Overview

overview

10

Static

static

6

3f44e53892...f7.apk

android-9-x86

10

3f44e53892...f7.apk

android-10-x64

10

3f44e53892...f7.apk

android-11-x64

10

Analysis

  • max time kernel
    3516572s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    03-01-2024 23:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f44e53892fe1ea4abb5eb537ca347f7.apk

  • Size

    3.1MB

  • MD5

    3f44e53892fe1ea4abb5eb537ca347f7

  • SHA1

    7514748d3f77056e71055134bb417ee519f460bd

  • SHA256

    463ca1a29f83ee11ed4d37bf6ce314dcad99c8fcfe4ae3e3f7fcc2574f3c70c7

  • SHA512

    cc9e3a6cb21d1105484cfbeb2dcb9c022720aa45ba7c1415a17d9c60f48c512d2ff69d315afbacf4ae029e3e6537f0143c6efda4f41cf852c7f8e3bf4a9a0d6c

  • SSDEEP

    49152:4DbPoWUOyc0t9TEw+YGFLcHiLJMnbA53gZ8fmrPQycdFIVVGolJNhkV3rzjQBYC+:oUTZt9JtMLaA3irgIDhm3rzkY511N

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.89.218.199

rc4.plain

Extracted

Family

alienbot

C2

http://34.89.218.199

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Checks Android system properties for emulator presence. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • shop.unlock.subway
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/shop.unlock.subway/app_DynamicOptDex/Bc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/shop.unlock.subway/app_DynamicOptDex/oat/x86/Bc.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4281

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/shop.unlock.subway/app_DynamicOptDex/Bc.json
    Filesize

    608KB

    MD5

    397579cf246506aa9b1963c7a7a2ed45

    SHA1

    24eaeb94d5af2c67144270534ef3866ca2a8fd9a

    SHA256

    3e37b8dc23f612f45644610a564870a5e8f4083dc42c6ba55b3ebd1e5690f24c

    SHA512

    75de40ffa81e0e6204cfa7e0c66fde9f0e8c2ec8dd9a9194d7e9fbec71a4697123a8b9fa5759054b11127193c78d090e62971fc210d70ed3133dae05a05acdf6

    Download Submit

  • /data/data/shop.unlock.subway/app_DynamicOptDex/Bc.json
    Filesize

    608KB

    MD5

    6e6c44930cf0757f1dbccfc883f6f942

    SHA1

    204c94c635e9423c009fc5b7ac8f3c6733ac85d8

    SHA256

    8cd67d0a0de284ec0be28cb2fa3f69a601735cbae0fb44c69d877a4a5634f871

    SHA512

    c96df88cb73221a6d01abcb6e3a89927d858bf79ec5eb3a10d3e4d9cf0106495c68cfadc0dbef46ff35ceb9e57d0e7f5b222dff7a68a87fa5b2a265c4eb03e5b

    Download Submit

  • /data/data/shop.unlock.subway/app_DynamicOptDex/oat/Bc.json.cur.prof
    Filesize

    523B

    MD5

    78ceb42ee67d63be00767f21f1ec7116

    SHA1

    90806a0d596721cd9bd127485edbf73c84c5f535

    SHA256

    fbc973a175dd4c27b195b2fe57fa77484ac239f56e73cf1c771b8ea7d090ef18

    SHA512

    09051b88d2d15507f38858d6f7ad862f90923cda7092d54f8bbd38c457e24ab19e1bbc59fd83485d001a37d2b96e0bc9e66b98df61eafa3b806d6a02bd198685

    Download Submit

  • /data/user/0/shop.unlock.subway/app_DynamicOptDex/Bc.json
    Filesize

    608KB

    MD5

    5a6313ff9f175f532747c62ff1253333

    SHA1

    6b095e6bff3627d10a7e6cd8428dd2dda7af63e8

    SHA256

    35ca35ef6dfc4d6c0195801564fa604cb8cd4bd70284cc1691e697e16523832e

    SHA512

    b50dbc70041cf2762db005615483ab0080d1853b03374cede0896c61e852a43794108c2388d940a2f27587eda30f1ef48804998a34386abf71c1bf1424c3449b

    Download Submit