alienbot | b7869b123154eb461599a0b3f30fc18174787b0ed05a825d4371d54112de24b2

General

Target

Player.apk
Size

3.7MB
MD5

934d0d9425168fb975604dae2b93f000
SHA1

410d06356d4417111adc21595fd34e8fac47b13b
SHA256

b7869b123154eb461599a0b3f30fc18174787b0ed05a825d4371d54112de24b2
SHA512

6bde86e6f731ab9cfbab91789817561d7ec48141811271a12bb33c0322025669c6ebde7a530a49e633719bcd4a438ed9efd67468d3a3865e2dd293e9318283ea
SSDEEP

98304:uRW/t6GJtaDudtOBNkfmEnd/VgyMd+RDr/qrx5h:8WjnOB2f3ntMeDy

Score

10^/10

alienbot cerberus banker collection discovery evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://apkinstalll.xyz

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_cerberus

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	leg.grunt.hub
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	leg.grunt.hub

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4180	leg.grunt.hub

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	leg.grunt.hub

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	leg.grunt.hub

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/leg.grunt.hub/app_DynamicOptDex/KDyQ.json	4180	leg.grunt.hub
/data/user/0/leg.grunt.hub/app_DynamicOptDex/KDyQ.json	4180	leg.grunt.hub

Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	leg.grunt.hub

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	leg.grunt.hub

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	leg.grunt.hub

leg.grunt.hub
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device.
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4180

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Discovery

System Information Discovery

2

T1426

Lateral Movement

Collection

Screen Capture

1

T1513

Stored Application Data

1

T1409

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/leg.grunt.hub/app_DynamicOptDex/KDyQ.json

Filesize
720KB

MD5
86e0c9d94944285573a77e4b90d7057d

SHA1
f6af962ede455f0b879b27b4bf97cf949d60305e

SHA256
5583e65591338e795f702b91163a18405cd1fecf8386b3084ab0c118d5747605

SHA512
e25411c2509fb6134902cf1b10b8b918167af632743dea542f683f33cc62b1d3066f3eab9a4c9060879616209911ad7f9b1a8195c1acf7a7197e632c3bf4b6cb

Download Submit
/data/data/leg.grunt.hub/app_DynamicOptDex/KDyQ.json

Filesize
720KB

MD5
942d3a82b974137ffa673c062a85b156

SHA1
a10f7192e11b596aa43db1979e9926035a395364

SHA256
8270325878efa484e783c040dbda2a8ec2daab3246033b5004183a54d7b25fff

SHA512
4248619f0f4a2ea660b5b545c3671785c2c56e78439c4c518083bd1f893247506d69b6140b56b6c899c21cac2bbbbbee38774ace9f40ebd32e73e3562f341f52

Download Submit
/data/data/leg.grunt.hub/app_DynamicOptDex/oat/KDyQ.json.cur.prof

Filesize
517B

MD5
cdae0fb861385546ce5191a436d0f4d2

SHA1
6bf72362fb2e7963e4f309a574ff84ab05eafdcb

SHA256
0c13c61bee87152c4f789eecccceba8c0bac661208c9f05492f0afe089d82f67

SHA512
22fc1708646b5e7d42a8cee19ff847112ed22bb61051dde974ac35a3d5a97c23cf6e753a3981867a121a9ced841b63ba880e5da179697e2bd8007410ae0af080

Download Submit
/data/data/leg.grunt.hub/app_DynamicOptDex/oat/KDyQ.json.cur.prof

Filesize
598B

MD5
6a4753459c62bfd956aee814dc3650a6

SHA1
aa1efba71de44c798cedc14db115b784aec0bacb

SHA256
50152fcee36652b0223092ecca8bb81247af72060f6358e3febe23a6be5bc737

SHA512
04c48f8c19515105f985cb0da65fd2a8bc9f50ef5b1c496c38f85a9eecb2245c11df9ea4b5b4680f9942ff13a6651e920f4ada03d85a67a6a3768884ec6e620d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads