alienbot | 947c8d44144d81f95a93fab15ebaae7fbfb63794f2a1a34eeedecb1007aa608e

Analysis

max time kernel
151s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
15-02-2024 22:02

Target

947c8d44144d81f95a93fab15ebaae7fbfb63794f2a1a34eeedecb1007aa608e.apk
Size

3.9MB
MD5

5accee10223e4527eab88fba93403a0e
SHA1

cddd2579a928cca9855f96fc0579d2b668792232
SHA256

947c8d44144d81f95a93fab15ebaae7fbfb63794f2a1a34eeedecb1007aa608e
SHA512

358bcd1c5f8a4e31670e6b01968d3ade123bc081cb3cd5d080551c84c26a8f6e29dab40acdf8b131499e341d1409d73bc90a08c4265bd1fde86c169943809e28
SSDEEP

98304:IbSNi7wdynQlJ0GEswbTK4oytTl/6HnDH:IbSNi7KGgJ0o071t4H7

Score

10^/10

Family

alienbot

http://panamaxb.digital/

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/fringe.gadget.wage/app_DynamicOptDex/UQDhhsU.json	family_cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

fringe.gadget.wage

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	fringe.gadget.wage
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	fringe.gadget.wage

Removes its main activity from the application launcher 5 IoCs
stealth trojan

Processes:

fringe.gadget.wage

pid process

4633 fringe.gadget.wage
4633 fringe.gadget.wage
4633 fringe.gadget.wage
4633 fringe.gadget.wage
4633 fringe.gadget.wage

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

fringe.gadget.wage

ioc	pid	process
/data/user/0/fringe.gadget.wage/app_DynamicOptDex/UQDhhsU.json	4633	fringe.gadget.wage
/data/user/0/fringe.gadget.wage/app_DynamicOptDex/UQDhhsU.json	4633	fringe.gadget.wage

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

fringe.gadget.wage

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS fringe.gadget.wage

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	fringe.gadget.wage

/data/user/0/fringe.gadget.wage/app_DynamicOptDex/UQDhhsU.json

Filesize
786KB

MD5
7a1dec2283f3fc2ae2837f56969baaad

SHA1
17d8469d664766a654b03a80ab500162ab775dd8

SHA256
ce081f7982ec6f4a0f7714e5424b8f39679b0033293d90e1c4597c542fb6bd80

SHA512
a8ebdf3fa4d9e83fc245c4f06484b52110f401eeeddb4a8513df4cb4643eace343953c2574652ab0481502326eb626890680d49b89b404a036899fd9c7e243b7

Download Submit
/data/user/0/fringe.gadget.wage/app_DynamicOptDex/UQDhhsU.json

Filesize
786KB

MD5
9dcb577c3701787eefd9f8030126d9d8

SHA1
dd58ad14d55b00c9d35c4ac9f24d2ef02c7c661b

SHA256
b2f7a4e2a4ef7f79c99fb3cfec5472d417ee200121ce4477e87260ecd75a4463

SHA512
513e467c5414287f903bcdf3c2a5bcb73d1dbdfe47953ac6f63b22641f8c61b9fb66256dd8bc5b22d7acb0c14f2b4cf6b5daa18660bfc04c1c376722ac9999e2

Download Submit
/data/user/0/fringe.gadget.wage/app_DynamicOptDex/oat/UQDhhsU.json.cur.prof

Filesize
340B

MD5
21683fd54d05464b3d9f7bc5ec63c817

SHA1
9a439c3966eaae8a0cbac0258f773dd8fff17d79

SHA256
dad9d0b6ddefe3f7a77e48625a9f9acb2824c32cb11e580c77720baae867a698

SHA512
441ddfe0e9596d36c46a114adbd4753b413ca7da09f1803bfebc27608c55cb6ba7b13295061c72a15d3a8a7c7541040e063ccf14cb9aed2c96a8939fb27e22ea

Download Submit