Analysis
-
max time kernel
18s -
max time network
37s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
11/02/2025, 02:17
General
-
Target
4D5764BE41FD0E422C7FE7222BAA5169D162AB89A48A00C3512BF401514BC07F.apk
-
Size
1.8MB
-
MD5
1cb9d2ecaca4d972d09cca05dcffb519
-
SHA1
491fff2df906b86fe493d9613494c350a94bd125
-
SHA256
4d5764be41fd0e422c7fe7222baa5169d162ab89a48a00c3512bf401514bc07f
-
SHA512
8ff3e80a62f2c97ffb6f6fd9dc5d839de728b928a31c8d45bf14fe73db4e08cca7aa772b6436ece91685487d6f641027da1b2cd7a7d440cf3b474b2bcebf1420
-
SSDEEP
49152:mWBOUUH7kX5TQZtFxHsvn7dU6EU9DspIsBAP:cH7UOZtFQn7m6E6Dwm
Malware Config
Extracted
alienbot
http://tayyipbey31.com
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 3 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
nhtoylgqwkblqaa.etpfnimh.igaohffeeamwoemzgxedpymxpe1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
698KB
MD51bf6b813ee95cb23b0702b0faf829d3d
SHA1b8c5879e925f33ca19f1d05ec5eebb0c834f25e7
SHA25619fde71ace596430c1e9f5b963429de7acca7d47e3870e4c801c1713467011aa
SHA5121f4d4c1de7a6ad5bbee035a525d4640de66c0758d176798681771ddd44650aed576eeaaf741d111b6cfa9875b1b5a2401a9ff0d8a9eccf5467547a9f7f110097
-
Filesize
698KB
MD5bc5845a7907e5856f418adf9cc1efbb3
SHA15cf82f3f397e153a822c78cb1df6b740331065fe
SHA256506d95179d2329473199d2c280cd0d02c67346afde1be5319666fdbf6f6028da
SHA512915e1d74dfef31073d3dd1f87b72d5619ba81fc8c5bb6e69c21cc98acafc1b70bc4156c6b3c900a7e6c0f05321f15bbdd5bee2857f5d708d4ff61999481d0625