Overview

overview

10

Static

static

6

d4862294c6...7b.apk

android-9-x86

10

d4862294c6...7b.apk

android-13-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    10-03-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4862294c6ff8f0143477daa672a185ab11bec2ea4dc519154ba40f18eee537b.apk

  • Size

    4.2MB

  • MD5

    323dca576f6f80d4686a114e5bbd4630

  • SHA1

    25db138426c117b696cc3557a0a83bc93daf1747

  • SHA256

    d4862294c6ff8f0143477daa672a185ab11bec2ea4dc519154ba40f18eee537b

  • SHA512

    4f4517100df7c81af27ae3bdc7b8865e682b0d74810effea80b1456c95f5abca79bae69c6483976ed1fb00184c12fdef973a275c0e7dafe653f2ca86cc2720f3

  • SSDEEP

    98304:VY5l5X9MwuU6udn2fc/q/K9tASvCxwSBrO5quGigyC7Lj5onhMv9TfgDv:K5n74u12MeDAqliY7LjWhMv9TgD

Score
10/10
alienbotbankercollectionevasioninfostealerstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://wf4sctx9cksg94528o7o.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • com.birthday.purple
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4287
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.birthday.purple/app_DynamicOptDex/lWykzdP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.birthday.purple/app_DynamicOptDex/oat/x86/lWykzdP.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4312

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.birthday.purple/app_DynamicOptDex/lWykzdP.json
    Filesize

    697KB

    MD5

    9ed1f2f3e6b49ce806f1e39d6ac758e1

    SHA1

    6ed13c6d1601e74402e1f93dfcb144d73b8d9117

    SHA256

    96be1d9fefd5157c1efac79b44ea29cd3ed23e32af692c70cff0edb6cb8a1172

    SHA512

    45ec7a09429ddb4dba92cdf5f9aa2dd778e1747e74b255fcd9dae7a4e263fc035aaeaaa758ee75b35dc8456eda01597efd8aa9b0609eee23cc4b632fbf300b20

    Download Submit

  • /data/data/com.birthday.purple/app_DynamicOptDex/lWykzdP.json
    Filesize

    697KB

    MD5

    d8eb871ba6eb7eb9741eaeb16443239e

    SHA1

    3d6b4bd50d381cfc380c0b0851dbd7ed90fb5ab0

    SHA256

    d031b64bf66332840a6c4da99d8c5dc4550e778e59d44fb4f6f78ac0c86f2548

    SHA512

    93992ed6432d07922c52a6e2a722812da09921fdb91bec086b3ae06303e4e7b6252d6eb292eeea6971e3fdf879a8d8356f8400bf900ef0e7b5c6a19d7bc91113

    Download Submit

  • /data/data/com.birthday.purple/app_DynamicOptDex/oat/lWykzdP.json.cur.prof
    Filesize

    1KB

    MD5

    e209e9fc47ab69f38f10d25658e196a2

    SHA1

    949335e4aa0d4a700e4cb3c0453fb3619d19e8bc

    SHA256

    aebd53236a2bb1606a8a0488c1d10a974575d7a657f63aa9671ca50a6dffa30a

    SHA512

    c22a2d10b4795db69ef6cf018e794cd0e5407d54e3d99ca21eba627f8160caececf119a24adcd6f71151b3a734fd4be67d51f49c91cf13bceee909528c8eaf6e

    Download Submit

  • /data/user/0/com.birthday.purple/app_DynamicOptDex/lWykzdP.json
    Filesize

    917KB

    MD5

    492144a167c760c4dabc81b0424ba312

    SHA1

    597dbe03aa0ea0988905098dce8829f89fd8c582

    SHA256

    7855344a559d880c12ecc92c40cc0d4d68f0ef39a0b162f3339299c0a1c94a6a

    SHA512

    c78725cb55efe22bd85c46147cc26749427513cdf20c37c6a26832fb0d7fe125afe3404f1833d5ead278372df54f22d3a97ef528b61f55cb42d77268552e5083

    Download Submit

  • /data/user/0/com.birthday.purple/app_DynamicOptDex/lWykzdP.json
    Filesize

    917KB

    MD5

    ff232e9e7bec582a91bf4d1a0fd6eb6f

    SHA1

    77e34f4ff036bb043443e36b541e655939720990

    SHA256

    f641805319fb83b7167e69df31c23922eed4fe7ce1b81211dbf692f744e2cb11

    SHA512

    ccc41280ed882fc03a8749882edf9a9e27007aa5f37f001f2bfbc1ea3f31327ee3977167766a0c9afc3d545e4138b1458039c02ae6ef6f96b69d9affa8429198

    Download Submit