Overview

overview

10

Static

static

6

46fdb068ce...72.apk

android-9-x86

10

46fdb068ce...72.apk

android-10-x64

10

46fdb068ce...72.apk

android-11-x64

10

Analysis

  • max time kernel
    3761780s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
  • submitted
    06-01-2024 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46fdb068ce8eda8fce387134a4fd4172.apk

  • Size

    3.3MB

  • MD5

    46fdb068ce8eda8fce387134a4fd4172

  • SHA1

    2f56a65676d377f552a86a4482ee1bf104d05b09

  • SHA256

    8e168f31f3bf0564d11b01e180d301f41e3582a89efc5ca15ed40a402c0ca3dd

  • SHA512

    e34acb562bbda4702da6f83bd6c4b79aea02a0b982d8a88aadf298db27bb524220b8b7be17cddffa78f662f93d95dac118b77fe831e669a158387cdcce72ec06

  • SSDEEP

    49152:Hsjwrl65NLyheuX0HK/tYhZRpfO9uDtIlhf7Ln0LmeDfb6iIZtiXvDyUhVEtRGML:K5N+hbf6d3to7eme2GxhVURGAyznop

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.89.151.222

rc4.plain

Extracted

Family

alienbot

C2

http://34.89.151.222

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 8 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • half.soap.civil
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json
    Filesize

    704KB

    MD5

    ed34f7a0b358db36436688a8482a9186

    SHA1

    650e5ac5783db6c4fe003d9e1e1af72735e44982

    SHA256

    7f40fee4c6842559da50b7e7cbb45e17737f0290525058e4c348792bf500aaaa

    SHA512

    8e124ebca6ac5cc498dd21297f2faf7038ab7693d6dda2fb0e8445d68d1011e0d39cae02d6951f90f42db35c846ea45a8f28c86177c979a300a95096a83e7236

    Download Submit

  • /data/user/0/half.soap.civil/app_DynamicOptDex/OCWRke.json
    Filesize

    704KB

    MD5

    e02f74e213e4248fa71e725cb89ef152

    SHA1

    7144708ce00d81fc10f6f1f3b3430ac61b351aa9

    SHA256

    4bb01aa0d64e90f69106ebfd760f57ee5864aed39f3d7f6bcfc9f013032424df

    SHA512

    dfd54f7fdba8945ff81a78a4c42e6f5d5691792809f9ff615708fcd398b8d42023f93825d3fde71a41c9f7207304cb183b02760e85a1294436f83b238c75f586

    Download Submit

  • /data/user/0/half.soap.civil/app_DynamicOptDex/oat/OCWRke.json.cur.prof
    Filesize

    373B

    MD5

    272078be086ad6b80f054613d533df8f

    SHA1

    cbae793d0b807331c33741de87b4db8d7257d0dc

    SHA256

    7eee84bf77e91cefa76b6941029056905efdd2693185481aecc430e812b38f77

    SHA512

    5e12d6c93ee719bee3290b0bc63f2c2e3a30903a7eb32811f01a3e0c7f5111ca70b71cec5fbe4f60963c22ee114f9aa57845e8648b31bd4b20b9a5c5935b869c

    Download Submit