alienbot | 983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598

Analysis

max time kernel
2458162s
max time network
158s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20-12-2023 08:51

Target

983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598.apk
Size

2.2MB
MD5

95cfd5efd2526e4166849004b357effe
SHA1

e57518888c1e20a71cfd9e3fb41f04dc6fd066b7
SHA256

983cd93ceec7451eed08dea0c83b05e9665e8ae0c433b564efcc55657ebc2598
SHA512

d5059df8b04d5b91c2afcddf92f531db82ee7bd65d73273ae6625252605589acd29ffc2b443fe9438e2b9d3ddeb1d63a3c27187f66383e1faf115ad90d0ed032
SSDEEP

49152:iHujnsSVC4tvraZm6dyNJipahpdUvs8W4Vbr+34opM:Q8Np2ZSkarSVWz0

Score

10^/10

Family

alienbot

http://ukalasey2.com

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm

Removes its main activity from the application launcher 5 IoCs

pid	Process
4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json	4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm
/data/user/0/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json	4982	ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm

/data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json

Filesize
767KB

MD5
2bc89aade90294152d7ea29e36ac48e9

SHA1
4d1e4ca7044e97798aa88eb6829e3664dc41628b

SHA256
34fe80e5af092d641e11e042f7aec42f9b68231959c113e28c801741c18ce211

SHA512
ad0a3b986677910e77e5466f8d5b4eb4255e5ec313283f3dadc22458382971f1416114df51d400a27ff8de0eb6c0a79977ccbe6b665c5fa8c71f7074336914ef

Download Submit
/data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/GXsTi.json

Filesize
767KB

MD5
d4d6d0f4cbfe76d620ced317c2240137

SHA1
f62e5ac2e1f388b074907da335979acc4abb2919

SHA256
1e968ee9b7a194c662b4fab586c6ed7139101b742b22258b7580012a420483bc

SHA512
312c16a82c21d1d2a7e013352d4ffbc039de27f6b680898e2c72e8d9395d9e28a77006d678b99a99649a4abecf089dbb8be304accb9286f1830086b6b32cdbb6

Download Submit
/data/data/ctsdijqewczjhww.gnsxtstbwrjbrxh.mkypmybqnlsidgxzunmwbekbm/app_DynamicOptDex/oat/GXsTi.json.cur.prof

Filesize
380B

MD5
81f5afa074470eb7146e447c903865fa

SHA1
39a71a971787eb3d88972adf541ce15088fdd03a

SHA256
d0b3f13f9d238b42c7944535fa2145443167387c11d75e81bce31057473835e8

SHA512
9cb407ca2727090b5705e4014ad1e060ce8bb23c0fd8db8989afd293c5f315cd1b002c4a10753988bfc48f8dba48b32b09c129523c2afae3704b52bda3e61db1

Download Submit