Overview

overview

10

Static

static

6

20bf0d3262...0b.apk

android-9-x86

10

20bf0d3262...0b.apk

android-10-x64

10

20bf0d3262...0b.apk

android-11-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    14-01-2025 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20bf0d3262150730fdf6869243e6bdf19feda0c15d0d09b6611f57075fed6b0b.apk

  • Size

    1.4MB

  • MD5

    a215f520a027c6d8896862e28fb4bcb8

  • SHA1

    827df4030fe8ca6aebb038727c4348a50cc9566f

  • SHA256

    20bf0d3262150730fdf6869243e6bdf19feda0c15d0d09b6611f57075fed6b0b

  • SHA512

    b5aabcd5280c7ce13d3155d8661cc871cce06ffbaa4c1920f9043f385f762553b3347225f3ec78dd196c62794a1268558f3fd101393d14547b1256d8805b33a0

  • SSDEEP

    24576:HsZs6jT0x4AytNk8RmYjX/Tq6v9yJuRrtTt+1O5lXi2Si/dgRtLKeN+0:Hsq6jTC4AytV8YjvTtv9yJuRp5+1OXih

Score
10/10
alienbotcerberusbankercollectioncredential_accessdiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

https://hosgeldin2023.com

rc4.plain

Extracted

Family

alienbot

C2

https://hosgeldin2023.com

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 5 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.later.gaze
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4963

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.later.gaze/app_DynamicOptDex/hTmUMU.json
    Filesize

    238KB

    MD5

    9d24bf25aa3efb28357a2fbc95d1fd59

    SHA1

    5844fc73e8db6223ba78db30fe57da80eed37f8e

    SHA256

    e54e0e3302239e1af4978940ffc33f8f2d295b55efca756de48bd5d7168de7b1

    SHA512

    ab81a44b7481987515d56ffecd888c35236fb5addd7f2ed14619cd03538d220275a4beca34f836f41eaa2f678f254e2fa32ed70879fbd11704466342c6c1f0a7

    Download Submit

  • /data/data/com.later.gaze/app_DynamicOptDex/hTmUMU.json
    Filesize

    238KB

    MD5

    aa6b07098357450e722fb755133d7147

    SHA1

    14eabec23fc941fc77365e5f452f58e0791ba45c

    SHA256

    4147b6a93680470d8686159af6fcc920b57117a324b838e47a28a1896e3f3729

    SHA512

    6b78655cf806201dba55a695bf3745231ab0d30869b138ca7b9e43b45686c80512800b15d0bfab16876143c65450018dd5b9b42e505bb9fee4d6cf1414477190

    Download Submit

  • /data/data/com.later.gaze/app_DynamicOptDex/oat/hTmUMU.json.cur.prof
    Filesize

    437B

    MD5

    7faa41d8b1206752e62a40d6c005a0e8

    SHA1

    135c252ae1deaa0afa51137197dbec6d9960cb0f

    SHA256

    da48a2b8ecd87862ee4f036dba29186037e1e1d09bba3aa67fa8e4b2456541fb

    SHA512

    484cc1e67cdb9f210642004f49a0f8ce025c8d6a8f55a17623db8dcaf7381220fd1387e0630e02290a18970c6450f106a083865c56916a13daa155badc21fb37

    Download Submit

  • /data/user/0/com.later.gaze/app_DynamicOptDex/hTmUMU.json
    Filesize

    483KB

    MD5

    310d174a08f6df51307a6a2a05a1321c

    SHA1

    e262caf64a460d4e5e46a9eb09e5f26d70ec8162

    SHA256

    e5377f5bfda35377b2ceb723539f4b1e78f0765cfd6f06cdedb54b770ab54ed7

    SHA512

    4b5044e26aa75a4757ee17958fce14d09e9437a0cc9cbda920e15f23a3d61c4b0f0fe84386792fbfb77a8c6940866d80c0a4ff55952c62f2d076a5cdf3dacee1

    Download Submit