Overview

overview

10

Static

static

6

c58cb2d542...56.apk

android-9-x86

10

c58cb2d542...56.apk

android-10-x64

10

c58cb2d542...56.apk

android-11-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
  • submitted
    13-03-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c58cb2d542178830e7d1a52227116256.apk

  • Size

    3.4MB

  • MD5

    c58cb2d542178830e7d1a52227116256

  • SHA1

    741f00d6ea8150d2baa39f27ca74c867284f993b

  • SHA256

    59b0c482d02ef1211b936a329a99819f7c3c603808960b53eca558f293362c85

  • SHA512

    36461b81c8dbb3fd5e3ded0d948a58b0f61e96753d4525fa0ce7671bef62078aeb69a292ccbf65071394d7bbec3277a3cec257a892f253cc86558bcb1c6d5657

  • SSDEEP

    98304:4BoZZDIoNryzla4dBh1TL4bXmB4lAKW+PMTb721:4BoLIoYlHdBh1TLCXmB4l1Wr+1

Score
10/10
alienbotcerberusbankercollectionevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://34.141.27.218

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion

Processes

  • glove.resist.bring
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4403

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json
    Filesize

    708KB

    MD5

    bea250ccba37ddcf3b0017e8731ce3a9

    SHA1

    bfd2e049b89dfb856ee8e7425ad8aa82409fd144

    SHA256

    04af61af06f512f39157a4aa3a200d0cf83f5985639837fdf87abe18f4d38699

    SHA512

    85604f40c8b84b2123721648a849660e723d87fef26aa250e2d0ac35c433d912d48addc32e0aeed4c74e294780c43a84e5a19aaa7eceb30ab87a7261137d2848

    Download Submit

  • /data/user/0/glove.resist.bring/app_DynamicOptDex/XSAyu.json
    Filesize

    708KB

    MD5

    cc0be1e0e8d8e477fcc17b3b0888953e

    SHA1

    79f8d1fbbcb54c34f3642289e9f10eeee696efbe

    SHA256

    2a4e4e568eb7eba81075ed151763466d6505a4cb9ee9e447f373eb1a40bc1bc7

    SHA512

    2982a62c5949e72d4dabd143a1ed305f532811f4ff2cb78bf54a2e04c47c38164cb6183e92e8d01c2b7a416e5fb1b7749cd2be0be7dfa7c1b1a8bbe0756ab9ce

    Download Submit

  • /data/user/0/glove.resist.bring/app_DynamicOptDex/oat/XSAyu.json.cur.prof
    Filesize

    331B

    MD5

    7e63084134f25aa8d9e97bdc54bd6ad3

    SHA1

    7d9a3491d4bce26e259668c1ece36241e6016378

    SHA256

    bf0166435e177fa0e1baf441614e2e12eb13c8b09ed497c360cf8c032b6283eb

    SHA512

    ba1a643df1f985fafa806f34e3a666dc6b4c38e66f3ba062eac537db3f6e8e858bca358b4bdb09ab496e150f4fa9870d43068a2c6f42586c5e6a365d4540e3cc

    Download Submit