Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    11 January 2025, 22:06 UTC

General

  • Target

    e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb.apk

  • Size

    3.8MB

  • MD5

    009ac5e6a0d9602891a91aeeb06c8899

  • SHA1

    ce6a61717ea1e34657636988b60ba0ada9ac6177

  • SHA256

    e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb

  • SHA512

    b2f7e5aaa106e9622837dff5d71a2f9ecbc937fb93fb7446e055f6b3e1db171199b370c943ab4c2943ffe8fa6625252d357e44316425b687792d6126ade51487

  • SSDEEP

    98304:IHEOmnCK0I5f52y0Jlscy/T/m9MrmlM4WQ9a:CEOmCmRcbZ2alMX

Malware Config

Extracted

Family

alienbot

C2

http://kvq9t8pe7ssjps8p4iqj.xyz

Signatures

  • Alienbot

    Alienbot (also tracked as Alien) is an Android banking trojan forked from the Cerberus banker and first seen in January 2020.

  • Alienbot family
  • Removes its main activity from the application launcher (1 TTP, 7 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable (DEX/JAR) file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.

  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)
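The signatures above are behavioural, so they only fire once the sample has run. The script below is an added example (not code from the page or from the sandbox vendor) showing the static counterpart: it opens an APK, scans AndroidManifest.xml and every classes*.dex for the string footprints of the same techniques (launcher icon hiding, DexClassLoader, accessibility binding, foreground service, battery-optimisation opt-out, account access, wake lock), and turns the hits into a triage verdict. The APK it scans is constructed in memory (UTF-16LE text standing in for binary XML, plain text standing in for bytecode; the package name is the one from this report) so the example runs offline; the indicator strings are real Android API and permission names, while the grouping and the verdict thresholds are the author's choice.

```python
import io
import re
import zipfile

# Static footprints of the behaviours the sandbox reported.  Class descriptors
# and method names survive in classes*.dex as plain MUTF-8 strings even when
# the calling code is obfuscated; permission names survive in the binary
# AndroidManifest.xml string pool, which may be UTF-8 or UTF-16LE encoded.
INDICATORS = {
    "hides launcher activity": [
        b"setComponentEnabledSetting", b"COMPONENT_ENABLED_STATE_DISABLED"],
    "loads dropped dex/jar": [
        b"dalvik/system/DexClassLoader", b"dalvik/system/InMemoryDexClassLoader",
        b"dalvik/system/PathClassLoader"],
    "accessibility service": [
        b"BIND_ACCESSIBILITY_SERVICE", b"accessibilityservice/AccessibilityService",
        b"performGlobalAction"],
    "foreground persistence": [b"startForeground", b"FOREGROUND_SERVICE"],
    "battery optimisation opt-out": [
        b"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", b"isIgnoringBatteryOptimizations"],
    "account enumeration": [b"GET_ACCOUNTS", b"accounts/AccountManager"],
    "wake lock": [b"WAKE_LOCK", b"newWakeLock"],
}

SCANNED = re.compile(r"AndroidManifest\.xml|classes\d*\.dex")


def _contains(data: bytes, needle: bytes) -> bool:
    # Match the ASCII form (dex string pool, UTF-8 manifest pool) and the
    # UTF-16LE form (the other manifest string-pool encoding).
    return needle in data or needle.decode("ascii").encode("utf-16-le") in data


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {indicator: [archive entries where it was found]}."""
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            if not SCANNED.fullmatch(entry):
                continue
            data = zf.read(entry)
            for name, needles in INDICATORS.items():
                if any(_contains(data, n) for n in needles):
                    hits[name].append(entry)
    return hits


def summarize(hits: dict) -> dict:
    """Any single indicator is common in benign apps; the trio of
    accessibility + icon hiding + dynamic code is the banker pattern this
    report shows and is worth detonating (thresholds are an assumption)."""
    found = [name for name, where in hits.items() if where]
    core = {"accessibility service", "hides launcher activity", "loads dropped dex/jar"}
    if core.issubset(found):
        verdict = "banker-like: detonate in sandbox"
    elif found:
        verdict = "some indicators: review manually"
    else:
        verdict = "no static indicators"
    return {"found": found, "verdict": verdict}


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK so the example runs offline."""
    manifest = (
        '<manifest package="co.scratch.broadcast">'
        '<uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>'
        '<service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
        '</manifest>'
    ).encode("utf-16-le")
    classes = b"Ldalvik/system/DexClassLoader; setComponentEnabledSetting COMPONENT_ENABLED_STATE_DISABLED"
    classes2 = b"Landroid/app/Service; startForeground"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", classes)
        zf.writestr("classes2.dex", classes2)
        zf.writestr("res/raw/notes.txt", b"unrelated resource, not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    report = summarize(scan_apk(build_sample_apk()))
    print(report["verdict"], sorted(report["found"]))
```

Run it against a real sample with `scan_apk(open("sample.apk", "rb").read())`. Expect false positives on the individual indicators: screen readers bind the accessibility service, music players call startForeground, and many SDKs load code dynamically, which is why the verdict keys on the combination rather than on any one hit.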

Processes

  • co.scratch.broadcast (PID 4223)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information

Network

  • DNS  android.apis.google.com  (resolver 1.1.1.1:53)
    Request:  android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.179.238
  • DNS  jsonplaceholder.typicode.com  (resolver 1.1.1.1:53)
    Request:  jsonplaceholder.typicode.com IN A
    Response: jsonplaceholder.typicode.com IN A 104.21.32.1, 104.21.64.1, 104.21.16.1, 104.21.96.1, 104.21.48.1, 104.21.80.1, 104.21.112.1
  • HTTP  POST https://jsonplaceholder.typicode.com/posts  (remote 104.21.32.1:443)
    Request
    POST /posts HTTP/1.1
    Content-Length: 15
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: jsonplaceholder.typicode.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 201 Created
    Date: Sat, 11 Jan 2025 22:06:39 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: keep-alive
    Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1736633199&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=kF5iJqyuA3mRB688MngWN8ZYh%2BZd7uxInK%2FTeED1FMQ%3D"}]}
    Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1736633199&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=kF5iJqyuA3mRB688MngWN8ZYh%2BZd7uxInK%2FTeED1FMQ%3D
    Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]}
    X-Powered-By: Express
    X-Ratelimit-Limit: 1000
    X-Ratelimit-Remaining: 998
    X-Ratelimit-Reset: 1736633209
    Vary: Origin, X-HTTP-Method-Override, Accept-Encoding
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Access-Control-Expose-Headers: Location
    Location: https://jsonplaceholder.typicode.com/posts/101
    X-Content-Type-Options: nosniff
    Etag: W/"28-qTfHrE6INSRTzBnUDwZIeKeN1Wk"
    Via: 1.1 vegur
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 9008371a0ffdef44-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=31104&min_rtt=30979&rtt_var=6766&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3298&recv_bytes=586&delivery_rate=129717&cwnd=253&unsent_bytes=0&cid=d84f1b6f4f87ca22&ts=209&x=0"

    Note: jsonplaceholder.typicode.com is a public mock REST API that answers every POST /posts with a canned 201 and a Location of .../posts/101 whatever the input. A 15-byte form POST to it is consistent with a connectivity check, not with exfiltration; the extracted C2 is the .xyz domain below, and this host should not be listed as C2.
  • DNS  kvq9t8pe7ssjps8p4iqj.xyz  (resolver 1.1.1.1:53)
    Request:  kvq9t8pe7ssjps8p4iqj.xyz IN A
    Response: no A record returned; the extracted C2 domain did not resolve during the run, so no C2 traffic was captured
  • DNS  android.apis.google.com  (resolver 1.1.1.1:53)
    Request:  android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.178.14
  • 216.58.201.110:443
    tls, https
    915 B
    40 B
    1
    1
  • 216.58.201.110:443
    tls, https
    915 B
    40 B
    1
    1
  • 142.250.179.238:443
    android.apis.google.com
    tls
    1.1kB
    4.5kB
    9
    7
  • 172.217.169.42:443
    tls, https
    8.6kB
    40 B
    4
    1
  • 104.21.32.1:443
    https://jsonplaceholder.typicode.com/posts
    tls, http
    1.1kB
    5.3kB
    9
    9

    HTTP Request

    POST https://jsonplaceholder.typicode.com/posts

    HTTP Response

    201
  • 142.250.178.14:443
    android.apis.google.com
    tls
    2.9kB
    6.7kB
    12
    15
  • 216.58.204.68:80
    312 B
    6
  • 216.58.204.68:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.200.35:80
    clientservices.googleapis.com
    260 B
    5
  • 216.58.201.98:443
    tls
    135 B
    40 B
    2
    1
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.179.238

  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    jsonplaceholder.typicode.com
    dns
    74 B
    186 B
    1
    1

    DNS Request

    jsonplaceholder.typicode.com

    DNS Response

    104.21.32.1
    104.21.64.1
    104.21.16.1
    104.21.96.1
    104.21.48.1
    104.21.80.1
    104.21.112.1

  • 1.1.1.1:53
    kvq9t8pe7ssjps8p4iqj.xyz
    dns
    70 B
    135 B
    1
    1

    DNS Request

    kvq9t8pe7ssjps8p4iqj.xyz

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14
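Everything in the capture except one lookup is Google infrastructure or a public test API; the one exception is the extracted C2, a 20-character machine-generated label under .xyz that never resolved. The script below is an added example (not code from the page or from the sandbox vendor) of how a SOC would pick that name out of a resolver log without a prior IoC: it scores the registrable label on length, entropy, digit ratio, vowel ratio and consonant runs, cross-checks against the C2 host extracted from the config, and marks flagged names that returned no answer. The log lines are constructed for the example (the query names are the ones observed above; timestamps, client address and framing are made up), the feature thresholds are the author's assumptions, and `registrable_label` takes the second-level label, which is correct for .com and .xyz but needs a public-suffix list for names under suffixes like co.uk.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed resolver log: "timestamp client qname qtype answer"; "-" marks a
# query that returned no A record.  Names are from the sandbox run, the rest
# is made up for the example.
SAMPLE_LOG = """\
2025-01-11T22:06:31Z 10.0.2.15 android.apis.google.com A 142.250.179.238
2025-01-11T22:06:33Z 10.0.2.15 jsonplaceholder.typicode.com A 104.21.32.1
2025-01-11T22:06:40Z 10.0.2.15 kvq9t8pe7ssjps8p4iqj.xyz A -
2025-01-11T22:06:41Z 10.0.2.15 clientservices.googleapis.com A 142.250.200.35
"""

VOWELS = set("aeiou")
# Digits count as "consonant-class" here: a DGA mixes them into letter runs.
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z0-9]+")


def c2_host(url: str) -> str:
    """Hostname from an extracted C2 URL, lower-cased, without scheme or port."""
    return urlsplit(url).hostname.lower()


def registrable_label(qname: str) -> str:
    """Second-level label (assumption: no multi-part public suffix)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label: str) -> dict:
    n = len(label)
    return {
        "len": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "max_consonant_run": max((len(m) for m in CONSONANT_RUN.findall(label)), default=0),
    }


def dga_score(f: dict) -> int:
    """0..5: each test alone is weak, the number that agree is the signal.
    Thresholds are assumptions tuned to separate the names in this report."""
    return sum([
        f["len"] >= 16,
        f["entropy"] >= 3.4,
        f["digit_ratio"] >= 0.2,
        f["vowel_ratio"] <= 0.2,
        f["max_consonant_run"] >= 5,
    ])


def analyse_log(text: str, known_c2=()) -> list:
    """One record per log line with the score and the reasons it was flagged."""
    known = {h.lower() for h in known_c2}
    out = []
    for line in text.splitlines():
        _ts, _client, qname, _qtype, answer = line.split()
        score = dga_score(label_features(registrable_label(qname)))
        reasons = []
        if qname.lower() in known:
            reasons.append("matches extracted C2")
        if score >= 3:
            reasons.append(f"random-looking label (score {score})")
        if reasons and answer == "-":
            reasons.append("unresolved (dead, sinkholed or not yet registered C2)")
        out.append({"qname": qname, "score": score, "flag": bool(reasons), "reasons": reasons})
    return out


if __name__ == "__main__":
    c2 = c2_host("http://kvq9t8pe7ssjps8p4iqj.xyz")
    for r in analyse_log(SAMPLE_LOG, known_c2=[c2]):
        if r["flag"]:
            print(r["qname"], "; ".join(r["reasons"]))
```

The scoring is deliberately a count of weak heuristics rather than a single entropy threshold: `googleapis` has respectable entropy on its own, and CDN hostnames with hashes in their subdomain would trip a digit test applied to the full name, which is why only the registrable label is scored. Treat a hit as a lead for pivoting (passive DNS, registration date, who else queried it), not as a verdict.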

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json

    Filesize

    696KB

    MD5

    a5b5805605352067c5660bf6a3789c96

    SHA1

    e3bc838117bdacb7a91aa5dc87d8ab3c3a0ea77a

    SHA256

    e59ac878d28ae377a4ab107d1aa41825e145914c319dcf089705dfb9f70906f8

    SHA512

    9638ea3d58da3e8b435f129f4b380ae61e88a8d100b3afbf0747ebb2d4dfa97594cbdbca9e84a4dcd1adccd4aaff25bac8d8040780411914c8df33939a6e57e2

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json

    Filesize

    696KB

    MD5

    339acb29cc5daea7cb4386860c5fe2ef

    SHA1

    2222030cefea62954e726b0e4b58d0c69d681f10

    SHA256

    99980467aa255b75ab06327e595133e252225995b4c13d65c6e29c18ae3b25ad

    SHA512

    8fba0f44a751917543c70ecfc2ec27c7a4c71700c5aa335e252db044314df32338534ac7eb8d62a44f19563acd51e0cde4de6505820d6ec669dc056d9d132501

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/oat/EACKTUZbZhAIueq.json.cur.prof

    Filesize

    466B

    MD5

    30aedfa5cb95bbe5ec7dc0b4acc07aac

    SHA1

    274a92fc241363552550c613c58e86e1961faa46

    SHA256

    4f82493d66774569c79ef671d85b06d854d5ce51841b66ca3a5736e29f2dc5c2

    SHA512

    5ec46ca68267207c9f44dd7574ac20f2b4b4cedfe69a3fd68f58e89891c33801a9ed2b366b4ed516074e1795d408b31a0d63ab4a460384e8c25e191c2c73b658

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json

    Filesize

    902KB

    MD5

    84ab3497e54dcf2a678229a376297e91

    SHA1

    d7c1be14c186b0ea60689e61b9eb003c8bf5010c

    SHA256

    ca37cef436bd5e63c5f988294550fba7f5b26f56e730a484d9042860176fd6f5

    SHA512

    6fda7ffbe798f0fb8a05ac1eca3acb7937e3884cbf954d6d16174d0e64ae98431999d2ba04a1942dc87095f68c3a15ccb7296b78434fadc4994bdf5e4423ff2e
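Three things are worth noticing in the dropped-file list before trusting the names: /data/data/co.scratch.broadcast and /data/user/0/co.scratch.broadcast are the same directory on a single-user device, so the three different hashes for EACKTUZbZhAIueq.json mean the file was rewritten during the run; the .json extension is cosmetic, since the directory name app_DynamicOptDex and the "Loads dropped Dex/Jar" signature say it is code; and the oat/EACKTUZbZhAIueq.json.cur.prof entry is an ART runtime profile, which the runtime only creates for code it has actually loaded. The script below is an added example (not code from the page or from the sandbox vendor) of the check an analyst runs on such a drop: it parses the DEX header, recomputes the Adler-32 checksum and SHA-1 signature the format carries, verifies the size and endian fields, and looks inside a jar/zip container because DexClassLoader accepts either shape. The sample DEX and jar it checks are constructed in memory (a header-consistent DEX with no classes), since the real dropped files are not on this page.

```python
import hashlib
import io
import struct
import zipfile
import zlib

HEADER_SIZE = 0x70            # fixed DEX header length
ENDIAN_CONSTANT = 0x12345678  # little-endian marker at header offset 40


def inspect_dex(data: bytes) -> dict:
    """Parse a DEX header and verify its two integrity fields.
    checksum  = Adler-32 over everything after the first 12 bytes (magic + checksum)
    signature = SHA-1 over everything after the first 32 bytes (magic + checksum + signature)
    Only the little-endian layout is handled; a REVERSE_ENDIAN file shows size_ok False."""
    r = {"is_dex": False, "version": None, "checksum_ok": False,
         "signature_ok": False, "size_ok": False, "class_defs": None}
    if len(data) < HEADER_SIZE or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        return r
    r["is_dex"] = True
    r["version"] = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    (r["class_defs"],) = struct.unpack_from("<I", data, 96)
    r["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    r["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    r["size_ok"] = (file_size == len(data) and header_size == HEADER_SIZE
                    and endian_tag == ENDIAN_CONSTANT)
    return r


def inspect_dropped_file(data: bytes) -> dict:
    """DexClassLoader loads a bare .dex or a jar/zip holding classes*.dex,
    so look inside zip containers before deciding a drop is not code."""
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.startswith("classes") and entry.endswith(".dex"):
                    return {"container": "zip", "entry": entry, **inspect_dex(zf.read(entry))}
        return {"container": "zip", "entry": None, **inspect_dex(b"")}
    return {"container": "raw", "entry": None, **inspect_dex(data)}


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed: the smallest header-consistent DEX (header plus a map_list
    with one header item and no classes), used as offline test input."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)  # TYPE_HEADER_ITEM
    total = HEADER_SIZE + len(map_list)
    body = struct.pack("<III", total, HEADER_SIZE, ENDIAN_CONSTANT)  # file_size, header_size, endian_tag
    body += struct.pack("<II", 0, 0)                                 # link_size, link_off
    body += struct.pack("<I", HEADER_SIZE)                           # map_off
    body += struct.pack("<II", 0, 0) * 6                             # string/type/proto/field/method/class_def ids
    body += struct.pack("<II", len(map_list), HEADER_SIZE)           # data_size, data_off
    body += map_list
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + body


def build_sample_jar() -> bytes:
    """Constructed: a jar wrapping the minimal DEX, the other shape DexClassLoader loads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_minimal_dex())
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("file named .json, really dex", build_minimal_dex()),
                        ("real json", b'{"key": "value"}'),
                        ("jar", build_sample_jar())]:
        print(label, inspect_dropped_file(blob))
```

On a real drop, run `inspect_dropped_file(open("EACKTUZbZhAIueq.json", "rb").read())`. A file that is DEX but fails the checksum or signature has usually been patched after being written (or the sandbox captured it mid-write, which the three hashes above make plausible); a file that is not DEX at all while the oat/*.cur.prof profile exists beside it is the packer's encrypted stage and has to be decrypted by instrumenting the loader rather than parsed directly.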
