alienbot | ffdf537102cad9f4b12795bde56c421e8d7a627e2939a56aff448ef04cdbe336

Analysis

max time kernel
3525539s
max time network
152s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
31-12-2023 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c89c2cb856d9ec5ea26ac8cf8084b0.apk
Size

3.9MB
MD5

30c89c2cb856d9ec5ea26ac8cf8084b0
SHA1

b3511c4845849455079ffaa9ea8d38310990229c
SHA256

ffdf537102cad9f4b12795bde56c421e8d7a627e2939a56aff448ef04cdbe336
SHA512

a1b37c843e50fd7f1e4d3d69ab349159a26f490da9caaa00a69d87c4b80668a47e4593c218e88c7e3772e1392e7aafc5c5bcf684e0ed6930ac2f39db3413515f
SSDEEP

98304:HsNwtuKRIDpiP+JEPLrq+lrjoTQS9505ISGOO+q8PAooJCxgTF:MNyQi1LuQR1NRvAj8gB

Score

10^/10

alienbot banker infostealer stealth trojan

Malware Config

Extracted

Family

alienbot

http://qjqamv11oh6o.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	desire.because.driving
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	desire.because.driving
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	desire.because.driving

Removes its main activity from the application launcher 2 IoCs

stealth trojan

pid	Process
4987	desire.because.driving
4987	desire.because.driving

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/desire.because.driving/app_DynamicOptDex/PWXvdNDhc.json	4987	desire.because.driving

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	desire.because.driving

desire.because.driving
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
PID:4987

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/desire.because.driving/app_DynamicOptDex/PWXvdNDhc.json

Filesize
615KB

MD5
952f3334603bb10bebf9a23afdd3e5ff

SHA1
efad9bc7a2e73238319851eb417fc3351d888df3

SHA256
d0e8e8902f13d285432e9e5f9ecfaff4121a1e07469142b6f1cf3e1ab4db69ca

SHA512
af73b710e485b24f5f5582119669a3df78d3d7bb40e34e0399e86db861367ced63046c95368f98996e3c28e6d1b2517f4f3ce231c99a4a8be73215fc638a6df3

Download Submit
/data/data/desire.because.driving/app_DynamicOptDex/PWXvdNDhc.json

Filesize
615KB

MD5
586c1ea6331393405ba1753a8422f735

SHA1
57acea17257688ec5a9497f203a7a3b6728369e6

SHA256
dc8653fe7a49cb65bfbfaf67941a55681a9dd3668732ef7753b792bdf1fdf590

SHA512
dc4d1f532209e46823e72dfcaeeee0c47a933b8c840d7b04dc285ad4b29510bbda97602644e8be2213238db306e4f86f1d1e359bbb0dded2b533781be57421dc

Download Submit
/data/data/desire.because.driving/app_DynamicOptDex/oat/PWXvdNDhc.json.cur.prof

Filesize
1KB

MD5
bcb0d2ca191aaf9843d9d3b28f8e8d24

SHA1
49b0deafa49f3e0524b1ae5bf5a65df5a40c1904

SHA256
1ff72ddf715d0864ae3eca7cc9b1eadc3a19b54f99523331957abd44d688457e

SHA512
13047851d78545307888d61451eb6acf2bd9711534f932ec8d97072ca3694e930b8dcea83a4b9ebd83d819454f2bc3d6bc4de1c75a11c897b3c6da0fd9427acb

Download Submit
/data/user/0/desire.because.driving/app_DynamicOptDex/PWXvdNDhc.json

Filesize
767KB

MD5
195e40aa07616d080ea9eedb5881a54e

SHA1
5c07e0d2feed945bbbb59b25e4eba5d9745a5942

SHA256
7dadd1f073197b5c1cd9844b3f175dacf1cfba9c3cee4a6d7ba86a4a26a65f72

SHA512
270120dbf84adc0004decf6e4418aa6c284a70af7b53b97930ee4c1e2ef04114a75073e3106d1aa1e1fa96b9287a1671ce6b8e16aacd00617930ebc2fba1f0a7

Download Submit