Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    11-01-2025 22:06

General

  • Target: e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb.apk
  • Size: 3.8MB
  • MD5: 009ac5e6a0d9602891a91aeeb06c8899
  • SHA1: ce6a61717ea1e34657636988b60ba0ada9ac6177
  • SHA256: e737a2cc262280811d38d3496a2f56d1f0a7cb1532fd6c804d832a47072fe5bb
  • SHA512: b2f7e5aaa106e9622837dff5d71a2f9ecbc937fb93fb7446e055f6b3e1db171199b370c943ab4c2943ffe8fa6625252d357e44316425b687792d6126ade51487
  • SSDEEP: 98304:IHEOmnCK0I5f52y0Jlscy/T/m9MrmlM4WQ9a:CEOmCmRcbZ2alMX

Malware Config

Extracted

  • Family: alienbot
  • C2: http://kvq9t8pe7ssjps8p4iqj.xyz

Signatures

  • Alienbot
    Alienbot is a fork of the Cerberus banker, first seen in January 2020.
  • Alienbot family
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to collect account information stored on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)
    Application may abuse the accessibility service to prevent its removal.
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • co.scratch.broadcast (PID: 4468)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Schedules tasks to execute at a specified time

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize: 696KB
    MD5: a5b5805605352067c5660bf6a3789c96
    SHA1: e3bc838117bdacb7a91aa5dc87d8ab3c3a0ea77a
    SHA256: e59ac878d28ae377a4ab107d1aa41825e145914c319dcf089705dfb9f70906f8
    SHA512: 9638ea3d58da3e8b435f129f4b380ae61e88a8d100b3afbf0747ebb2d4dfa97594cbdbca9e84a4dcd1adccd4aaff25bac8d8040780411914c8df33939a6e57e2

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize: 696KB
    MD5: 339acb29cc5daea7cb4386860c5fe2ef
    SHA1: 2222030cefea62954e726b0e4b58d0c69d681f10
    SHA256: 99980467aa255b75ab06327e595133e252225995b4c13d65c6e29c18ae3b25ad
    SHA512: 8fba0f44a751917543c70ecfc2ec27c7a4c71700c5aa335e252db044314df32338534ac7eb8d62a44f19563acd51e0cde4de6505820d6ec669dc056d9d132501

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/EACKTUZbZhAIueq.json
    Filesize: 902KB
    MD5: 84ab3497e54dcf2a678229a376297e91
    SHA1: d7c1be14c186b0ea60689e61b9eb003c8bf5010c
    SHA256: ca37cef436bd5e63c5f988294550fba7f5b26f56e730a484d9042860176fd6f5
    SHA512: 6fda7ffbe798f0fb8a05ac1eca3acb7937e3884cbf954d6d16174d0e64ae98431999d2ba04a1942dc87095f68c3a15ccb7296b78434fadc4994bdf5e4423ff2e

  • /data/user/0/co.scratch.broadcast/app_DynamicOptDex/oat/EACKTUZbZhAIueq.json.cur.prof
    Filesize: 345B
    MD5: f5e6de63f21bd0cd3d8d045fc9a5b8c7
    SHA1: 56efbd72a4fb60b8e02175c314c4e6bdd0ac3da8
    SHA256: 790691edfdaad2dddecd8b43719f772123c7f417798914a140fdb0ad7b074120
    SHA512: 09fe7bbfff1bb50f1d425adb51e7f930a4c9e847f63c4756869b10b7bd764a740ca58f1565cb637e274beab45ea2221647da970a93610b1ae7cc88aaf425070b