alienbot | 98d85e9e46043780fc863a30d149505e377c82f2d668afae4fb4c647bf07a9af

Analysis

max time kernel
156s
max time network
140s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
26-02-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98D85E9E46043780FC863A30D149505E377C82F2D668AFAE4FB4C647BF07A9AF.apk
Size

456KB
MD5

b72c6108be79544049a01a1e35769f9d
SHA1

8e32645c945c37fe68d42dd439a65dc6efae8e5f
SHA256

98d85e9e46043780fc863a30d149505e377c82f2d668afae4fb4c647bf07a9af
SHA512

383761c5584a25626c8ab5ece2c723110f32cae412fedb4f8036cbd82e13c23ea08e1f56adfc21ef845c1f38083fffb21ff614fc5ed05b5c77ea657925556d59
SSDEEP

6144:g1ieJKhn6YB7IfTLrQKV8EHCtxS5uxWet9zXRVGVF6XT3XXT3e1/D3DhcM8nD1AP:g0ngfrdks8ddGVYjHjo8DO7n88DO7nq

Score

10^/10

alienbot cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://kremmilk.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

com.hcgetl.nysgtxkveqdzrpb

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hcgetl.nysgtxkveqdzrpb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hcgetl.nysgtxkveqdzrpb

Removes its main activity from the application launcher 8 IoCs

stealth trojan

Processes:

com.hcgetl.nysgtxkveqdzrpb

pid	process
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb
4434	com.hcgetl.nysgtxkveqdzrpb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.hcgetl.nysgtxkveqdzrpb

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.hcgetl.nysgtxkveqdzrpb

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hcgetl.nysgtxkveqdzrpb

com.hcgetl.nysgtxkveqdzrpb
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4434

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads