5525

SHA512
fc0e5c14945734b6d867baa22424a31f2f384c789d907e2d66e65136d6b39fb97264cbdc259c82d58ac058a96ede420563f233f26ec53a235a78195ce7fbafec

Download Submit
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/aT.json.cur.prof

Filesize
467B

MD5
a3df83e208bf8bd64bc82318d1690484

SHA1
b6a8326a3b5d7b4430172361d2bbe25d21c992a3

SHA256
f77f9d452974d6c63c97c33ba4588352de9a772ceb2150a593c89e6a7df13576

SHA512
37b4894c3dc078cf81d57d665b633fa5c1efc0c46eedec0dfd7e2c63adb597d905541f82cf2d6bb46d29da3efb6e64352e7a7c6a9b459e2f8fe2a9cc5517ac15

Download Submit
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
0a427b0077333b0e49a56e98edc0aee7

SHA1
d41d78fb4bd2e32c1c369605921df18391148141

SHA256
008f99b2027c1e528564106d8c461f890d383ae3d0ea94363a0f0ce266928a80

SHA512
28c1febb3d399a1f145b2e32a05fd72113690cd0d868dad619cd4e989a446a7c215e88eb539decef2e4b9a2fa46e36cfb1578175ba9b748659dc6c5be5862b6f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads