alienbot | 00c462f5b13e3bf21cc7b913719188644fac34cfb7a80893d551bbf512bb8570

Analysis

max time kernel
158s
max time network
134s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
25-01-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73f666b3dc5ee66e202b3e365a524d5d.apk
Size

3.9MB
MD5

73f666b3dc5ee66e202b3e365a524d5d
SHA1

3195a268d5fe4c181cf4178322afe629b03f1064
SHA256

00c462f5b13e3bf21cc7b913719188644fac34cfb7a80893d551bbf512bb8570
SHA512

5abd49342885a144ae0284cd258fd3ba2a8311b6c932e2fe5619dc89e3947f9c7478978d44c836c4348f17d73f51c9ce4516d2dc204e9b93d800720d1cb9217c
SSDEEP

98304:Xi2uReewCW9W0rXFHK5WHofObKH150wISG1qwlE9:S2SIvX+Gbc0mcqGo

Score

10^/10

alienbot banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

alienbot

http://a05qdzfe6qa1.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	there.discovery.excitement
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	there.discovery.excitement
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	there.discovery.excitement

Removes its main activity from the application launcher 3 IoCs

stealth trojan

pid	Process
4603	there.discovery.excitement
4603	there.discovery.excitement
4603	there.discovery.excitement

Loads dropped Dex/Jar 1 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/there.discovery.excitement/app_DynamicOptDex/dEVDuX.json	4603	there.discovery.excitement

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	there.discovery.excitement

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	there.discovery.excitement

there.discovery.excitement
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4603

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/there.discovery.excitement/app_DynamicOptDex/dEVDuX.json

Filesize
767KB

MD5
dee5e8662ab0b775dc93113ad5400cef

SHA1
b5968d985092053164d905a89dd776ecb4500c23

SHA256
72a5de7e03d5ce7b7c9b35cbeb96c31a6242c672badc7be7415def7ec71bca3d

SHA512
16821e0795397253c8f3495487b0d85d1938b4f5ec33079bcb49ac4a8c05e7a90b6ba80d7563dfa9d0df439c7741e2a530a72116ac90c7dee5e8d322287a635d

Download Submit
/data/user/0/there.discovery.excitement/app_DynamicOptDex/oat/dEVDuX.json.cur.prof

Filesize
248B

MD5
d86411eefbc9fa96cb7a9c2095397b67

SHA1
1feb5db15b0455a46253e9f30fa68508cccb6e8a

SHA256
8874410a725d385db8706f62224e5a2045b15a96a34c0008df7777bbae4d0871

SHA512
e96bf76ce4b11e093d25d67fb3c9f1201f0af22a06c62104fef3c75813048ac12ff35818c6520a5ea9f2a7c44d8170bae6543296df65ccfd6c5d7af0c3c3b063

Download Submit