Overview

overview

10

Static

static

6

Player.apk

android-9-x86

10

Player.apk

android-10-x64

10

Player.apk

android-11-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
  • submitted
    13-04-2024 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Player.apk

  • Size

    3.7MB

  • MD5

    934d0d9425168fb975604dae2b93f000

  • SHA1

    410d06356d4417111adc21595fd34e8fac47b13b

  • SHA256

    b7869b123154eb461599a0b3f30fc18174787b0ed05a825d4371d54112de24b2

  • SHA512

    6bde86e6f731ab9cfbab91789817561d7ec48141811271a12bb33c0322025669c6ebde7a530a49e633719bcd4a438ed9efd67468d3a3865e2dd293e9318283ea

  • SSDEEP

    98304:uRW/t6GJtaDudtOBNkfmEnd/VgyMd+RDr/qrx5h:8WjnOB2f3ntMeDy

Score
10/10
alienbotcerberusbankercollectiondiscoveryevasioninfostealerratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://apkinstalll.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Removes its main activity from the application launcher 1 TTPs 3 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries account information for other applications stored on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion

Processes

  • leg.grunt.hub
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4419

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/leg.grunt.hub/app_DynamicOptDex/KDyQ.json
    Filesize

    720KB

    MD5

    86e0c9d94944285573a77e4b90d7057d

    SHA1

    f6af962ede455f0b879b27b4bf97cf949d60305e

    SHA256

    5583e65591338e795f702b91163a18405cd1fecf8386b3084ab0c118d5747605

    SHA512

    e25411c2509fb6134902cf1b10b8b918167af632743dea542f683f33cc62b1d3066f3eab9a4c9060879616209911ad7f9b1a8195c1acf7a7197e632c3bf4b6cb

    Download Submit

  • /data/user/0/leg.grunt.hub/app_DynamicOptDex/KDyQ.json
    Filesize

    720KB

    MD5

    942d3a82b974137ffa673c062a85b156

    SHA1

    a10f7192e11b596aa43db1979e9926035a395364

    SHA256

    8270325878efa484e783c040dbda2a8ec2daab3246033b5004183a54d7b25fff

    SHA512

    4248619f0f4a2ea660b5b545c3671785c2c56e78439c4c518083bd1f893247506d69b6140b56b6c899c21cac2bbbbbee38774ace9f40ebd32e73e3562f341f52

    Download Submit

  • /data/user/0/leg.grunt.hub/app_DynamicOptDex/oat/KDyQ.json.cur.prof
    Filesize

    330B

    MD5

    2a239590e9864337db0b0972c9208ed2

    SHA1

    31b508b931a8e8ed889c8afeb10d91ec425e5326

    SHA256

    1b7c16b0f57c934fa029be6d8b32454ff7bfe639c28b79716a2a1ed1c5278d0f

    SHA512

    d8ae6edb24c0d67f0dab0e6827d01c3d1de4c04fd3ac8013f6adc660c3a3193bda2b90ca898897f9040edd46a3539cb68c9f06cf8412e81a86911266251597b1

    Download Submit