Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android_x64
  • resource
    android-x64-20240221-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240221-en, locale:en-us, os:android-10-x64, system
  • submitted
    13-04-2024 16:24

General

  • Target: Player.apk
  • Size: 3.7MB
  • MD5: 934d0d9425168fb975604dae2b93f000
  • SHA1: 410d06356d4417111adc21595fd34e8fac47b13b
  • SHA256: b7869b123154eb461599a0b3f30fc18174787b0ed05a825d4371d54112de24b2
  • SHA512: 6bde86e6f731ab9cfbab91789817561d7ec48141811271a12bb33c0322025669c6ebde7a530a49e633719bcd4a438ed9efd67468d3a3865e2dd293e9318283ea
  • SSDEEP: 98304:uRW/t6GJtaDudtOBNkfmEnd/VgyMd+RDr/qrx5h:8WjnOB2f3ntMeDy

Malware Config

Extracted

  • Family: alienbot
  • C2: http://apkinstalll.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 TTPs 5 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs

Processes

  • leg.grunt.hub (PID:5027)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device.

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/leg.grunt.hub/app_DynamicOptDex/KDyQ.json
    Filesize: 720KB
    MD5: 86e0c9d94944285573a77e4b90d7057d
    SHA1: f6af962ede455f0b879b27b4bf97cf949d60305e
    SHA256: 5583e65591338e795f702b91163a18405cd1fecf8386b3084ab0c118d5747605
    SHA512: e25411c2509fb6134902cf1b10b8b918167af632743dea542f683f33cc62b1d3066f3eab9a4c9060879616209911ad7f9b1a8195c1acf7a7197e632c3bf4b6cb

  • /data/data/leg.grunt.hub/app_DynamicOptDex/KDyQ.json
    Filesize: 720KB
    MD5: 942d3a82b974137ffa673c062a85b156
    SHA1: a10f7192e11b596aa43db1979e9926035a395364
    SHA256: 8270325878efa484e783c040dbda2a8ec2daab3246033b5004183a54d7b25fff
    SHA512: 4248619f0f4a2ea660b5b545c3671785c2c56e78439c4c518083bd1f893247506d69b6140b56b6c899c21cac2bbbbbee38774ace9f40ebd32e73e3562f341f52

  • /data/data/leg.grunt.hub/app_DynamicOptDex/oat/KDyQ.json.cur.prof
    Filesize: 386B
    MD5: d887e3657a3d2327829c059fd2f97b68
    SHA1: 96f90a9e3231e0263ac13ecd65bbbb0a8952798b
    SHA256: adb254dfa33526f21a3839a6fc7f8a71ca2cb40340e71c667ade0b9adfb2074b
    SHA512: 4c2d95d97231acc818fd5b15ad55e4e53f2b51e1a4ed160058ad25605adb7a9fff31d660106a4f06901f1032134a423bde401d8ff63ce4721f7a656742735a04