alienbot | 617ec2c8e213b27bee59716033fe62074986872d31c30376dceb7e737e3533f6

Analysis

max time kernel
146s
max time network
138s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
20-03-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d780257e0bb666be027137b631af1c12.apk
Size

2.9MB
MD5

d780257e0bb666be027137b631af1c12
SHA1

44935c16e5e66978b8950f81f3a3b2273edc6daa
SHA256

617ec2c8e213b27bee59716033fe62074986872d31c30376dceb7e737e3533f6
SHA512

449b59b57f1543f72a9e7a4e04ed6e755ca5a8f0e4d87a74dda9a0149b22cce59286b16b7c8da325817adedf0e6fc7c65e8d219cb00e626ed5e4913d7b799324
SSDEEP

49152:tRCnMKa2mz3yutQroZRydxCUuHLZeNvuDTYqVL2EWFriBm0ELjTIRtw:tYnfdBoZQd7ACGvlVLuFWIpjTIRG

Score

10^/10

alienbot cerberus banker collection evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

http://

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

Processes:

resource	yara_rule
/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

celery.roast.lawn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	celery.roast.lawn
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	celery.roast.lawn

Removes its main activity from the application launcher 1 TTPs 3 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

celery.roast.lawn

pid process

5045 celery.roast.lawn
5045 celery.roast.lawn
5045 celery.roast.lawn

pid	process
5045	celery.roast.lawn
5045	celery.roast.lawn
5045	celery.roast.lawn

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

celery.roast.lawn

ioc	pid	process
/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json	5045	celery.roast.lawn
/data/user/0/celery.roast.lawn/app_DynamicOptDex/NoT.json	5045	celery.roast.lawn

celery.roast.lawn
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
PID:5045

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

Filesize
85KB

MD5
c7f1c000536e98968bf749f5c3518997

SHA1
82ffc85cda6a0a67176925ee372555d8cf99f16d

SHA256
99bc4bf2a9898392a4405a533af78b6386f2b0aa7ab0248e9872ac859d95bc5e

SHA512
854a7efa1f0f6a8473227f30a8e6850950cc875e39e3a1de2a9fcb9bb2b999836861806d83f22e5abeb57680599b0a97354b6441296ffaf2df6d26c45d773891

Download Submit
/data/data/celery.roast.lawn/app_DynamicOptDex/NoT.json

Filesize
653KB

MD5
142b5cd973e8a5b0d4201c58f9918c1e

SHA1
5c91a1f3ed47a4d725213e7cf81ee5438a9766a3

SHA256
cd7bf34bc3afc3e969f844ba7bd3a4b1ee259c6c748e9e3777efb4cd9996b91c

SHA512
7ea4ea6cd28b6c4805ae338f2bf7f35899a8ffabf1564a5612b615600bc41ed1a8c2866365c32f58d07fd2b9a2b2538610654bace271c666a2f4044a7c1c122a

Download Submit
/data/data/celery.roast.lawn/app_DynamicOptDex/oat/NoT.json.cur.prof

Filesize
431B

MD5
e86aef379ba5a16769e48da79aef5fd6

SHA1
e62e7a65d936c65c3611ff70ecb1bc33b664cf59

SHA256
78306ed2e17de7d3254432bf74ddc0064add155381e8b8c5f09b62244ec437db

SHA512
8202d8d587aa4e46397db3024e2cd5463e37ec25014f145b927c46749b3cf1576ff59d1f0bb536ef0e9e36cd340feb93b1c04af9c2221ff400e5d9101d68151a

Download Submit