Analysis
-
max time kernel
20s -
max time network
35s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
26/02/2025, 02:55
General
-
Target
4fe5c2f3972b2856957742f7bcabf14102cb8d7df71e21c30dc6d6d023e9d7ee.apk
-
Size
1.8MB
-
MD5
985b428c39115820a7a5052fb1e68048
-
SHA1
e7ed680407b9bbc4eafb3554f83ce34973605f92
-
SHA256
4fe5c2f3972b2856957742f7bcabf14102cb8d7df71e21c30dc6d6d023e9d7ee
-
SHA512
29f581db92139a4c23fdd19deda902ff4952a4aa804f678a814562aef50b425943c59ab72c9409a5270f13e1f5213d4f167f810a0e7be00cadfe75ab06e386e1
-
SSDEEP
49152:E3kVPMcccM3O92Bt8Er2pmbvaAUGEXeHewEdYl68ux9:9520/4raAUNeHdEdq6Xx9
Malware Config
Extracted
alienbot
http://zesasar9.com
Signatures
-
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
-
Alienbot family
-
Cerberus
An Android banker that is being rented to actors beginning in 2019.
-
Cerberus family
-
Cerberus payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes
-
tghqfaydexqpmsem.zxxeifzgsucaauejlhmw.zpgiowiwlipxct1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Scheduled Task/Job
1Defense Evasion
Download New Code at Runtime
1Hide Artifacts
1Suppress Application Icon
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654KB
MD530d0e5851dc8d367455a26a74a068a85
SHA10333618cd37501cbe490b60d957194c7fd87683a
SHA256a828abc563b56a790fa9656c195802ff53e3576eab6e3fbbb7744416a4d44397
SHA512733787302e9cd0fd44dad31f09874c62d26260c2154fa2e1c8fc430724ba4127c316f9716460ef5e19affd894b8c14741680b99a9bc2bac40bd9bbdf29c56d40
-
Filesize
654KB
MD50ee42c3762c0f6c8f42f4a3bf46728e4
SHA1d56e357fdd3faeda8e4bb9f8d3a48fffa69ad5e8
SHA256c801d9678fea044e3405162075c7f1501eacba6e01313458b5d54d72f26a966c
SHA512adef03b13a145ce01da7e531917d139afafcfa68a1de4f5cf15f010e15403bfb50e001c6b084ebb135c7720d606da5cc3407bcb1d5ffc777c41e1cead144c1ba