alienbot | 93d77923edd54c80a9073ab529daa34e275334eea747daf3f496bce114116545

Analysis

max time kernel
2440667s
max time network
149s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 08:15

Target

93d77923edd54c80a9073ab529daa34e275334eea747daf3f496bce114116545.apk
Size

2.5MB
MD5

53cfbd65d6f0beec535d5c11b7b8ee68
SHA1

0e10eef11b6b6e9c1b81a0719f64ef4a85d68f8a
SHA256

93d77923edd54c80a9073ab529daa34e275334eea747daf3f496bce114116545
SHA512

92d8a47acf00065842903bab4ba4036e4b579c82f8215279a2e7fb55678b91490cfa6b7f2f52edcd902151ce80e30ca1ca28f886ac09267b1969ef7285e20061
SSDEEP

49152:/fTEOHkiXkXbOrT8KnIjyKVGwG2T0eZrmNGKqviEQxriESscXHKaj9aaxmIqmgLF:nTwbATZOkw0GmYKpZ6pfYLNmIJ3Rf

Score

10^/10

Family

alienbot

http://brobenim9.site

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/pact.praise.duty/app_DynamicOptDex/ruW.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

pact.praise.duty

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	pact.praise.duty
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	pact.praise.duty

Removes its main activity from the application launcher 5 IoCs
stealth trojan

Processes:

pact.praise.duty

pid process

4469 pact.praise.duty
4469 pact.praise.duty
4469 pact.praise.duty
4469 pact.praise.duty
4469 pact.praise.duty

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

pact.praise.duty

ioc	pid	process
/data/user/0/pact.praise.duty/app_DynamicOptDex/ruW.json	4469	pact.praise.duty
/data/user/0/pact.praise.duty/app_DynamicOptDex/ruW.json	4469	pact.praise.duty

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

pact.praise.duty

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS pact.praise.duty

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	pact.praise.duty

/data/user/0/pact.praise.duty/app_DynamicOptDex/oat/ruW.json.cur.prof

Filesize
320B

MD5
b845c388b337b99cfa5af45e58540301

SHA1
0efcf21014df40fb9afe35a75a26d2ae33d15737

SHA256
d739e4d26c3414f5a83d1fd72167cc605baad25258a3b11df8de9ea9c7860bb2

SHA512
0e9c8bdc5e2fe3fedce97dc8d795c0acf913c4d4ce86054301b18962cdd206dc0f4aa42d13785a038a07306855fb0e58674c01b0ac82d9496fa0ce189f856b21

Download Submit
/data/user/0/pact.praise.duty/app_DynamicOptDex/ruW.json

Filesize
770KB

MD5
ef752c7eb8f3ca6848e22402d62eb323

SHA1
5f17225fdb4dfbc185ccf5dec24786f4596ade1d

SHA256
2c8c25001ed0b6d8e9ed5bb4ef31a6e1b464d042c5f6ab758a7d248f065f3aee

SHA512
edcb038621a1c710ceb6512c86d165bf0005a3de9064ef64ef9ca113ab0c4bab8b39e72342ef2f99c2b9e5924bcd36faf8414fcf70065240509489fc75a5b6e3

Download Submit
/data/user/0/pact.praise.duty/app_DynamicOptDex/ruW.json

Filesize
770KB

MD5
28661ee5d491cd59cd65233484056f82

SHA1
ce56c25dff73fb8cfe2f644566126713d762d83d

SHA256
7391ae613d0971120572a9c1f351a7088e1b0796920472758fec3449bbfc9e00

SHA512
f8f04701405f4289706028d1c267f290f386714eedfc789229b12c34a885cbbaa269eeaedc01d2f92570e00238a414a7749a58bc42c1269a29724b1254891eb6

Download Submit