alienbot | f160c63d67ebf9a3a0c4ceba97386c52ba36f6255708d9374d04b5cf8857d0f7

Analysis

max time kernel
152s
max time network
144s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
21-01-2024 09:44

Target

6cfcb56eb93a507447e3ddba3cf76b3b.apk
Size

3.0MB
MD5

6cfcb56eb93a507447e3ddba3cf76b3b
SHA1

86f4f6c1d1ec35c27e2d24b652ab94a4ccfa19c6
SHA256

f160c63d67ebf9a3a0c4ceba97386c52ba36f6255708d9374d04b5cf8857d0f7
SHA512

421da1eadce4571f4de76917a990da086977b8dd0c3e0616ac72f328fc921cd8f2ecadb85fa1db576ab6322a3f16993ace11d774fd6338ecead1ddec28aa7dda
SSDEEP

98304:mpl/KrDT94tYFOljKUA/XIK1jllhUlLnelEgM3PciY:q9wF4EJ1jlnUK78g

Score

10^/10

Family

alienbot

http://bua591qkf2xx.xyz

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

editor.damage.exclude

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	editor.damage.exclude
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	editor.damage.exclude
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	editor.damage.exclude

Removes its main activity from the application launcher 3 IoCs
stealth trojan

Processes:

editor.damage.exclude

pid process

4605 editor.damage.exclude
4605 editor.damage.exclude
4605 editor.damage.exclude
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

editor.damage.exclude

ioc pid process

/data/user/0/editor.damage.exclude/app_DynamicOptDex/ShoxRJesSQujMDYn.json 4605 editor.damage.exclude
Acquires the wake lock 1 IoCs

Processes:

editor.damage.exclude

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock editor.damage.exclude
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

editor.damage.exclude

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS editor.damage.exclude

ioc	pid	process
/data/user/0/editor.damage.exclude/app_DynamicOptDex/ShoxRJesSQujMDYn.json	4605	editor.damage.exclude

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	editor.damage.exclude

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	editor.damage.exclude

/data/user/0/editor.damage.exclude/app_DynamicOptDex/ShoxRJesSQujMDYn.json

Filesize
616KB

MD5
bb10ef559dfcc1ba3d83bc5b56dd9efc

SHA1
fb78a56d7ee2c8f6d98dcd637e26dbdd9c0ffce2

SHA256
1e9a6d58e9c22c6db1eaf35498c1bdb6f48a615e342641a9128c1e1fb6534337

SHA512
5ee172d153cbdbf57662b69e42b79554aac7a4665df54c0d063071bb78cd468e26866efb96a4f74321f05c1e66e512636d0a2b84645cabb7730060e263e5887d

Download Submit
/data/user/0/editor.damage.exclude/app_DynamicOptDex/ShoxRJesSQujMDYn.json

Filesize
767KB

MD5
68d31ddf193e687eec400ae80ac81812

SHA1
b853357963926ba7336096072943d61f05bac7b6

SHA256
9e8c3e3fe9ffc9627d6da70f1ad32a99987227e7b5c4cdcfd8b16b7e4180d431

SHA512
1f9d9ff832de618a2c617df92275be65e8b06fddffad8612c296085c703c8fe60a16c4b70965bd876fbdaae35c7d501e9b1dd2d5998aa8a40642cad270e84424

Download Submit
/data/user/0/editor.damage.exclude/app_DynamicOptDex/oat/ShoxRJesSQujMDYn.json.cur.prof

Filesize
263B

MD5
f70eb52d52d8b11b1857234901ada7bc

SHA1
3e2411adcb9a7fa352923bf68120c7b8582aae5d

SHA256
23c552613ec46cbf7101f3b8f929ec36d2cbba2c2c550cda1914f0db80d273ed

SHA512
489427263e0e6093720574c5d9f2c5fd62dd64146b9c60316738da42ac501661598a88a73eafb578f82d0a163d3a7815bae2d28636a368adc153858b41e475d0

Download Submit