alienbot | dfa0b638bcb149da421ccb28395c625e2b28cdb036e78e0937d10764a083f82b

Analysis

max time kernel
3782323s
max time network
151s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
07-01-2024 01:00

Target

479dcd56775e176083561ebbeeb40954.apk
Size

3.5MB
MD5

479dcd56775e176083561ebbeeb40954
SHA1

462a7c02a47a464d9a39f1c97a7a94072ad40e99
SHA256

dfa0b638bcb149da421ccb28395c625e2b28cdb036e78e0937d10764a083f82b
SHA512

0cc972ee88bd1f751318366c15734c95f044a8691a91e9237bd2e0cc273d3b7d13fecc9f11808b26dab3bdbb240da24ae1f20be3a814540c39471abc34d34fd2
SSDEEP

98304:n44rplYwrtY9L+NWKIQJK3hhjU3pigBmHZb0HUa4KQL/aHfTZEy:p9SwRuDKIQ+hjcBe3KkOf9l

Score

10^/10

Family

alienbot

http://lryuxoqak84d.xyz

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

perceived.coordinate.scheme

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	perceived.coordinate.scheme
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	perceived.coordinate.scheme
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	perceived.coordinate.scheme

Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

perceived.coordinate.scheme

pid process

4600 perceived.coordinate.scheme
4600 perceived.coordinate.scheme
4600 perceived.coordinate.scheme
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

perceived.coordinate.scheme

ioc pid process

/data/user/0/perceived.coordinate.scheme/app_DynamicOptDex/ZYdwxkqBHHB.json 4600 perceived.coordinate.scheme
Acquires the wake lock 1 IoCs

Processes:

perceived.coordinate.scheme

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock perceived.coordinate.scheme
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

perceived.coordinate.scheme

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS perceived.coordinate.scheme

pid	process
4600	perceived.coordinate.scheme
4600	perceived.coordinate.scheme
4600	perceived.coordinate.scheme

ioc	pid	process
/data/user/0/perceived.coordinate.scheme/app_DynamicOptDex/ZYdwxkqBHHB.json	4600	perceived.coordinate.scheme

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	perceived.coordinate.scheme

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	perceived.coordinate.scheme

/data/user/0/perceived.coordinate.scheme/app_DynamicOptDex/ZYdwxkqBHHB.json

Filesize
767KB

MD5
e5e9c498f1acffe0b07ad0400d9b665f

SHA1
8228d527d1e096c92a12514e739616657de7cb38

SHA256
7f690862c66fd40829660e816778c6a65e87551c5295c2627e08c80c46043b74

SHA512
5bd9aabc3f3c1331a451f4791069eb3aa1a9d0307cf77222803af36ff8a7509435798f6dbd33fc7eca0d1a75992f9a738a374df75c035e5786fdd1a5c6bb07d7

Download Submit
/data/user/0/perceived.coordinate.scheme/app_DynamicOptDex/oat/ZYdwxkqBHHB.json.cur.prof

Filesize
247B

MD5
b031846f3b8dd88dd8cc25e203d6facc

SHA1
a89df6752fb41a2488755bff8a78906abad393f4

SHA256
2396cec6176ac797b73d81a24d810f592d336b036c8afabbb42abc7cbff51954

SHA512
55c46b637a6ea66998e2ed6835c97b6879042f3e371e0a6e80f09744bf1d1295445645b3b9c94e1efb9b23ba66fe9f17f0111f83c3ca4020bb2fccfcb25a08ce

Download Submit