alienbot | 8e168f31f3bf0564d11b01e180d301f41e3582a89efc5ca15ed40a402c0ca3dd

Analysis

max time kernel
3761807s
max time network
156s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
06-01-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fdb068ce8eda8fce387134a4fd4172.apk
Size

3.3MB
MD5

46fdb068ce8eda8fce387134a4fd4172
SHA1

2f56a65676d377f552a86a4482ee1bf104d05b09
SHA256

8e168f31f3bf0564d11b01e180d301f41e3582a89efc5ca15ed40a402c0ca3dd
SHA512

e34acb562bbda4702da6f83bd6c4b79aea02a0b982d8a88aadf298db27bb524220b8b7be17cddffa78f662f93d95dac118b77fe831e669a158387cdcce72ec06
SSDEEP

49152:Hsjwrl65NLyheuX0HK/tYhZRpfO9uDtIlhf7Ln0LmeDfb6iIZtiXvDyUhVEtRGML:K5N+hbf6d3to7eme2GxhVURGAyznop

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://34.89.151.222

rc4.plain

Extracted

Family

alienbot

http://34.89.151.222

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_cerberus
behavioral1/memory/4239-1.dex	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	half.soap.civil
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	half.soap.civil

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4239	half.soap.civil

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json	4239	half.soap.civil
/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json	4266	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/half.soap.civil/app_DynamicOptDex/oat/x86/OCWRke.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json	4239	half.soap.civil

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	half.soap.civil

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	half.soap.civil

half.soap.civil
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4239
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/half.soap.civil/app_DynamicOptDex/oat/x86/OCWRke.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4266

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/half.soap.civil/app_DynamicOptDex/OCWRke.json

Filesize
704KB

MD5
ed34f7a0b358db36436688a8482a9186

SHA1
650e5ac5783db6c4fe003d9e1e1af72735e44982

SHA256
7f40fee4c6842559da50b7e7cbb45e17737f0290525058e4c348792bf500aaaa

SHA512
8e124ebca6ac5cc498dd21297f2faf7038ab7693d6dda2fb0e8445d68d1011e0d39cae02d6951f90f42db35c846ea45a8f28c86177c979a300a95096a83e7236

Download Submit
/data/data/half.soap.civil/app_DynamicOptDex/OCWRke.json

Filesize
704KB

MD5
e02f74e213e4248fa71e725cb89ef152

SHA1
7144708ce00d81fc10f6f1f3b3430ac61b351aa9

SHA256
4bb01aa0d64e90f69106ebfd760f57ee5864aed39f3d7f6bcfc9f013032424df

SHA512
dfd54f7fdba8945ff81a78a4c42e6f5d5691792809f9ff615708fcd398b8d42023f93825d3fde71a41c9f7207304cb183b02760e85a1294436f83b238c75f586

Download Submit
/data/data/half.soap.civil/app_DynamicOptDex/oat/OCWRke.json.cur.prof

Filesize
508B

MD5
6655a96a530e956630a6b504f1f15511

SHA1
71a85c9f6cd69737d304ffb3c8d3cb2fa9e17a87

SHA256
72f915def7d797d09c7c5a16fc8539201e7ee86b3b10ac80f7b56b81554a36e6

SHA512
747ba0516633b9ddeb6365ac4380fbd8677906b97f05944cdb3db79a0f4ecf20280c8edc657d65de97299c1b03648649a23db945fe552ed27d544ac7c801ec7d

Download Submit
/data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json

Filesize
704KB

MD5
d8e2f1a8b552a25a90586cb66d8ee94b

SHA1
ccdd0ca1210baeb824c20a0b0a78e181b48efd11

SHA256
697e71584f53118f9f5d7f35e550687a50aa050e2e2927ad847068e0c7be6adc

SHA512
368996fb30961a0ecd536584478bf1f97f828b285fc426f9e5a7ed127c9ce17d57ca38e65f4f02c6fd681692f4398209940ee27b64c6f9259b4f889d7dba7c61

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads