Overview

overview

10

Static

static

6

e737a2cc26...bb.apk

android-9-x86

10

e737a2cc26...bb.apk

android-13-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    11-01-2025 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb.apk

  • Size

    3.8MB

  • MD5

    009ac5e6a0d9602891a91aeeb06c8899

  • SHA1

    ce6a61717ea1e34657636988b60ba0ada9ac6177

  • SHA256

    e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb

  • SHA512

    b2f7e5aaa106e9622837dff5d71a2f9ecbc937fb93fb7446e055f6b3e1db171199b370c943ab4c2943ffe8fa6625252d357e44316425b687792d6126ade51487

  • SSDEEP

    98304:IHEOmnCK0I5f52y0Jlscy/T/m9MrmlM4WQ9a:CEOmCmRcbZ2alMX

Score
10/10
alienbotbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistencestealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://kvq9t8pe7ssjps8p4iqj.xyz

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • co.scratch.broadcast
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4223

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize

    696KB

    MD5

    a5b5805605352067c5660bf6a3789c96

    SHA1

    e3bc838117bdacb7a91aa5dc87d8ab3c3a0ea77a

    SHA256

    e59ac878d28ae377a4ab107d1aa41825e145914c319dcf089705dfb9f70906f8

    SHA512

    9638ea3d58da3e8b435f129f4b380ae61e88a8d100b3afbf0747ebb2d4dfa97594cbdbca9e84a4dcd1adccd4aaff25bac8d8040780411914c8df33939a6e57e2

    Download Submit

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize

    696KB

    MD5

    339acb29cc5daea7cb4386860c5fe2ef

    SHA1

    2222030cefea62954e726b0e4b58d0c69d681f10

    SHA256

    99980467aa255b75ab06327e595133e252225995b4c13d65c6e29c18ae3b25ad

    SHA512

    8fba0f44a751917543c70ecfc2ec27c7a4c71700c5aa335e252db044314df32338534ac7eb8d62a44f19563acd51e0cde4de6505820d6ec669dc056d9d132501

    Download Submit

  • /data/data/co.scratch.broadcast/app_DynamicOptDex/oat/EACKTUZbZhAIueq.json.cur.prof
    Filesize

    466B

    MD5

    30aedfa5cb95bbe5ec7dc0b4acc07aac

    SHA1

    274a92fc241363552550c613c58e86e1961faa46

    SHA256

    4f82493d66774569c79ef671d85b06d854d5ce51841b66ca3a5736e29f2dc5c2

    SHA512

    5ec46ca68267207c9f44dd7574ac20f2b4b4cedfe69a3fd68f58e89891c33801a9ed2b366b4ed516074e1795d408b31a0d63ab4a460384e8c25e191c2c73b658

    Download Submit

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize

    902KB

    MD5

    84ab3497e54dcf2a678229a376297e91

    SHA1

    d7c1be14c186b0ea60689e61b9eb003c8bf5010c

    SHA256

    ca37cef436bd5e63c5f988294550fba7f5b26f56e730a484d9042860176fd6f5

    SHA512

    6fda7ffbe798f0fb8a05ac1eca3acb7937e3884cbf954d6d16174d0e64ae98431999d2ba04a1942dc87095f68c3a15ccb7296b78434fadc4994bdf5e4423ff2e

    Download Submit