alienbot

General

Target

1d6834559d2d7d5a74b02682d339aeab762a61115df1c9c9f7f7e68c2651fed6.zip
Size

1.5MB
Sample

250325-m5awhsylz7
MD5

c3feecc96e6272d779e6b04fcf7fe0dc
SHA1

92ec60a0f6eec61aac4ab709704c5b837545888d
SHA256

1d6834559d2d7d5a74b02682d339aeab762a61115df1c9c9f7f7e68c2651fed6
SHA512

76c85677191d0001f6da4bebff41cd2805be68e9a829a75f81e5bf0101d2d6c656e411809379e0a5c2599dc845f5302fdc79e6f093e936eee12d96715b29ba8b
SSDEEP

24576:GEQdqI/08Bm/D27Y8FQAkYLFkscnlEDLyYShTSKpribIo2q6JG+IE:GEQdqI/0DbQqscnWHyR9nribI6Y7

Score

10^/10

Malware Config

Extracted

Family

alienbot

C2

http://cemkeskin.xyz/

Targets

- Target
  
  03c67802e809e75a774527c60517a5ba7ffdd496bb5efba91e231c45d4a971f8.apk
- Size
  
  1.6MB
- MD5
  
  f8f96afdb7b8f09149d3c408bb3ebc9d
- SHA1
  
  55a330a6e878c25fb0668d77a68c645a4b5277f7
- SHA256
  
  03c67802e809e75a774527c60517a5ba7ffdd496bb5efba91e231c45d4a971f8
- SHA512
  
  c13d9dba50a1d9b2bfbf20b58dafef1a6720f6e21df5add56ff67cbb195ccbe76ab7112ef1c8073f4b10647c4068f256bc8e86a7f9dd76641c330fdcae1948d0
- SSDEEP
  
  24576:/nt/nJgKAIR0IYxxVsvBntmg/VFLvxO0oDaJfdk4q5PiUsdTYS2lXmRBa38F:/ngf4ln/VFbo2fdk4qAUsGWa38F
Score

10^/10

alienbot cerberus banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat stealth trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Alienbot family
  alienbot
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Cerberus family
  cerberus
- Cerberus payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks Android system properties for emulator presence.
  defense_evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral1 behavioral2 behavioral3