alienbot | 1122a8215822a30c43ad684be7a2c8e4e4733d12b7e5a3aea4b570dc807ce8f1

Analysis

max time kernel
146s
max time network
143s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
16-03-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf326fbe332f899b85f210dbee70dbca.apk
Size

3.4MB
MD5

cf326fbe332f899b85f210dbee70dbca
SHA1

835ff482e4c037e8f5aa66bcf6dc4ac83abea6a0
SHA256

1122a8215822a30c43ad684be7a2c8e4e4733d12b7e5a3aea4b570dc807ce8f1
SHA512

f7c9227cd1e9b92a960c027fe998aa191ee31e0898d27ffeeba05e6c4b20aaf3c87fbe3be5e915c37f041ec36d190c89e7a75125b75558caf499f130d4df6f79
SSDEEP

98304:c+RoZL1TRC1xLRffffTeipEXg/B0aLkjyn05Bv0azfkj:c+RoF1TRWlT2Xg/LYyn05Bsifw

Score

10^/10

alienbot cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://mysqlsystem.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/data/spot.mistake.apart/app_DynamicOptDex/Xk.json	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

spot.mistake.apart

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	spot.mistake.apart
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	spot.mistake.apart

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

Processes:

spot.mistake.apart

pid	process
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart
5052	spot.mistake.apart

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

spot.mistake.apart

ioc	pid	process
/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json	5052	spot.mistake.apart
/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json	5052	spot.mistake.apart

spot.mistake.apart
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
PID:5052

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/spot.mistake.apart/app_DynamicOptDex/Xk.json

Filesize
725KB

MD5
8a31b0ea54e8991589f79d8a52d5552e

SHA1
bca8c0129e19757094a04e1d2e32511f9395af96

SHA256
f43a4ddd98a94712f15b813dd2b48b1b1aaebfd201f51cfc918e9e81125c287c

SHA512
09ef9e9e10e897a924e7f9a5c8b4ffb8d2723408136e28b4026f704dd3f7f5a33d0ac3b17c5687b284fcd9fdded8bf42d49ad56c472c86ca6a16ddbd486a08d6

Download Submit
/data/data/spot.mistake.apart/app_DynamicOptDex/Xk.json

Filesize
725KB

MD5
7dbc3f9c9f85779869e8a4ea0c2a9780

SHA1
ffc759d8c5e0fe8b9e72f4224b4c07e7c70e8bd9

SHA256
4343c7feefd68663faabaeaf8d65220c2545f136bd86064f50e1e14ecdd4e9c2

SHA512
17e01545edd1edcb911b460c7c5dc330e0a9d8c48af2f9346cbfeb61b399c37f5bbe2f0a4bb6644f61f2446c2141471a3ecdec55cd14a3c20c301095559b018d

Download Submit
/data/data/spot.mistake.apart/app_DynamicOptDex/oat/Xk.json.cur.prof

Filesize
403B

MD5
b07dbf249dc74a6f10a22b7692f7534a

SHA1
cc5723f3fbaed0153354236c7bb9280abe0495de

SHA256
6bd1ee1710928db7ddf658da3ecf1c533747216479664da40fbf0178e6c16770

SHA512
0021e0e9a18cfe6b887706564be8ad0d6087ab9e2e24f9b033b20ae5cf0f485d04962cda430f8c6f533a14a071468f607a53a451f34781e3392521d72f64d3ae

Download Submit