alienbot | 1d6834559d2d7d5a74b02682d339aeab762a61115df1c9c9f7f7e68c2651fed6

General

Target

03c67802e809e75a774527c60517a5ba7ffdd496bb5efba91e231c45d4a971f8.apk
Size

1.6MB
MD5

f8f96afdb7b8f09149d3c408bb3ebc9d
SHA1

55a330a6e878c25fb0668d77a68c645a4b5277f7
SHA256

03c67802e809e75a774527c60517a5ba7ffdd496bb5efba91e231c45d4a971f8
SHA512

c13d9dba50a1d9b2bfbf20b58dafef1a6720f6e21df5add56ff67cbb195ccbe76ab7112ef1c8073f4b10647c4068f256bc8e86a7f9dd76641c330fdcae1948d0
SSDEEP

24576:/nt/nJgKAIR0IYxxVsvBntmg/VFLvxO0oDaJfdk4q5PiUsdTYS2lXmRBa38F:/ngf4ln/VFbo2fdk4qAUsGWa38F

Score

10^/10

alienbot cerberus banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

alienbot

C2

http://cemkeskin.xyz/

Signatures

Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
banker trojan infostealer alienbot
Alienbot family
alienbot
Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus
Cerberus family
cerberus

Cerberus payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-2.dat	family_cerberus

Removes its main activity from the application launcher 1 TTPs 8 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl/app_DynamicOptDex/ZWnaZ.json	4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
/data/user/0/flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl/app_DynamicOptDex/ZWnaZ.json	4845	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl

flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
PID:4845

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Foreground Persistence

1

T1541

Hide Artifacts

2

T1628

Suppress Application Icon

1

T1628.001

User Evasion

1

T1628.002

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

System Network Configuration Discovery

1

T1422

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Stored Application Data

1

T1409

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl/app_DynamicOptDex/ZWnaZ.json

Filesize
698KB

MD5
cef8e24389f57dc2a2b92a72da539586

SHA1
b114b455cd9eb46034d81356e67902214900a97f

SHA256
0d71e77c76f121ea0a1a4f4ca8130586dbe3c8941bae11f5181960c26a2a51cd

SHA512
e9ae28fd4c19a17ce34b012414e9911f2d6c0be20b34f1ac251ef47559cbbe9841cbd9cc359c288381eb6bd2ad93c11d766c70376573bd5331890e3acb72c86e

Download Submit
/data/user/0/flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl/app_DynamicOptDex/ZWnaZ.json

Filesize
698KB

MD5
08b1f6ddcb0157998e5e5fb923faa885

SHA1
8db192ae7d0b182e8540f6eb7e9e6c60b970d6e0

SHA256
020f7686a0d473992d3094be78e798f2ede7a69c2ce34731457475a32368e1e7

SHA512
d3d3180aa6f3d3e69837eb39c015f9d707426bcbeab0ae24f7ed73137adf65e4e857c782a0e3ef83dedc1dd8b8305010eecd7ca9d71ed392bdb77f1456aa2c47

Download Submit
/data/user/0/flftowpyhygfa.kchoyulzgssarwo.mlypjkpnjqxbkxztjifzonl/app_DynamicOptDex/oat/ZWnaZ.json.cur.prof

Filesize
365B

MD5
3cb4c12ee71fcedd5d58df4c44bc7cf2

SHA1
a34e0941ccb1e265059d4bdb5bbc7de642eee09e

SHA256
b29f0bb1052014738505fbcbac6c335632975e2d153cc4a3c3efc814cc63c80f

SHA512
f13f1960bba7f1da04c2a82711d2a176e9581dd2916f266a4e16632a0b1595d6b7cf2705a64a3940cb65908e70edafcad344a97162d6a9c2caa55ce2c7e327aa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads