alienbot | 8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576

Analysis

max time kernel
2359283s
max time network
146s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576.apk
Size

2.1MB
MD5

f6bfa60529092c4b02cbb194ca1b90f1
SHA1

87f57d6783cc626ecd87d56a2ae6f0a5a51debaa
SHA256

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576
SHA512

3579de3d544473c47e2b6a0db9cc75e1f095b6be0fc8b7075755165e6cab9d8c48cabf9ee8b9fa786d992edd85eece7cd1359c1e979bff2e557cdacae570521e
SSDEEP

49152:kN1PNgSNd83DXd5AuytWc0D3l9zT074rIWQgAV1Y5AqYRsByL+:krlg6kn9AboH874rIWyXL+

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

rc4.plain

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.scout.reopen

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.scout.reopen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.scout.reopen

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.scout.reopen

pid	process
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen
4965	com.scout.reopen

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.scout.reopen

ioc pid process

/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json 4965 com.scout.reopen
Acquires the wake lock 1 IoCs

Processes:

com.scout.reopen

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.scout.reopen

ioc	pid	process
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	4965	com.scout.reopen

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.scout.reopen

com.scout.reopen
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
PID:4965

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
b36eb84093714d6fcff081b1593b811a

SHA1
6bd217666e550ebc28d0f81e09be88f37f4c1307

SHA256
b8918f025b3e4d5c20a0c3d29ee1f087230d4cefbfd2eda86b6a1abdceabb821

SHA512
3bfffdedf670499c9b041a608f25035ece4ab5f825d9709a650bd281991c5a4d434b45d4951e0d60bd5d55f1bc08dff1b0564ede32e4579d8c3d09d5b28d1077

Download Submit
/data/data/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
5ee1bede9feaba1e40b0e2ec6865d69f

SHA1
a63af22b9b39f9cc6683026e0aed88407f8f561d

SHA256
f4d58b7b70d2e60cf0e579bf068b49568862b7ae96d937fee8a12803aa59d914

SHA512
ab1fb790f65ac993f419e4be1a1242264826707d9688aaf1287a6aaf937a11e5ea63279deb54dde0eea4abae0c09ce3509ac85d7580727d8547452afb920eedb

Download Submit
/data/data/com.scout.reopen/app_DynamicOptDex/oat/klblxHG.json.cur.prof

Filesize
375B

MD5
8056b705ddbc2660283376ce720fbbcd

SHA1
00eadd4f86958bea027c0239780d236471a89fa5

SHA256
7009fdc17c8bedacc6059f380a82ed0059bfabc4e6e83b759b9c253bd48ca602

SHA512
659728980b834819dfaf1b10f5e4b2307f770db7d7ca0a913bbad437429d285f2d30d2c0e81e33d81b52905206120a90cec907d8045d1b0c5bc31b3040e059a5

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
482KB

MD5
a75b81dbafbf0927c126004c729ca3c6

SHA1
6571802a07b56a9f7a75d1e184eb0f26e3e2a746

SHA256
6333e8a28e7af5d55ba7c76c91a9f8ab2b542490f2a453deca6b8205b92ef131

SHA512
5019bc1a52b8e2d826d125126ef879513d1b738ebc0ec687ce224d3854100513c964a85d0265d7e536cecdef2618e75411733495b2171ed070dc6f2f03d4f053

Download Submit