Overview

overview

10

Static

static

6

f808d05653...a6.apk

android-9-x86

10

f808d05653...a6.apk

android-10-x64

10

f808d05653...a6.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    25/03/2025, 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6.apk

  • Size

    2.6MB

  • MD5

    757be08495745e8f90e97d33fa946aff

  • SHA1

    0a7af3d293c4bc9fa142e714f5be6f774aa0a112

  • SHA256

    f808d05653ae38eef70954a583c9cacdf5d43bd28e73e689174d47c73e431da6

  • SHA512

    a49c67ea1f2b92f0bd30c699567198033c5e0712474d77674cbed3127429dfe2b5a208b6b35141c91d3eb3360a970992929a28887d38ed90cfd06177af5694a2

  • SSDEEP

    49152:dDFzDxnFGJvAMs5oC/kW2njHqN1EdJue2NV3zBDb32XIFtPWs3Sn:JFzDxnU+5HylepBfGXNj

Score
10/10
alienbotcerberusbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

alienbot

C2

http://194.163.136.78

rc4.plain

Extracted

Family

alienbot

C2

http://194.163.136.78

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot
  • Alienbot family
    alienbot
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus
  • Cerberus family
    cerberus
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • video.typical.scrap
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4596

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json
    Filesize

    695KB

    MD5

    99ca162c256d1f74e74580a3110a05c3

    SHA1

    5626499829471270feac4413bfb807eb3a71bbce

    SHA256

    f2f00291c5dc5c33697dbaa02239985ab8d060687445f67c158ff62786793e4b

    SHA512

    c8791671cd895556c72fb7eb47001326c115133486191c38c8d97295f30f70d498ccaabe3b4f7270234bad4c434842b77ca715a04173408d56ab9b562cf113eb

    Download Submit

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/jZ.json
    Filesize

    695KB

    MD5

    33f1dd56e54c4dcb29c2bcf0aa11bd86

    SHA1

    349040d578a550a758c8d6cae15f9a0e2d525f43

    SHA256

    d6ecf45bf1f6b71cc285cba4b477f891552ce3b1e2d75c3713e663164ae43729

    SHA512

    2a0a2e785a8c48eff88ec5b2106f8481c5ff10d13d15fb7bf381d8f1952cdc37c2c4e8af095ad018bdaf89da18f2d07e03073c5a4e1019626297431ad57fbbb4

    Download Submit

  • /data/user/0/video.typical.scrap/app_DynamicOptDex/oat/jZ.json.cur.prof
    Filesize

    367B

    MD5

    4b1ca149d34f8f49477ec01f54b067ee

    SHA1

    1bc85e12fa129a02a8e8b5794c5bb40bc3207287

    SHA256

    6d3dfdd3c596df1f2b0415710be0752603245ee8b2fe54da7ac473661beac8ee

    SHA512

    338f5d09665c4a7b1dbae9e97065ed87423318133ba6cf256add6e12ebc8584458509dc44e0bf5fe7af7d083f50fa5375076d18d8e00d8a7d625e63c48233bdb

    Download Submit