Overview

overview

10

Static

static

6

6303d0ea43...0e.apk

android-9-x86

10

6303d0ea43...0e.apk

android-10-x64

10

6303d0ea43...0e.apk

android-11-x64

10

Analysis

  • max time kernel
    4030878s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
  • submitted
    09-01-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e.apk

  • Size

    3.3MB

  • MD5

    c87881f61bc910d3ea2f3d4a5d1a5441

  • SHA1

    443205431f54a41558d92d930e0c18787f2fe85f

  • SHA256

    6303d0ea4311fa394008b6c9025ea432f5f50008687d40662d806a9790602b0e

  • SHA512

    bfa1df7da152b498503e30ee78d6ed557b752a629dc11402674580c895489b4ae87c18376c87fa73693dfb80e92cb7cc150a362d28edf4b4d3d36932619b8602

  • SSDEEP

    98304:q4p3pFvQy78F2y/xLDoMu2wYIromgnWRC:q41F784y/hxuXBrgWRC

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://guiopl.ga

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 8 IoCs
    stealthtrojan
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • twice.wheat.ceiling
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4521

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json
    Filesize

    688KB

    MD5

    9f0aaa55342abf6283c6153130ac57b3

    SHA1

    3680269cfc230c72c7c89ba5aafb58b7d30a55fc

    SHA256

    06cf80e5e582fcc9c2cc062f7916712fd49fb972fbfaae8b8c81fd56e9de4d62

    SHA512

    61251b09c3f652c6d4bf48ec66be5a00e44f3a7c59594ab27cd0520eee75af5f2e3680602eac3c22a154d1740ad7a8a0a2366ed6fc9ba1a82c4dc05da78864a5

    Download Submit

  • /data/user/0/twice.wheat.ceiling/app_DynamicOptDex/WFnOKW.json
    Filesize

    688KB

    MD5

    058be3b4f353d6743b9a40b5a093755e

    SHA1

    72e26de59bb09d3704665bf61a144f823d5b5a6d

    SHA256

    426aecdeef82dac72b65d72472bbc90882ae3eb40808e19e93730c42d7b40c5f

    SHA512

    6e402bcc8391f59096a0e75707f0a847f8889b34b57b50fefdfcdcc97ba3a0388618cfe0c34505492e56aafbd43aab3367a7a21a8e56e3459208d1f9acdd4cca

    Download Submit

  • /data/user/0/twice.wheat.ceiling/app_DynamicOptDex/oat/WFnOKW.json.cur.prof
    Filesize

    341B

    MD5

    19cba9f624ff141fea505b30d486cf64

    SHA1

    de9bcfa7df4757abcf94de1ed57c47ade61677bc

    SHA256

    c221e16c90422237344fd7598055d7882b549b74985cf6b5102a6e81aa9fb7cd

    SHA512

    09aaa14a0014a943180bc93552a06c0adab6f54a36a15bb0554ed1a5f1bbaf2d67f9c42c50fb019b8716be081fdd001a781c0ad50d4987b24f1993e6f1073d1d

    Download Submit