Overview

overview

10

Static

static

6

22156d5d8b...55.apk

android-9-x86

10

22156d5d8b...55.apk

android-10-x64

10

22156d5d8b...55.apk

android-11-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    21-01-2025 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22156d5d8b763a1f10bce4fe14d13ad98a73522ad9da8d923e0d3b1b0dd04655.apk

  • Size

    1.6MB

  • MD5

    48e697323a0779f4e0e7b0fff8618400

  • SHA1

    3c3172d219d942dd7636f7373f01c9fd38141211

  • SHA256

    22156d5d8b763a1f10bce4fe14d13ad98a73522ad9da8d923e0d3b1b0dd04655

  • SHA512

    37599aadb30b31d10e2e5dcbfa138d16b0f9c47b02d0ac49f5b6bd559cc8dea6399d777aa3382b7588b64c0c574acce570326afa398086d89bebd8b6902d9771

  • SSDEEP

    24576:hcycIR0aeP9Ji8GU6ICuVOFlnlUa8vBQ6LBUAXhQLh7guvqYanpNwYYT8ABwR:hcyc3WU6PuwF216yhohE6qYipNwYYTpK

Score
10/10
alienbotcerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://akrepbaba323.net

rc4.plain

Extracted

Family

alienbot

C2

http://akrepbaba323.net

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.manage.decade
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4786

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.manage.decade/app_DynamicOptDex/ick.json
    Filesize

    238KB

    MD5

    71a2e5ce421b408c7750b39b6791ec77

    SHA1

    c8b7603f7de04b2fce4577cd746ca5d70ddd548e

    SHA256

    59eedcf74638fac737fbdc4823e053aa237f2f2b96077fedf7a512cd9a91fd78

    SHA512

    a37a9637523ae9259190dcce753aa3c32c8fc12a372e601cabe33aa3da5bf9155e7f8a35d4043fd624801e424c0175fddacb798f3aa6aab46d2e1af5b52ba27d

    Download Submit

  • /data/user/0/com.manage.decade/app_DynamicOptDex/ick.json
    Filesize

    238KB

    MD5

    c97c173757c162edadf2c175c111d4f3

    SHA1

    ecc2e50188692034baa9df231f1a02d8d48158c8

    SHA256

    75ec426d5647f05b60e9689337f911d6d00db926121b7dc70d93ca83d5f9a82a

    SHA512

    993496ba2a55ff7c66f9c215f7bfda3def106f79d4eeafbc0084b8a48c2d4d3609723f509155e0b2423988c0b824e76a5304a43b7cf7923c0d80fba4c155deb3

    Download Submit

  • /data/user/0/com.manage.decade/app_DynamicOptDex/ick.json
    Filesize

    483KB

    MD5

    9fa33990983350ae0d7c3ceedd471320

    SHA1

    983dd45a782d3514c26dc6a809603eb67ae0a059

    SHA256

    4385ed115259680065796fde235affa74d1c55c0ce2f58186572e45ba819a80e

    SHA512

    71df84dd6cf7942c7fa741c1f68b9a1fed86b9f7eff0ba661c66d7eb6768ad14f9579deb92926fa2534a3d263a9130fe796509fc7de51ff06f862aaef49aa54e

    Download Submit