alienbot | add237b89e88279d19b58da5bd06c371d982853a536dbf906c5b3b42ba13cd2a

Analysis

max time kernel
2513222s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add237b89e88279d19b58da5bd06c371d982853a536dbf906c5b3b42ba13cd2a.apk
Size

1.8MB
MD5

bd57fd2e64f0db396735a2550bfea9a3
SHA1

b84061c464aa04a9a626b82d058311ae4e26f9c8
SHA256

add237b89e88279d19b58da5bd06c371d982853a536dbf906c5b3b42ba13cd2a
SHA512

69cbd5b32a56a38a074609cf38e17f29b2ccdd1e873da4a1ae845623a994a47ddf4ad86fd07a346c5f61c412e5c37e00d1b567373b53adeb4514d5fbf334fad9
SSDEEP

49152:5xrM1GsLmakKZfCVodEhDfTUcHiwwIrtkBgDHjRJeQ1prHKze20uL:5S1GLapZf+omhDfDiwJLHNJrKy2ZL

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://heklpplaldmeroads.shop

rc4.plain

Extracted

Family

alienbot

http://heklpplaldmeroads.shop

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.advice.multiply

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.advice.multiply
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.advice.multiply

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.advice.multiply

pid	process
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply
4633	com.advice.multiply

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.advice.multiply

ioc pid process

/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json 4633 com.advice.multiply
Acquires the wake lock 1 IoCs

Processes:

com.advice.multiply

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.advice.multiply
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.advice.multiply

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.advice.multiply

ioc	pid	process
/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json	4633	com.advice.multiply

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.advice.multiply

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.advice.multiply

com.advice.multiply
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4633

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json

Filesize
238KB

MD5
7b573341f2d1f7cbfafb14024c782bb6

SHA1
2b1b0921b508a668391c3b9f195bb469ead98993

SHA256
8905ece2ab8418bf0549bd1a2c126558eac45e84e81ef77fb17bfa66003c49a7

SHA512
c7525be3a663cd6738bf0d79d2b8060fad130af7a2f875ed757b6b6f9d8b8d2f6a496aac330386032af3e180572282245a12e27c2fd2390c423bb5ff448305c2

Download Submit
/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json

Filesize
238KB

MD5
bfd8def3fa05f7f5eb18b59305759bc2

SHA1
5e4cc7d643d80f17f205f33fd729287269e5d025

SHA256
ce202fbcfe24df8c892b8724f46a905cf522b12a407e56821e991b668fd10842

SHA512
474fe5119817d7863e16aaab653b906c22e170cf8380e8e20ffe63d79e6e80074d29f8b260cc28ad962014c6c0285e6458f8f74a2e39ce33b8d756cb7d2d22c6

Download Submit
/data/user/0/com.advice.multiply/app_DynamicOptDex/Wr.json

Filesize
483KB

MD5
27c5cd2bbe52d6e99a63850ca02a9827

SHA1
02a983694c540ce8eb652ed9af99932359c42273

SHA256
b9459b71aa16913164edcfeed97bd60b98fd57050b93fddc48061c94e2d327f1

SHA512
8df7e3837a7691c5b41c39d858a22f4bcc5ae316aa002c13179f7b88f0d941239017d24b2cd7df35a64f7070bfe57b608093d5269c408ee568ef4e72b54bd379

Download Submit
/data/user/0/com.advice.multiply/app_DynamicOptDex/oat/Wr.json.cur.prof

Filesize
315B

MD5
2a70414263a23429dedf8688441f2810

SHA1
4ae8b72504d289a465a10072bedfb2ef17a8ef7d

SHA256
4c51197231bd59f724bda997467942493ea97fa6c3a32d29a94bb68fda44cb6e

SHA512
62110e0fc793a333b2cba9195aaaebc580363731ff612c05d96bc9c8764cb52991f74deb5e5159d5752a8229a939e08c230ab6b2533c3223c46947a0e6d61a20

Download Submit