alienbot | e9d76237d04e6f4eb66425f26e6c8441effd2fbbc6cb29cd5d2a2605491c7502

Analysis

max time kernel
3166050s
max time network
155s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
30-12-2023 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e4f6a0903ba99d6595ba32ee172dad3.apk
Size

3.3MB
MD5

0e4f6a0903ba99d6595ba32ee172dad3
SHA1

fae70fdbf2872e09860a1f875c36a9229d52d03f
SHA256

e9d76237d04e6f4eb66425f26e6c8441effd2fbbc6cb29cd5d2a2605491c7502
SHA512

ee541d58e4b5adf22ebd47bd6ff4cc944c2987ad6613a6f79850fe848925f9d803a32559f25f303ebcae199a7ab7eeb4bc65486522e027ffd1c3df4c9a0e0f3a
SSDEEP

49152:RfmKD7keCyZ4eBtW2hD07yzniXl8zzHUzy1vgqXppqj3FN3A89uKuzW5LnTnSkLQ:JkevZA2hl+Xezg0e3xuNW5jSkLneD

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

https://instagrambuyukprofil.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	gun.scrub.end
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	gun.scrub.end

Removes its main activity from the application launcher 7 IoCs

stealth trojan

pid	Process
4980	gun.scrub.end
4980	gun.scrub.end
4980	gun.scrub.end
4980	gun.scrub.end
4980	gun.scrub.end
4980	gun.scrub.end
4980	gun.scrub.end

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/gun.scrub.end/app_DynamicOptDex/fhF.json	4980	gun.scrub.end
/data/user/0/gun.scrub.end/app_DynamicOptDex/fhF.json	4980	gun.scrub.end

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	gun.scrub.end

gun.scrub.end
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/gun.scrub.end/app_DynamicOptDex/fhF.json

Filesize
759KB

MD5
0381be385b39dc1d914f1d8196624a8d

SHA1
102fb8fc1a0e26953aff2cdc2543e9b24e6f14d7

SHA256
f4ab9f012c4379b1e126cb430733e08d6ec4d171b7a8acaad57b050f0c8ebd2d

SHA512
d0056ceca92dc401c98cc7ea729e381a455f867bf4f5eb0fb5fc7d8eb19bb8f59785a802d35a798a34ec48d076b3726692c257396b74de4a4537a846be32a8ae

Download Submit
/data/data/gun.scrub.end/app_DynamicOptDex/fhF.json

Filesize
759KB

MD5
637504b24fa979af68ddb70fa2ca9272

SHA1
091b0dd1cd4d5ff53abd4926eed1ea980d44ff4c

SHA256
6dbf6c49b93849c9611850772c7a261460973b53ef23da9b751eed398569ca7e

SHA512
32ee4a5bb2df8de0155903435a44ab85847873ba9ae9a33db6a2018776186b591895239898c1d6e62cd7e0c0461b535bde9d9165992ecd268e42b1408c64f52f

Download Submit
/data/data/gun.scrub.end/app_DynamicOptDex/oat/fhF.json.cur.prof

Filesize
420B

MD5
32f8a95b361dfd6e11e411230dfc3a64

SHA1
a507c50183c5849ecfea68a5a01ef34a13232760

SHA256
f0787b736d5716b0da0498fa4ffa2c0181f3c094b6204314299873dedbe8f240

SHA512
84b4037b404cfa249608bea6a7d83d02944bd07e4c9879190c88956fa82bfd6241c66c84f2fe2326eda1e5cc6a4452add68eb32210374c581310825296fc6a56

Download Submit