alienbot | 8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576

Analysis

max time kernel
2359301s
max time network
139s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576.apk
Size

2.1MB
MD5

f6bfa60529092c4b02cbb194ca1b90f1
SHA1

87f57d6783cc626ecd87d56a2ae6f0a5a51debaa
SHA256

8586757efc2359fa24f98fb9cd3c42827aefea7e69fa568be38043aea4454576
SHA512

3579de3d544473c47e2b6a0db9cc75e1f095b6be0fc8b7075755165e6cab9d8c48cabf9ee8b9fa786d992edd85eece7cd1359c1e979bff2e557cdacae570521e
SSDEEP

49152:kN1PNgSNd83DXd5AuytWc0D3l9zT074rIWQgAV1Y5AqYRsByL+:krlg6kn9AboH874rIWyXL+

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

rc4.plain

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.scout.reopen

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.scout.reopen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.scout.reopen

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.scout.reopen

pid	process
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen
4619	com.scout.reopen

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.scout.reopen

ioc pid process

/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json 4619 com.scout.reopen
Acquires the wake lock 1 IoCs

Processes:

com.scout.reopen

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.scout.reopen
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.scout.reopen

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.scout.reopen

ioc	pid	process
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json	4619	com.scout.reopen

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.scout.reopen

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.scout.reopen

com.scout.reopen
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4619

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
b36eb84093714d6fcff081b1593b811a

SHA1
6bd217666e550ebc28d0f81e09be88f37f4c1307

SHA256
b8918f025b3e4d5c20a0c3d29ee1f087230d4cefbfd2eda86b6a1abdceabb821

SHA512
3bfffdedf670499c9b041a608f25035ece4ab5f825d9709a650bd281991c5a4d434b45d4951e0d60bd5d55f1bc08dff1b0564ede32e4579d8c3d09d5b28d1077

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
238KB

MD5
5ee1bede9feaba1e40b0e2ec6865d69f

SHA1
a63af22b9b39f9cc6683026e0aed88407f8f561d

SHA256
f4d58b7b70d2e60cf0e579bf068b49568862b7ae96d937fee8a12803aa59d914

SHA512
ab1fb790f65ac993f419e4be1a1242264826707d9688aaf1287a6aaf937a11e5ea63279deb54dde0eea4abae0c09ce3509ac85d7580727d8547452afb920eedb

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/klblxHG.json

Filesize
482KB

MD5
a75b81dbafbf0927c126004c729ca3c6

SHA1
6571802a07b56a9f7a75d1e184eb0f26e3e2a746

SHA256
6333e8a28e7af5d55ba7c76c91a9f8ab2b542490f2a453deca6b8205b92ef131

SHA512
5019bc1a52b8e2d826d125126ef879513d1b738ebc0ec687ce224d3854100513c964a85d0265d7e536cecdef2618e75411733495b2171ed070dc6f2f03d4f053

Download Submit
/data/user/0/com.scout.reopen/app_DynamicOptDex/oat/klblxHG.json.cur.prof

Filesize
320B

MD5
c6b4815a5b9177ed3348455f4e5109bf

SHA1
fd0db82448cd4c06645921116558297ea4638509

SHA256
c757b0ba1639358e3ed1b7d779165ccbb3057d707deb70e8573691d43cece2d7

SHA512
1373fa68d79f1f8569fd46c4a152d52bd8627494ec47f5d5b62e8175c74a92f6059c7b8a6651fd951ad6ebe6bc9cbe15158dee133305077cfb3a274d6243fcb7

Download Submit