alienbot | 6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e

Analysis

max time kernel
4030859s
max time network
150s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
09-01-2024 22:01

Target

6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e.apk
Size

3.3MB
MD5

c87881f61bc910d3ea2f3d4a5d1a5441
SHA1

443205431f54a41558d92d930e0c18787f2fe85f
SHA256

6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e
SHA512

bfa1df7da152b498503e30ee78d6ed557b752a629dc11402674580c895489b4ae87c18376c87fa73693dfb80e92cb7cc150a362d28edf4b4d3d36932619b8602
SSDEEP

98304:q4p3pFvQy78F2y/xLDoMu2wYIromgnWRC:q41F784y/hxuXBrgWRC

Score

10^/10

Family

alienbot

http://guiopl.ga

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

twice.wheat.ceiling

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	twice.wheat.ceiling
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	twice.wheat.ceiling

Removes its main activity from the application launcher 7 IoCs

Processes:

twice.wheat.ceiling

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

twice.wheat.ceiling

ioc	pid	process
/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json	4963	twice.wheat.ceiling
/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json	4963	twice.wheat.ceiling

/data/data/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json

Filesize
688KB

MD5
9f0aaa55342abf6283c6153130ac57b3

SHA1
3680269cfc230c72c7c89ba5aafb58b7d30a55fc

SHA256
06cf80e5e582fcc9c2cc062f7916712fd49fb972fbfaae8b8c81fd56e9de4d62

SHA512
61251b09c3f652c6d4bf48ec66be5a00e44f3a7c59594ab27cd0520eee75af5f2e3680602eac3c22a154d1740ad7a8a0a2366ed6fc9ba1a82c4dc05da78864a5

Download Submit
/data/data/twice.wheat.ceiling/app_DynamicOptDex/oat/WFnOKW.json.cur.prof

Filesize
392B

MD5
bbc2e713bf8903ae362228c0d4904534

SHA1
f6ebf3c6447d34c6adc15f4668e04912e06a026d

SHA256
d2d9ed63c88492d618ba330d45f64d5d05187ae896c763dcf3b064135c69db10

SHA512
6da4eea3f8bb2e9a98ebe165821bf0bd53ccb59eca9e53832c36613f9d875e14a1731218b9958e7f27e20299ec53eebd651a306b40a93f5d5e2c4201776d7e8a

Download Submit
/data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json

Filesize
688KB

MD5
058be3b4f353d6743b9a40b5a093755e

SHA1
72e26de59bb09d3704665bf61a144f823d5b5a6d

SHA256
426aecdeef82dac72b65d72472bbc90882ae3eb40808e19e93730c42d7b40c5f

SHA512
6e402bcc8391f59096a0e75707f0a847f8889b34b57b50fefdfcdcc97ba3a0388618cfe0c34505492e56aafbd43aab3367a7a21a8e56e3459208d1f9acdd4cca

Download Submit