alienbot | 8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759

Analysis

max time kernel
2349873s
max time network
154s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 04:37

Target

8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759.apk
Size

1.8MB
MD5

6f578eab62f3c76e7319284f6b199ed7
SHA1

368f26efd03c9e9c3c2f07d3c84c414c2cf666b5
SHA256

8484c2866f4404efae683034430804680ec740b0919e435c3897ee45c3ae3759
SHA512

398144a369836788e78f36aa928809ffcd04a43ac7168373982c6c5d8cb5db2203982643d1ef32d76f3288cc9ec2f046ebc9dddf4aeb935d519c5ee1606295f6
SSDEEP

49152:p7hKTua7KtTNNbUCzBa0hth+HkfQnrfGic8hxg8/pMzP:JkKPa6o0h3+Efe7TXxCzP

Score

10^/10

Family

alienbot

http://cacecarsa2.com

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	nziaryxzmcxobbploy.lufhis.fezdtho
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	nziaryxzmcxobbploy.lufhis.fezdtho

Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

pid process

5061 nziaryxzmcxobbploy.lufhis.fezdtho
5061 nziaryxzmcxobbploy.lufhis.fezdtho
5061 nziaryxzmcxobbploy.lufhis.fezdtho

pid	process
5061	nziaryxzmcxobbploy.lufhis.fezdtho
5061	nziaryxzmcxobbploy.lufhis.fezdtho
5061	nziaryxzmcxobbploy.lufhis.fezdtho

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

nziaryxzmcxobbploy.lufhis.fezdtho

ioc	pid	process
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	5061	nziaryxzmcxobbploy.lufhis.fezdtho
/data/user/0/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json	5061	nziaryxzmcxobbploy.lufhis.fezdtho

/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
85eadfc5e60acd29888f2c26534bb463

SHA1
1ac2498eea903927f2cd78220599b4fd98ea7306

SHA256
a72322c91ca9540aff284e9e46d2332870221cfd607792fb533a3eef142e9aca

SHA512
c3cb4954ebd89634a20a8c55660acbe6a32dff9a3ac2900d53bb7a66c19d5dbcbcc06f1d1b7fa6d1e7e8a20bd71bcc7c72409b5b1b7dd98c2f71f1bdf4fed6bb

Download Submit
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/aT.json

Filesize
710KB

MD5
934b81cac7ceb4caab9b8c4186b614df

SHA1
c3c0709b833348feda77972888dbdc23d38800cb

SHA256
65655dd4a51322a416408aa47625afde37a7136d2cba45f2d7ca021ae15b5525

SHA512
fc0e5c14945734b6d867baa22424a31f2f384c789d907e2d66e65136d6b39fb97264cbdc259c82d58ac058a96ede420563f233f26ec53a235a78195ce7fbafec

Download Submit
/data/data/nziaryxzmcxobbploy.lufhis.fezdtho/app_DynamicOptDex/oat/aT.json.cur.prof

Filesize
386B

MD5
a480671eb5f6226ba6331020ccefb245

SHA1
fbfb08dd4603d5020a9fba6d1eb2771affbe176e

SHA256
a5e983255bf8fe87066527f2ce3070ab4d03ad73fbb3443c3a88a1d8b9671e43

SHA512
b9b37ab715f13c3d73e0d1f2dff6bfcfe73916de5de4f705ebe807f6e53ad6b40cc972ed3541053e23407e9200a66dd389475aeee58b9701edccf28ca336404c

Download Submit