Analysis
-
max time kernel
142s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
04-02-2025 22:08
General
-
Target
a52d2105d680d029f9cc5c9c77f639e47ae520e41ce7294bbad77b8f2931796a.apk
-
Size
2.3MB
-
MD5
bcdb634ff9ab3e08e47dcf1caf89abd2
-
SHA1
213506113a6d73dcb8d632a85470688a682fb026
-
SHA256
a52d2105d680d029f9cc5c9c77f639e47ae520e41ce7294bbad77b8f2931796a
-
SHA512
42d2a75b8a6b056fc75011c9c717fdd9c38c255e953e8180631c096d4969ba1729b75ae750c64f8dca532890e95eff41241cdcb9b5790fc97f39e0c10959d522
-
SSDEEP
49152:fpZjJBuD3wv+ugforIlCNTbKOcsXtffdVpbhRW0zB:hRuDfunIImOcsxfdjW01
Malware Config
Extracted
alienbot
http://217.8.117.30
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 8 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
com.hmxuxgdngpi.bkqrlzkuwzuj1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238KB
MD50e421b714166a1c5063d3fe243544d2e
SHA18ec5538657c10121296da904e7194428abdb0188
SHA256ba72f3124a5e164d0bf7e6e1442ec37958740eb4b9df5999c6becdbcb1cf26b2
SHA512f037a61829365507ec28b4c3583eb18c1bab7b8e291563c6143fc397aa187671b61169117ca76a30d107500b096691bc0ed61549ad2af136ea8d7cbb4ac6bb68
-
Filesize
475KB
MD5f94b1751c1c9c48f53c18f69f03bcf47
SHA1a5f88e0e66c35567cc4ee061cbb00dd94b14bc17
SHA25646c4115efc12d7129de2a7b908698d20362e68e4dcb3a75a6565d0c1c9a9a997
SHA5121281546dc92ae8ca0591b7c5841084445e183f02da9ffc8233168e8b8d9701a87721e3bf3ada4effed5bdc3c15aeb111715c4d1c842fe9556328dc058bbf499b