
Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags
    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    9 November 2024, 22:05 UTC

General

  • Target

    504c737c440e9195a40512dcfae4978e4d8ca305b89b1aefbba418d772d16c78.apk

  • Size

    1.3MB

  • MD5

    7976601149e04fc939bfbc8e552c74cc

  • SHA1

    8f7865a16219a938ed36a328e30c86851a52f288

  • SHA256

    504c737c440e9195a40512dcfae4978e4d8ca305b89b1aefbba418d772d16c78

  • SHA512

    3c97d7318ff4789631d0e9a1cb391b41a8af956e93add979434597147c2017f688897e856043b378e85056596ebcb04e6a8930fcace37e8e3d6cb2fe7d043b69

  • SSDEEP

    24576:ZZPV1hz3QDP1YFw/RNj9amEFwfFcjw9bN7YYFB+8sGCOCjC3eFKAxi+NMXByzL5w:ZZPfh8xWwZ+wf0wv7b+iNXQKAE+NUBye

Malware Config

Extracted

Family

alienbot

C2

http://telsmlebaglanhayata.net

Signatures

  • Alienbot

    Alienbot is a fork of the Cerberus banker, first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker rented out to actors since 2019.

  • Cerberus family
  • Removes its main activity from the application launcher (1 TTP, 8 IoCs)
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Registers a broadcast receiver at runtime (usually to listen for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
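As an added example (not tria.ge code and not taken from the sample), the following Python script checks a decoded AndroidManifest.xml for the static counterparts of the signatures above: the accessibility-service declaration, the launcher component that gets hidden at runtime, a BOOT_COMPLETED receiver, and the permissions behind the account, phone-number, wake-lock and foreground-service findings. The manifest embedded here is constructed; only the package name comes from the report. Behaviour that exists only at runtime (disabling the launcher activity, registering receivers from code, acquiring the wake lock) does not show in the manifest and still needs the sandbox run.

```python
"""Static manifest triage for the indicators behind the sandbox signatures.

Added example, not tria.ge code. SAMPLE_MANIFEST is constructed; only the
package name (com.mhiauaqmlacl.ypmsfwbkjhsbeoz) is taken from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Qualified name of an android:* attribute as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, name)


# uses-permission entries that correspond to the dynamic signatures in the report
PERMISSION_HINTS = {
    "android.permission.GET_ACCOUNTS": "queries account information for other applications",
    "android.permission.READ_PHONE_STATE": "can query the phone number (MSISDN)",
    "android.permission.WAKE_LOCK": "can acquire the wake lock",
    "android.permission.FOREGROUND_SERVICE": "can run a foreground persistence service",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can re-arm scheduled tasks after reboot",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest; component names are placeholders, not the sample's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mhiauaqmlacl.ypmsfwbkjhsbeoz">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def has_intent(elem, action=None, category=None):
    """True if any <intent-filter> under elem declares the given action/category."""
    for f in elem.iter("intent-filter"):
        actions = {x.get(attr("name")) for x in f.iter("action")}
        cats = {x.get(attr("name")) for x in f.iter("category")}
        if (action is None or action in actions) and (category is None or category in cats):
            return True
    return False


def triage_manifest(xml_text):
    """Collect the manifest-visible indicators and a review flag."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    result = {"package": root.get("package"), "permissions": [],
              "accessibility_services": [], "launcher_components": [], "boot_receivers": []}
    for up in root.iter("uses-permission"):
        name = up.get(attr("name"))
        if name in PERMISSION_HINTS:
            result["permissions"].append(name)
    if app is not None:
        for svc in app.iter("service"):
            if has_intent(svc, action=ACCESSIBILITY_ACTION):
                result["accessibility_services"].append({
                    "name": svc.get(attr("name")),
                    # the system only binds a service that carries this permission
                    "bind_permission_ok": svc.get(attr("permission")) == BIND_ACCESSIBILITY,
                })
        for tag in ("activity", "activity-alias"):   # the launcher entry hidden at runtime
            for act in app.iter(tag):
                if has_intent(act, "android.intent.action.MAIN", "android.intent.category.LAUNCHER"):
                    result["launcher_components"].append(act.get(attr("name")))
        for rcv in app.iter("receiver"):
            if has_intent(rcv, action="android.intent.action.BOOT_COMPLETED"):
                result["boot_receivers"].append(rcv.get(attr("name")))
    result["indicator_count"] = (len(result["permissions"]) + len(result["accessibility_services"])
                                 + len(result["boot_receivers"]))
    # Accessibility service plus account/phone/foreground permissions is the banker profile
    # described above; flag for manual review rather than calling it malicious outright.
    result["review"] = bool(result["accessibility_services"]) and len(result["permissions"]) >= 3
    return result


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-22s %s" % (key, value))
```

To run it against a real sample, decode the APK first (for example with apktool) and pass the text of the decoded AndroidManifest.xml to triage_manifest().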

Processes

  • com.mhiauaqmlacl.ypmsfwbkjhsbeoz (PID 5070)
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Registers a broadcast receiver at runtime (usually to listen for system events)
    • Schedules tasks to execute at a specified time

Network

  • DNS android.apis.google.com (resolver 1.1.1.1:53)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 216.58.204.78
  • DNS ssl.google-analytics.com (resolver 1.1.1.1:53)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 216.58.204.72
  • DNS jsonplaceholder.typicode.com (resolver 1.1.1.1:53)
    Request: jsonplaceholder.typicode.com IN A
    Response: jsonplaceholder.typicode.com IN A 104.21.59.19; jsonplaceholder.typicode.com IN A 172.67.167.151
  • POST https://jsonplaceholder.typicode.com/posts (remote address 104.21.59.19:443)
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Sat, 09 Nov 2024 22:06:05 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1731189965&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=o8YyPOOc5cWqZpj01il4ZgqcRZDr1d2Y3vv2obRtt7k%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1731189965&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=o8YyPOOc5cWqZpj01il4ZgqcRZDr1d2Y3vv2obRtt7k%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 998
    X-Ratelimit-Reset: 1731189982
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e011ba2feeabef8-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28267&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3114&recv_bytes=874&delivery_rate=153714&cwnd=252&unsent_bytes=0&cid=a72756d70ee4d521&ts=473&x=0"

    jsonplaceholder.typicode.com is a public mock REST API: POST /posts accepts any body, stores nothing, and always answers 201 Created with a Location ending in /posts/101, so the response here is canned rather than attacker-controlled.

  • DNS telsmlebaglanhayata.net (resolver 1.1.1.1:53)
    Request: telsmlebaglanhayata.net IN A
    Response: no A record returned; the extracted C2 domain did not resolve during this run
  Remote address        Hostname                       Protocol     Sent    Received  Pkts out  Pkts in  Note
  172.217.16.234:443    -                              tls, https   1.2kB   40 B      1         1
  172.217.16.238:443    -                              tls, https   914 B   40 B      1         1
  172.217.16.238:443    -                              tls, https   914 B   40 B      1         1
  216.58.204.78:443     android.apis.google.com        tls          4.5kB   8.5kB     15        21
  142.250.178.10:443    -                              tls, https   2.3kB   40 B      1         1
  216.58.204.72:443     ssl.google-analytics.com       tls          1.3kB   6.2kB     8         8
  104.21.59.19:443      jsonplaceholder.typicode.com   tls, http    1.3kB   5.6kB     8         10       POST /posts, response 201
  172.217.16.226:443    -                              tls, https   128 B   40 B      2         1
  224.0.0.251:5353      -                              -            3.8kB   -         12        -        mDNS multicast, no received side
  1.1.1.1:53            android.apis.google.com        dns          69 B    109 B     1         1        A 216.58.204.78
  1.1.1.1:53            ssl.google-analytics.com       dns          70 B    86 B      1         1        A 216.58.204.72
  1.1.1.1:53            jsonplaceholder.typicode.com   dns          74 B    106 B     1         1        A 104.21.59.19, 172.67.167.151
  1.1.1.1:53            telsmlebaglanhayata.net        dns          69 B    142 B     1         1        no A record returned (extracted C2 domain)

  A received total of 40 B in a single packet is a bare IP+TCP header (an ACK or RST), so the TLS rows with 40 B received carried no application data. The C2 domain appears only in the DNS rows: it was looked up but never connected to.
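As an added example that is not part of the report, the following Python script re-reads the connection table against the extracted config. The rows are transcribed from the table above (the mDNS row has no received-side figures, and sizes are rounded as the report prints them); the Suricata rule's SID and classtype are assumed values. It separates the TLS probes that got only a 40-byte TCP header back from connections that carried data, labels the Google and mock-API traffic, confirms that the C2 domain was only queried and never connected to, and emits a DNS-query rule for it.

```python
"""Re-read the connection table against the extracted C2 domain.

Added example, not tria.ge code. Rows are transcribed from the report's
connection table; the Suricata SID and classtype below are assumptions.
"""

C2_DOMAIN = "telsmlebaglanhayata.net"  # from the extracted alienbot config

# remote | hostname | protocols | bytes sent | bytes received | packets out | packets in
# "-" marks a cell the report leaves empty (the mDNS row has no received side).
CONNECTIONS = """\
172.217.16.234:443|-|tls,https|1.2kB|40 B|1|1
172.217.16.238:443|-|tls,https|914 B|40 B|1|1
172.217.16.238:443|-|tls,https|914 B|40 B|1|1
216.58.204.78:443|android.apis.google.com|tls|4.5kB|8.5kB|15|21
142.250.178.10:443|-|tls,https|2.3kB|40 B|1|1
216.58.204.72:443|ssl.google-analytics.com|tls|1.3kB|6.2kB|8|8
104.21.59.19:443|jsonplaceholder.typicode.com|tls,http|1.3kB|5.6kB|8|10
172.217.16.226:443|-|tls,https|128 B|40 B|2|1
224.0.0.251:5353|-|-|3.8kB|-|12|-
1.1.1.1:53|android.apis.google.com|dns|69 B|109 B|1|1
1.1.1.1:53|ssl.google-analytics.com|dns|70 B|86 B|1|1
1.1.1.1:53|jsonplaceholder.typicode.com|dns|74 B|106 B|1|1
1.1.1.1:53|telsmlebaglanhayata.net|dns|69 B|142 B|1|1
"""

GOOGLE_SUFFIXES = (".google.com", ".google-analytics.com")
# Public fake REST API: POST /posts always returns 201 with a canned id of 101.
MOCK_APIS = {"jsonplaceholder.typicode.com"}


def parse_size(text):
    """'1.2kB' -> 1200, '40 B' -> 40, '-' -> 0 (sizes are rounded as printed)."""
    text = text.strip().replace(" ", "")
    if text in ("", "-"):
        return 0
    if text.endswith("kB"):
        return int(round(float(text[:-2]) * 1000))
    if text.endswith("B"):
        return int(text[:-1])
    raise ValueError("unrecognised size: %r" % text)


def parse_rows(table):
    rows = []
    for line in table.strip().splitlines():
        remote, host, proto, tx, rx, pout, pin = [c.strip() for c in line.split("|")]
        ip, port = remote.rsplit(":", 1)
        rows.append({
            "ip": ip, "port": int(port),
            "host": None if host == "-" else host,
            "proto": proto,
            "tx": parse_size(tx), "rx": parse_size(rx),
            "pkts_out": 0 if pout == "-" else int(pout),
            "pkts_in": 0 if pin == "-" else int(pin),
        })
    return rows


def classify(row, c2_domain):
    host = row["host"] or ""
    if row["port"] == 53:
        return "c2-dns-query" if host == c2_domain else "dns"
    if row["port"] == 5353:
        return "local-mdns"            # link-local multicast, never leaves the segment
    if host == c2_domain:
        return "c2-connection"
    # 40 B in a single inbound packet is a bare IP+TCP header (ACK/RST): the
    # peer returned no application data, so nothing was exchanged over TLS.
    if row["rx"] <= 40 and row["pkts_in"] <= 1:
        return "tls-no-app-data"
    if host.endswith(GOOGLE_SUFFIXES):
        return "google-infra"          # GMS / analytics chatter from the emulator image
    if host in MOCK_APIS:
        return "public-mock-api"
    return "unclassified"


def triage(table, c2_domain):
    buckets = {}
    for row in parse_rows(table):
        label = row["host"] or "%s:%d" % (row["ip"], row["port"])
        buckets.setdefault(classify(row, c2_domain), []).append(label)
    return {
        "buckets": buckets,
        # looked up but never connected to: the C2 did not resolve during the run
        "c2_dns_only": "c2-dns-query" in buckets and "c2-connection" not in buckets,
    }


def suricata_dns_rule(domain, sid, family="alienbot"):
    """DNS-query detection for the C2 domain (SID and classtype are assumed values)."""
    return ('alert dns any any -> any any (msg:"%s C2 DNS query %s"; dns.query; '
            'content:"%s"; nocase; classtype:trojan-activity; sid:%d; rev:1;)'
            % (family, domain, domain, sid))


if __name__ == "__main__":
    summary = triage(CONNECTIONS, C2_DOMAIN)
    for bucket, hosts in summary["buckets"].items():
        print("%-16s %s" % (bucket, ", ".join(hosts)))
    print("C2 DNS-only:", summary["c2_dns_only"])
    print(suricata_dns_rule(C2_DOMAIN, 1000001))
```

The DNS rule fires on the lookup rather than on a connection, which is the right trigger for this sample: the run shows the domain being queried while the C2 itself never answered, so an IP- or TLS-based rule would have nothing to match.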

MITRE ATT&CK Mobile v15
