alienbot | 8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576

General

Target

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576.apk
Size

2.1MB
MD5

f6bfa60529092c4b02cbb194ca1b90f1
SHA1

87f57d6783cc626ecd87d56a2ae6f0a5a51debaa
SHA256

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576
SHA512

3579de3d544473c47e2b6a0db9cc75e1f095b6be0fc8b7075755165e6cab9d8c48cabf9ee8b9fa786d992edd85eece7cd1359c1e979bff2e557cdacae570521e
SSDEEP

49152:kN1PNgSNd83DXd5AuytWc0D3l9zT074rIWQgAV1Y5AqYRsByL+:krlg6kn9AboH874rIWyXL+

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://saglamsiparislerburada.shop

rc4.plain

Extracted

Family

alienbot

C2

http://saglamsiparislerburada.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	family_cerberus
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.scout.reopen

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.scout.reopen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.scout.reopen

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.scout.reopen

pid process

4259 com.scout.reopen

pid	process
4259	com.scout.reopen

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.scout.reopen/app_DynamicOptDex/oat/x86/klblxHG.odex --compiler-filter=quicken --class-loader-context=&com.scout.reopen

ioc	pid	process
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	4285	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.scout.reopen/app_DynamicOptDex/oat/x86/klblxHG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	4259	com.scout.reopen

Acquires the wake lock 1 IoCs

Processes:

com.scout.reopen

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.scout.reopen
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.scout.reopen

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.scout.reopen

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.scout.reopen

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.scout.reopen

com.scout.reopen
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4259
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.scout.reopen/app_DynamicOptDex/oat/x86/klblxHG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4285

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
b36eb84093714d6fcff081b1593b811a

SHA1
6bd217666e550ebc28d0f81e09be88f37f4c1307

SHA256
b8918f025b3e4d5c20a0c3d29ee1f087230d4cefbfd2eda86b6a1abdceabb821

SHA512
3bfffdedf670499c9b041a608f25035ece4ab5f825d9709a650bd281991c5a4d434b45d4951e0d60bd5d55f1bc08dff1b0564ede32e4579d8c3d09d5b28d1077

Download Submit
/data/data/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
5ee1bede9feaba1e40b0e2ec6865d69f

SHA1
a63af22b9b39f9cc6683026e0aed88407f8f561d

SHA256
f4d58b7b70d2e60cf0e579bf068b49568862b7ae96d937fee8a12803aa59d914

SHA512
ab1fb790f65ac993f419e4be1a1242264826707d9688aaf1287a6aaf937a11e5ea63279deb54dde0eea4abae0c09ce3509ac85d7580727d8547452afb920eedb

Download Submit
/data/data/com.scout.reopen/app_DynamicOptDex/oat/klblxHG.json.cur.prof

Filesize
468B

MD5
412250f44fc791bca9ee5c08fc22e641

SHA1
26defb0ae3fb201d596add556a8030b9d7750e99

SHA256
40955d9614b0234d93a88102e6d2a50921917835f00cbfadb8a3844787cf86ef

SHA512
78f2ea8a02f464567d2aca448b5f58390d09810abded13b7cfdee23860feb1251bf5a61cee705b8e85c3b2a8e42790b80e5ac3eeaf456d6c35bb6971af47f616

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
482KB

MD5
bd91f43093de9df5b12a281c9abd6078

SHA1
7e1337376db47879ce879cdeb7a7545912ced1cf

SHA256
4b94b97cfbf995a732fc410eba859907de48133b2a7bc41a51c8d5835e84f940

SHA512
8a388fd4775afa562dcf16d9b2550779f2ce2d23769fd0887bbf35521a59a8d0aa105d6606c878723e5fbac87cd54790beebda971d198fb5c34d6cec229fe69a

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
482KB

MD5
a75b81dbafbf0927c126004c729ca3c6

SHA1
6571802a07b56a9f7a75d1e184eb0f26e3e2a746

SHA256
6333e8a28e7af5d55ba7c76c91a9f8ab2b542490f2a453deca6b8205b92ef131

SHA512
5019bc1a52b8e2d826d125126ef879513d1b738ebc0ec687ce224d3854100513c964a85d0265d7e536cecdef2618e75411733495b2171ed070dc6f2f03d4f053

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads