Overview

overview

10

Static

static

6

da6f2b53a5...8e.apk

android-9-x86

10

da6f2b53a5...8e.apk

android-10-x64

10

da6f2b53a5...8e.apk

android-11-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    11/02/2025, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da6f2b53a55368f43295bc54395ba923c0c46c098e2f3884844aaae64e571d8e.apk

  • Size

    2.2MB

  • MD5

    badc4bd55edfaad5b9ee0a80f625ed22

  • SHA1

    a2b9d606f8e4be2f05b9086d7a66bb3d6d907127

  • SHA256

    da6f2b53a55368f43295bc54395ba923c0c46c098e2f3884844aaae64e571d8e

  • SHA512

    cb25167aa1258b5ff8eb0da0bfdcaec60451ea23ef880755e7ba5cf95761245d831247631272dfd41d675b6e48a5c7398678ae52b7637f9ac8d0d0858b79e479

  • SSDEEP

    49152:BdHPL8KJCXyAGkCDvGMgnih52eHDMOX8seIIrVM/vmgAtSBCOJhTs:vz8TXyAGkCD+nihtjMOssb+NYZhg

Score
10/10
alienbotcerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

AES_key

Extracted

Family

alienbot

C2

http://217.8.117.104

AES_key

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.opvkhdin
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4332
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.opvkhdin/cache/payload.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.opvkhdin/cache/oat/x86/payload.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4356

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.opvkhdin/cache/oat/payload.jar.cur.prof
    Filesize

    426B

    MD5

    74a5dabbf4252220d1d80f49e8b0a169

    SHA1

    2f4b90ca0fc672409c8f081497a476dc85a0058a

    SHA256

    4b0dae1c58eaa82013a0f8d5d560570a8f8207bae5adcba5537243278d421e41

    SHA512

    5d8f1d29621ddd4f991391fe4aac78d77ed5f9a4d86d4e12431fa27162dad4b48a2279ac811411c6d220e0649472af9bbd2ead8c925b1477cd90487a700278cd

    Download Submit

  • /data/data/com.opvkhdin/cache/payload.jar
    Filesize

    266KB

    MD5

    2f7df6ebe7d426fc6920781872085b71

    SHA1

    c57fc7f43e75ce0c59f5f96b7a28b0fbe2e35fbf

    SHA256

    3112b2284c817dbc860eb6b384453ea0c8baf290b66e1661cd6108d3023c9223

    SHA512

    3b204dcf15f59a7d8b7eb469a1a995d5457822f37502d0279e773ea0c79c73d8ad5da63c5a63ebc09cd87768bbb8e84e5f9e6a2ebaf612caa62730aa586cfc47

    Download Submit

  • /data/user/0/com.opvkhdin/cache/payload.jar
    Filesize

    505KB

    MD5

    6b17c578b12e9f69c863cad3879e9df8

    SHA1

    cbb8cd4daae00631eebe9533f54f4727d8b96a3b

    SHA256

    7bd3409d4681003f95825ed2294ac30fb4812d555b1c129b3a1159f1d9dc398b

    SHA512

    f16a892ef02a67ebdc1de8629dbd81a28131ff5a3b8996edf45d78970a26b92fe6367440919e514013d0b01c780739bd4b3e956b204b96db8066feee54efa65c

    Download Submit

  • /data/user/0/com.opvkhdin/cache/payload.jar
    Filesize

    505KB

    MD5

    c68813d8c9f135bc258f6a5669233ca5

    SHA1

    8b45381215ba1d22a5ce94a6e3239c2d641199fd

    SHA256

    51a402f29aa476f9eaf1a057746d1a9ddd0dcced310c37f9b8f54b9eff11a0d3

    SHA512

    fa4111ac8abd592f7daac329aa5c00e07d7a5af5a40618917e155b85993380ab26cd0750339d9925d62cc8cb07d0f89ea526cb6823b57d1f538f9b59d36342bd

    Download Submit