alienbot | 9957a03540292e79743545af7912af20328b7ead26a07f6321f895e1aa0548e2

Analysis

max time kernel
2462285s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9957a03540292e79743545af7912af20328b7ead26a07f6321f895e1aa0548e2.apk
Size

2.1MB
MD5

8b86e31274d87061683e29ec9b91ddcf
SHA1

738724ddf869cf688be01df41c8eeb8db6a139d2
SHA256

9957a03540292e79743545af7912af20328b7ead26a07f6321f895e1aa0548e2
SHA512

afa1b7568a8e3bbd7317e8bb96546d3e3f3942c26d91e3e56ba64b5f0f5c880f91bc970669ba14021311946730deb57dfdb41bc8b9f823eeed8b9733337b301c
SSDEEP

49152:LjMTXASrW3Kbj2DrR3uYRdHwjpcCqRw/NTfkOctLT:LjVEnqrXnHCh4LLT

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

rc4.plain

Extracted

Family

alienbot

http://saglamsiparislerburada.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.parrot.habit

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.parrot.habit
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.parrot.habit

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.parrot.habit

pid	process
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit
4598	com.parrot.habit

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.parrot.habit

ioc pid process

/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json 4598 com.parrot.habit
Acquires the wake lock 1 IoCs

Processes:

com.parrot.habit

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.parrot.habit
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.parrot.habit

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.parrot.habit

ioc	pid	process
/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json	4598	com.parrot.habit

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.parrot.habit

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.parrot.habit

com.parrot.habit
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4598

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json

Filesize
238KB

MD5
bc7a72d29a3ee138b384a862e0d94a49

SHA1
524c3250e4331f262b6b4951f097321b759770e8

SHA256
085a36cdd7714117adebda66564035d8d8f14898276348c6d9069779bb2c35c9

SHA512
6c91825a4358e2203cb88d06aee9a47d29708852fe90e58717308a1f6b186f1284a0d9edd8217b6dda95f61ce4495e032c4ce5f21155a9f4424199fa55eefeb9

Download Submit
/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json

Filesize
238KB

MD5
358ed62467278f06e995a860550958a4

SHA1
5ec0fc78fb6b11af00c557e0778d68665bdd8a53

SHA256
d1e6b3cb5d6a861a52f6b364c258be9b45bd3a19c68ba3701e4ed36305f10b05

SHA512
468b3321e46a0aa9fae170b2c1a0c7776b67cc1da9117b44615ecf1c426f88fe147fab7ce372e5da3f101bea087fce62999fd9bc6a14b9b3a863b1b9873da395

Download Submit
/data/user/0/com.parrot.habit/app_DynamicOptDex/Qi.json

Filesize
482KB

MD5
80dc669760f82e56e80e1131262decc8

SHA1
57cacfb1f3b0fce023b98985bf81b066782babbc

SHA256
0a6592aad6877b72f85a6f7164053d80d2740405f52d9a8f94743fb75fa4188f

SHA512
e3bd86c7f9c928181ccfc46fa7774231b0e949b15961a6d5fd9d0d14b75dce53db5050d259d0e9510bddd4a09762c56a9439441adf57f14978d0390d630980ce

Download Submit
/data/user/0/com.parrot.habit/app_DynamicOptDex/oat/Qi.json.cur.prof

Filesize
316B

MD5
3a8c45400db2b78caed20d78edb541a2

SHA1
f8f26b8bfcd130ae7810ad54adcebffbeb876a97

SHA256
82f253f58789a1eb6276f7882d5fa41ef0ac4ab0825f96995fcd54f09e6542ed

SHA512
42993d44e80eb89cc16a962e62b18d2e50900d2e6f82fd782e3ab7c8b5c6b11e4ba571d29de9b22ffb2c69fcea10025c91958df633b6c51d44903e1c3bce21bc

Download Submit