Overview

overview

10

Static

static

6

da6f2b53a5...8e.apk

android-9-x86

10

da6f2b53a5...8e.apk

android-10-x64

10

da6f2b53a5...8e.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    11/02/2025, 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da6f2b53a55368f43295bc54395ba923c0c46c098e2f3884844aaae64e571d8e.apk

  • Size

    2.2MB

  • MD5

    badc4bd55edfaad5b9ee0a80f625ed22

  • SHA1

    a2b9d606f8e4be2f05b9086d7a66bb3d6d907127

  • SHA256

    da6f2b53a55368f43295bc54395ba923c0c46c098e2f3884844aaae64e571d8e

  • SHA512

    cb25167aa1258b5ff8eb0da0bfdcaec60451ea23ef880755e7ba5cf95761245d831247631272dfd41d675b6e48a5c7398678ae52b7637f9ac8d0d0858b79e479

  • SSDEEP

    49152:BdHPL8KJCXyAGkCDvGMgnih52eHDMOX8seIIrVM/vmgAtSBCOJhTs:vz8TXyAGkCD+nihtjMOssb+NYZhg

Score
10/10
alienbotcerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

cerberus

AES_key

Extracted

Family

alienbot

C2

http://217.8.117.104

AES_key

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 5 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.opvkhdin
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Performs UI accessibility actions on behalf of the user
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5126

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.opvkhdin/cache/oat/payload.jar.cur.prof
    Filesize

    370B

    MD5

    498d2b7d3557d03dfc5543da53016c0b

    SHA1

    398a2be80ae75487eefe35b854cbe2d242db0e0e

    SHA256

    82770f7ed7505ad2ab8f60f2b932bd2ffd945c680245524773ec0176e8f9ca48

    SHA512

    2e392a9c2191708613be3f5dcb622bda6045f14f6feccf47c5b150e9cbc9bd1ff69c6ee8e84f43f00ab0205897799f469009aca94031f9a24b705b1a41170fd8

    Download Submit

  • /data/data/com.opvkhdin/cache/payload.jar
    Filesize

    266KB

    MD5

    2f7df6ebe7d426fc6920781872085b71

    SHA1

    c57fc7f43e75ce0c59f5f96b7a28b0fbe2e35fbf

    SHA256

    3112b2284c817dbc860eb6b384453ea0c8baf290b66e1661cd6108d3023c9223

    SHA512

    3b204dcf15f59a7d8b7eb469a1a995d5457822f37502d0279e773ea0c79c73d8ad5da63c5a63ebc09cd87768bbb8e84e5f9e6a2ebaf612caa62730aa586cfc47

    Download Submit

  • /data/user/0/com.opvkhdin/cache/payload.jar
    Filesize

    505KB

    MD5

    c68813d8c9f135bc258f6a5669233ca5

    SHA1

    8b45381215ba1d22a5ce94a6e3239c2d641199fd

    SHA256

    51a402f29aa476f9eaf1a057746d1a9ddd0dcced310c37f9b8f54b9eff11a0d3

    SHA512

    fa4111ac8abd592f7daac329aa5c00e07d7a5af5a40618917e155b85993380ab26cd0750339d9925d62cc8cb07d0f89ea526cb6823b57d1f538f9b59d36342bd

    Download Submit