Overview

overview

10

Static

static

6

c58cb2d542...56.apk

android-9-x86

10

c58cb2d542...56.apk

android-10-x64

10

c58cb2d542...56.apk

android-11-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    13-03-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c58cb2d542178830e7d1a52227116256.apk

  • Size

    3.4MB

  • MD5

    c58cb2d542178830e7d1a52227116256

  • SHA1

    741f00d6ea8150d2baa39f27ca74c867284f993b

  • SHA256

    59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85

  • SHA512

    36461b81c8dbb3fd5e3ded0d948a58b0f61e96753d4525fa0ce7671bef62078aeb69a292ccbf65071394d7bbec3277a3cec257a892f253cc86558bcb1c6d5657

  • SSDEEP

    98304:4BoZZDIoNryzla4dBh1TL4bXmB4lAKW+PMTb721:4BoLIoYlHdBh1TLCXmB4l1Wr+1

Score
10/10
alienbotcerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.141.27.218

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests enabling of the accessibility settings. 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • glove.resist.bring
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4269
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/glove.resist.bring/app_DynamicOptDex/oat/x86/XSAyu.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4294

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/glove.resist.bring/app_DynamicOptDex/XSAyu.json
    Filesize

    708KB

    MD5

    bea250ccba37ddcf3b0017e8731ce3a9

    SHA1

    bfd2e049b89dfb856ee8e7425ad8aa82409fd144

    SHA256

    04af61af06f512f39157a4aa3a200d0cf83f5985639837fdf87abe18f4d38699

    SHA512

    85604f40c8b84b2123721648a849660e723d87fef26aa250e2d0ac35c433d912d48addc32e0aeed4c74e294780c43a84e5a19aaa7eceb30ab87a7261137d2848

    Download Submit

  • /data/data/glove.resist.bring/app_DynamicOptDex/XSAyu.json
    Filesize

    708KB

    MD5

    cc0be1e0e8d8e477fcc17b3b0888953e

    SHA1

    79f8d1fbbcb54c34f3642289e9f10eeee696efbe

    SHA256

    2a4e4e568eb7eba81075ed151763466d6505a4cb9ee9e447f373eb1a40bc1bc7

    SHA512

    2982a62c5949e72d4dabd143a1ed305f532811f4ff2cb78bf54a2e04c47c38164cb6183e92e8d01c2b7a416e5fb1b7749cd2be0be7dfa7c1b1a8bbe0756ab9ce

    Download Submit

  • /data/data/glove.resist.bring/app_DynamicOptDex/oat/XSAyu.json.cur.prof
    Filesize

    485B

    MD5

    47b68ab3b097174aa08bc259c62c8a69

    SHA1

    89a181690204818ffdfc01cb4e4dc14779d453df

    SHA256

    090bb13dc8e1ac3054ae9a584184bebeb98f6def1af465701f439fdac0ead090

    SHA512

    0710bd9a9cb2408598a5e09d6f2172683a9285ba61f95cda5a0bdec249c3a74d2bb9109f62a5ea24d56766e3a802f9f15ae9afc32630876b4a1d9740a9d7e3d8

    Download Submit

  • /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json
    Filesize

    708KB

    MD5

    c80ab914d8587d9c3acc31807e8359c7

    SHA1

    858e9e79cfe8cf4d05a2dad8e24d44c9980003d6

    SHA256

    fef7f83b50a0e96ed4f3260f54e8dabaac5790430a718e2ca035e297f6f2ccf0

    SHA512

    f635e4e1f1c39d03b8782fdfc5f9712d1e383837711528ccdf8193e42cd8ec841dec798b95cc7fb1497fcaadc8d983ec3023233e28d3ad825600e938a57079b9

    Download Submit