Overview

overview

10

Static

static

6

331e239de1...06.apk

android-9-x86

10

331e239de1...06.apk

android-13-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    13-04-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806.apk

  • Size

    4.1MB

  • MD5

    144ecbe7fe5f52577163493160d3d9a8

  • SHA1

    4a7345612480c4d01f158cabc73d204f6d5bcc25

  • SHA256

    331e239de166370ab59ae9715b8883ed6bbb642e721bd99854532b96d5b97806

  • SHA512

    612db01f4724d05b1cf1fc771b6e96094ebe4aa3879f51151b94e5ea0b3d785f8e97df30a27a2bfc29364c57a385d92d79a11550cc15ddaf0c8b83274fa6d91b

  • SSDEEP

    98304:ZZL4xaxIGqxrZuK1LO6JLSJKr5n/W/A9hVqP2CXyQMbEaE1lNKCCfs:juai7xrwWTmw51g+CdM0vNlCs

Score
10/10
alienbotbankercollectiondiscoveryevasioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://wf4sctx9cksg94528o7o.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
    stealthtrojanevasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion

Processes

  • au.actress.spring
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4189

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    Filesize

    705KB

    MD5

    ab9ca8077281c6a12d0b4a4d60b24515

    SHA1

    08d15b078336e8f54d0d63a116182dea6ba425b3

    SHA256

    7e8596da57a57483072d27483c02e8dc4e13808e49cd742aa286aa04f6848002

    SHA512

    9b6a2b3b07ff62881f064b9b50aec8b679240ecbe41c4dcaf82e8e841b595036268aa1748da7883bf2b8b75a04394865b0062c06bc2b7b835ed7bf8eacfb3912

    Download Submit

  • /data/data/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    Filesize

    705KB

    MD5

    0056c5b0bab09737b6ade5706a217297

    SHA1

    f59c37b33940793f86b0876bbe1327099b676340

    SHA256

    ab75a7d1aecbfbacf76557fbd7836144cfd38fdf29c8e45e73ae458020a5aa09

    SHA512

    e0867fcb7a3217db18e699b16d656eda9316b4338c2d2cef5dc36bd0702c56aec8b2ea8222ee75072cc21c2249ae7805f6e08da25775e400111267e7592399c3

    Download Submit

  • /data/data/au.actress.spring/app_DynamicOptDex/oat/gLhLFq.json.cur.prof
    Filesize

    424B

    MD5

    b20127613a739b20232456ad88aacb6a

    SHA1

    52a7a8e10e7d4cec2f60dd326429d03f9562367e

    SHA256

    8d429e032391ea2eacb10dd0a9ed36a523fecfb01876ef0af4ef48c819261f08

    SHA512

    de3bad026d4bf816b3914b6207b01e40c4db952ed1a7ec702bfe405a0e5dac72c6377576360ef8a7cd620790731b6db5bf23c8bc56c6b5a48c7b60f755bf231a

    Download Submit

  • /data/user/0/au.actress.spring/app_DynamicOptDex/gLhLFq.json
    Filesize

    916KB

    MD5

    0492ff282c4448ff6204e0a25d662ada

    SHA1

    c7287913394537230a53e0177422427c03c080f2

    SHA256

    4c937a69cf24f1590c46cd2a2506ce4612f2a0cef7a9e8b070412085f0ee7e78

    SHA512

    23ebb4255f7d5396d3890db65e83b52628b6afe54e9bad2b81c3edea72978a5a1ab55b314b55a55770f211d0d96e1d4aebce63acb642f4c1c8d69b6c1c0dd9b7

    Download Submit