Overview

overview

10

Static

static

6

8d244ac025...a2.apk

android-9-x86

10

8d244ac025...a2.apk

android-10-x64

10

8d244ac025...a2.apk

android-11-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    03-02-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d244ac025fb51c1348003dc9c3c3ea2.apk

  • Size

    3.3MB

  • MD5

    8d244ac025fb51c1348003dc9c3c3ea2

  • SHA1

    fab5bd3e1504011efe253dfc344852f6b5c644a1

  • SHA256

    ee5632e3c0717693c9ab993c2b0c5b6edb503383215895f99800d915d92d1b8e

  • SHA512

    83b782add0d8aeb33e18e29749c30665fe9139a8926e8c01c143f1299671633525c25a9c727b9e2f542b3763c031f7116669a5d937c60c40117a6309b0881caa

  • SSDEEP

    49152:771bqaWjVs+yld286HLJ9USJ1Wad4g7f/S6/LB+hYcx19CFMbDTt/u6DI6GHwZyM:WVsjl/UoSqaXqIF+kaDTQAyCjenE

Score
10/10
alienbotcerberusbankerevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

https://instagrambuyukprofil.com

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Checks Android system properties for emulator presence. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • umbrella.thought.elevator
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/umbrella.thought.elevator/app_DynamicOptDex/oat/x86/dUlxss.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json
    Filesize

    750KB

    MD5

    b09c79c73e85c95d5409091410312d62

    SHA1

    65844a73e7830d96ab9d8f82600b27ad2b7e97e2

    SHA256

    af0d4e3075b52f8f316710bed19fa065c0422e19cda2c2b0ab3da6c542c2b6db

    SHA512

    b9884524de07cb35bcc1413baa75a1224418cfdbde13100ee0206ed8289331231a43d0139bc58aaa5a74269b4d89b4fb8e33798b97259dc6dfc8251a5dc108f9

    Download Submit

  • /data/data/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json
    Filesize

    750KB

    MD5

    dfabaf12f2525cfc93875294f27aa02e

    SHA1

    5ad1e3c4e216ceaf232d7efe48100bd65e7ea0cc

    SHA256

    3f9c6c381b8eb307664813ccc4815ae24baa1bd41224c840f79acb65c95b9e49

    SHA512

    79fef0ae5defbdaaf8e12c41e789c8ed511bc1c11d060860d79fb0a3017b95cbd262d893b846d79b55efd38c8a4a7c8d1ed027ca1d4f8ab4701460a496cb920e

    Download Submit

  • /data/data/umbrella.thought.elevator/app_DynamicOptDex/oat/dUlxss.json.cur.prof
    Filesize

    515B

    MD5

    7e7fd9aff877f7177cee057091638ebe

    SHA1

    e20e6c25501989ff82d19931fe45f9d425abd1a6

    SHA256

    7baaa88130e2a2a30667637e94210b7f5b73ac8593a5103edda781c8f0896f6a

    SHA512

    1b600f2da1abf6a9b013f43e5d736e8f051a9790cbebec21dbef169a29bc8d42f03c9e48c41b283b4a4a58ad2ae745fd4d3b168bff8938b468fb099e50bbdc86

    Download Submit

  • /data/user/0/umbrella.thought.elevator/app_DynamicOptDex/dUlxss.json
    Filesize

    750KB

    MD5

    0c81be323d3ae9f444228a446c78758f

    SHA1

    171a8a59865926f24aefea0dede2e097a08875b0

    SHA256

    2885fe8f5f04ebeab0f3535685b62c2c81dd429b8f70d7e379387cff383cfcde

    SHA512

    1adb495606ce36533cbec958f62cf126a2c526e724376d81e22a009028f31610e2c07a3b70d83b3c3b3155ca98d5bef532ccbf1005732fd09ff02bad8e82b812

    Download Submit