alienbot | 96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213

Analysis

max time kernel
12s
max time network
37s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
23-11-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e.apk
Size

1.1MB
MD5

53138b3f0f98b6433d28b5aef525f7b3
SHA1

01e6cb93ee9ab6e67340d1f9e6ede5efc9c64f9e
SHA256

31b0c269aebb2c98f47d73b0224f29a39ee0eac0b0f4989e741acf1e0606124d
SHA512

2a010c4013891417e9d6f4e8a32d8f20b71f2d5aaf401ea071ad8099270dd0aee29402c6c78862bf1e4ce1c341fa9cc1785fbafd43aee6975e8c052142f74a82
SSDEEP

24576:9rp4PsCmh+Tsn3m+wK536DCIMjyBugmhUpk3Ka1oob9jU4R7QHoHO2Edq:N6y+wn3mEGij6g5v1LNR7WZ2N

Score

10^/10

alienbot cerberus banker evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

alienbot

http://84.32.214.45

rc4.plain

Extracted

Family

alienbot

http://84.32.214.45

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Alienbot family
alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral1/memory/4338-0.dex	family_cerberus

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json	4338	com.cable.sword

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cable.sword

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.cable.sword

com.cable.sword
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
PID:4338

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
238KB

MD5
242ff55710b86a773739a04e09fad3d9

SHA1
89036ad92697e41d41e457f892e7bf3bc0567fa3

SHA256
2c6b3ead0237ffa7fca6e26b88661e9bf2b3f672f7955ef9ec53f1d9f9bdfd46

SHA512
f9b2cb2cd7cf11ae6f01869570cb08241ebfcf33acd8581f8b3e5e4b5d84a08b50d8802581a4f11e09da6e68651cd8c492512fd7725cedf961c1a7951b3f4643

Download Submit
/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
238KB

MD5
77c71ae64968cf1f0089cfef960d0052

SHA1
bf192d2d6a9ae2c43f0b9d98bf7a167fbc9531cf

SHA256
9d1bd8a3f8147ffba0380fe5317b78555224abaa84c11279937bb6f8f3d80a10

SHA512
5a7f51cbb23af8cfc7c92e7430c644ea25faeee356a2ae391c0974a712e48059dc9c4eab2a80d9fbec93e5af09aaf447d79406edc38854d4b7fb0804652fc98f

Download Submit
/data/user/0/com.cable.sword/app_DynamicOptDex/Pn.json

Filesize
483KB

MD5
97ec800f656664eeb0cdda11478068b0

SHA1
02db30a789b44b816e8f356cda5b5602b9611da4

SHA256
1bdad53f20f3fe0e17204cac9c0478faf624ead18175d99276ebd333bfd7b0e8

SHA512
6a9a03071e4272e4ce5222f9b4827601eaddf154718c48f3d00323da7e55fbaf2a15f195732f1a19d48ea43260806150b71414b980d534ae7c7a914d8c30580d

Download Submit
/data/user/0/com.cable.sword/app_DynamicOptDex/oat/x86_64/Pn.vdex

Filesize
5KB

MD5
5732a145d06d8fdd7e434d9299d870f6

SHA1
a79979781273ceed644994abf7990de989b7ad09

SHA256
d2be299fc337d04c37acff398d7bdaff6cdfad36082fbc55aec0324a15c3adbf

SHA512
949303c0a01ebe16c6d4d991ee3a9bfe260ec9fbfd0e541b5bd0827f6cb9de8cc73b49bd6513edc75734eb43847d59e36bb7a8d5e686840eb37350d572629ae0

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads