alienbot | f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6

Analysis

max time kernel
141s
max time network
150s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
25-01-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757be08495745e8f90e97d33fa946aff.apk
Size

2.6MB
MD5

757be08495745e8f90e97d33fa946aff
SHA1

0a7af3d293c4bc9fa142e714f5be6f774aa0a112
SHA256

f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6
SHA512

a49c67ea1f2b92f0bd30c699567198033c5e0712474d77674cbed3127429dfe2b5a208b6b35141c91d3eb3360a970992929a28887d38ed90cfd06177af5694a2
SSDEEP

49152:dDFzDxnFGJvAMs5oC/kW2njHqN1EdJue2NV3zBDb32XIFtPWs3Sn:JFzDxnU+5HylepBfGXNj

Score

10^/10

alienbot cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://194.163.136.78

rc4.plain

Extracted

Family

alienbot

http://194.163.136.78

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

video.typical.scrap

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	video.typical.scrap
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	video.typical.scrap

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

video.typical.scrap

pid	process
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap
4628	video.typical.scrap

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

video.typical.scrap

ioc	pid	process
/data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json	4628	video.typical.scrap
/data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json	4628	video.typical.scrap

Acquires the wake lock 1 IoCs

Processes:

video.typical.scrap

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock video.typical.scrap
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

video.typical.scrap

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS video.typical.scrap

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	video.typical.scrap

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	video.typical.scrap

video.typical.scrap
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json

Filesize
695KB

MD5
99ca162c256d1f74e74580a3110a05c3

SHA1
5626499829471270feac4413bfb807eb3a71bbce

SHA256
f2f00291c5dc5c33697dbaa02239985ab8d060687445f67c158ff62786793e4b

SHA512
c8791671cd895556c72fb7eb47001326c115133486191c38c8d97295f30f70d498ccaabe3b4f7270234bad4c434842b77ca715a04173408d56ab9b562cf113eb

Download Submit
/data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json

Filesize
695KB

MD5
33f1dd56e54c4dcb29c2bcf0aa11bd86

SHA1
349040d578a550a758c8d6cae15f9a0e2d525f43

SHA256
d6ecf45bf1f6b71cc285cba4b477f891552ce3b1e2d75c3713e663164ae43729

SHA512
2a0a2e785a8c48eff88ec5b2106f8481c5ff10d13d15fb7bf381d8f1952cdc37c2c4e8af095ad018bdaf89da18f2d07e03073c5a4e1019626297431ad57fbbb4

Download Submit
/data/user/0/video.typical.scrap/app_DynamicOptDex/oat/jZ.json.cur.prof

Filesize
365B

MD5
67180d811aad0c6865307b2d58ebbd71

SHA1
2daf2e5e2d5f12d3c426cd39a80f8f5dedb5a036

SHA256
167ad8c9c1d3b1e6317bb430ab6c3f6de6a54a0260bb6063db219613204f4a7a

SHA512
84a03cad673482439e2723583911787c7107deb8a899d08cb165523dd923709424e9dce054442445f9ba29388bb805f826c8d33e472e849cf34503642238dcb9

Download Submit