alienbot

General

Target

20424169451b0611912a8884b14197c1e85e6f4d7e59f6054a463668bb0fa06d.zip
Size

2.5MB
Sample

250325-n8sfeayq19
MD5

85d09c3ba68caadfd3ce452795bc0b3b
SHA1

52090680eff218025d6486e860a7e878c6c2312c
SHA256

20424169451b0611912a8884b14197c1e85e6f4d7e59f6054a463668bb0fa06d
SHA512

016e579e4863c740f16bd8e28ba5e8b85a7173a4c1e9099f85692c7e39629e92f5ac5194a875d74984f93844b41a48232e620a39d5d5b707057de0909832dc9a
SSDEEP

49152:VZmzB+3ZbTSi6vNuEuJecmLzPBFZVMl/Ogp/ImhSq+YOjLAb4sMM:VZmzUui6vNruI9fp9Ml/O1qOjLAb4/M

Score

10^/10

Malware Config

Extracted

Family

alienbot

C2

http://194.163.136.78

rc4.plain

Extracted

Family

alienbot

C2

http://194.163.136.78

Targets

- Target
  
  f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6.apk
- Size
  
  2.6MB
- MD5
  
  757be08495745e8f90e97d33fa946aff
- SHA1
  
  0a7af3d293c4bc9fa142e714f5be6f774aa0a112
- SHA256
  
  f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6
- SHA512
  
  a49c67ea1f2b92f0bd30c699567198033c5e0712474d77674cbed3127429dfe2b5a208b6b35141c91d3eb3360a970992929a28887d38ed90cfd06177af5694a2
- SSDEEP
  
  49152:dDFzDxnFGJvAMs5oC/kW2njHqN1EdJue2NV3zBDb32XIFtPWs3Sn:JFzDxnU+5HylepBfGXNj
Score

10^/10

alienbot cerberus banker collection credential_access defense_evasion discovery evasion execution infostealer persistence rat stealth trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Alienbot family
  alienbot
- Cerberus
  An Android banker that is being rented to actors beginning in 2019.
  banker trojan infostealer evasion rat cerberus
- Cerberus family
  cerberus
- Cerberus payload
- Removes its main activity from the application launcher
  stealth trojan evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral1 behavioral2 behavioral3