alienbot | 1122a8215822a30c43ad684be7a2c8e4e4733d12b7e5a3aea4b570dc807ce8f1

Analysis

max time kernel
155s
max time network
134s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
16-03-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf326fbe332f899b85f210dbee70dbca.apk
Size

3.4MB
MD5

cf326fbe332f899b85f210dbee70dbca
SHA1

835ff482e4c037e8f5aa66bcf6dc4ac83abea6a0
SHA256

1122a8215822a30c43ad684be7a2c8e4e4733d12b7e5a3aea4b570dc807ce8f1
SHA512

f7c9227cd1e9b92a960c027fe998aa191ee31e0898d27ffeeba05e6c4b20aaf3c87fbe3be5e915c37f041ec36d190c89e7a75125b75558caf499f130d4df6f79
SSDEEP

98304:c+RoZL1TRC1xLRffffTeipEXg/B0aLkjyn05Bv0azfkj:c+RoF1TRWlT2Xg/LYyn05Bsifw

Score

10^/10

alienbot cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://mysqlsystem.com

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-2.dat	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	spot.mistake.apart
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	spot.mistake.apart

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart
4456	spot.mistake.apart

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json	4456	spot.mistake.apart
/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json	4456	spot.mistake.apart

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	spot.mistake.apart

spot.mistake.apart
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4456

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json

Filesize
725KB

MD5
8a31b0ea54e8991589f79d8a52d5552e

SHA1
bca8c0129e19757094a04e1d2e32511f9395af96

SHA256
f43a4ddd98a94712f15b813dd2b48b1b1aaebfd201f51cfc918e9e81125c287c

SHA512
09ef9e9e10e897a924e7f9a5c8b4ffb8d2723408136e28b4026f704dd3f7f5a33d0ac3b17c5687b284fcd9fdded8bf42d49ad56c472c86ca6a16ddbd486a08d6

Download Submit
/data/user/0/spot.mistake.apart/app_DynamicOptDex/Xk.json

Filesize
725KB

MD5
7dbc3f9c9f85779869e8a4ea0c2a9780

SHA1
ffc759d8c5e0fe8b9e72f4224b4c07e7c70e8bd9

SHA256
4343c7feefd68663faabaeaf8d65220c2545f136bd86064f50e1e14ecdd4e9c2

SHA512
17e01545edd1edcb911b460c7c5dc330e0a9d8c48af2f9346cbfeb61b399c37f5bbe2f0a4bb6644f61f2446c2141471a3ecdec55cd14a3c20c301095559b018d

Download Submit
/data/user/0/spot.mistake.apart/app_DynamicOptDex/oat/Xk.json.cur.prof

Filesize
336B

MD5
63b645f03c28260eefd63f63bfc862a2

SHA1
cc801cc088aa33a0a74ddafdc1cbaff74b40ce8a

SHA256
71027a6a458e69e59838f651354de8b5263754846ec236a7bcc77e5e05234c19

SHA512
5e9a9c5beb7dd2276ad76f6717c51ade6d4c8cf7c89d1d35c8b80cc512eacd52079da337103840bc5198f8780140b0fec46ca15a862741ffeef5b36cdae3807a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads