alienbot | 59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85

Analysis

max time kernel
149s
max time network
159s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
13-03-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c58cb2d542178830e7d1a52227116256.apk
Size

3.4MB
MD5

c58cb2d542178830e7d1a52227116256
SHA1

741f00d6ea8150d2baa39f27ca74c867284f993b
SHA256

59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85
SHA512

36461b81c8dbb3fd5e3ded0d948a58b0f61e96753d4525fa0ce7671bef62078aeb69a292ccbf65071394d7bbec3277a3cec257a892f253cc86558bcb1c6d5657
SSDEEP

98304:4BoZZDIoNryzla4dBh1TL4bXmB4lAKW+PMTb721:4BoLIoYlHdBh1TLCXmB4l1Wr+1

Score

10^/10

alienbot cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://34.141.27.218

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

glove.resist.bring

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	glove.resist.bring
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	glove.resist.bring

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

Processes:

glove.resist.bring

pid	process
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring
5036	glove.resist.bring

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

glove.resist.bring

ioc	pid	process
/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json	5036	glove.resist.bring
/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json	5036	glove.resist.bring

glove.resist.bring
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
PID:5036

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/glove.resist.bring/app_DynamicOptDex/XSAyu.json

Filesize
3KB

MD5
e5d671ee84362b09222d013a220a6eeb

SHA1
d2980a2e12284bd169285ef1dc3e68162d0b948b

SHA256
f63c12f376baa191e4645d1dd0eb2db030958e64f9f81e56dac3c3ca081c1df5

SHA512
18009b49d43949f5d753c6d61806b277fd0eeeb53a9944d303179d728ecf3b09d8cb292d300b227aca38711999c5468855224d426053c12ee2f25ceeb3c2e281

Download Submit
/data/data/glove.resist.bring/app_DynamicOptDex/oat/XSAyu.json.cur.prof

Filesize
446B

MD5
ee544f9ae904faa10e434e996e65d2e0

SHA1
d096599125c199728ed4b2ca7f58f7fff0da4b4b

SHA256
f4ec5c2451f5f0c0c16194d01149170ea594bb768788a555b0643887578b6fe0

SHA512
fbbf24b1779b75a60c68ede589b89e55725607897251e3d9a380f3833e88e12cad51e6f5cc7845bd812dfca4d2c292cb31c3731fd78be3b34b61eaaf3e997e8d

Download Submit
/data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json

Filesize
708KB

MD5
cc0be1e0e8d8e477fcc17b3b0888953e

SHA1
79f8d1fbbcb54c34f3642289e9f10eeee696efbe

SHA256
2a4e4e568eb7eba81075ed151763466d6505a4cb9ee9e447f373eb1a40bc1bc7

SHA512
2982a62c5949e72d4dabd143a1ed305f532811f4ff2cb78bf54a2e04c47c38164cb6183e92e8d01c2b7a416e5fb1b7749cd2be0be7dfa7c1b1a8bbe0756ab9ce

Download Submit