Analysis
max time kernel: 146s
max time network: 150s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 25/03/2025, 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47.apk
Size: 1.9MB
MD5: 8b219d57fafcdb3b2e0d053d344c98c8
SHA1: 566bdae1390d8e9c910064c9f4a3812f3abc9a67
SHA256: 87cff4f61b32306eaec1f50af02d0521937aadd6f1c1a3b3d5ea177ebe690f47
SHA512: 53d4fb2e8b2e2269968e93cf3d5d18e3a8d3ce82f44a9f9324ad84c7103e36746099a2ca7f6d656d11e75e9253cd9fb37053afcea6c144d727353a0da208f690
SSDEEP: 49152:ndCaJyQk1wecel5BxDIk4fQ5QFFTF+pqeBRobd0C1HybrbD:njJytcYlnqZRyENI
Malware Config
Extracted: alienbot
http://ricktreemonkey54st.com
Signatures
Alienbot
Alienbot is a fork of Cerberus banker first seen in January 2020.
Alienbot family
Cerberus family
Cerberus payload (1 IoC)
resource: behavioral3/files/fstream-2.dat | yara_rule: family_cerberus
pid: 4746 | Process: valve.general.hour (8 identical entries)
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/valve.general.hour/app_DynamicOptDex/cTicF.json | pid: 4746 | Process: valve.general.hour (2 identical entries)
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: valve.general.hour
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: valve.general.hour
Queries account information for other applications stored on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
description: Framework service call | ioc: android.accounts.IAccountManager.getAccountsAsUser | Process: valve.general.hour
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: valve.general.hour (2 identical entries)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: valve.general.hour
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | Process: valve.general.hour
Processes
valve.general.hour (PID: 4746)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
Filesize: 735KB
MD5: ac2fff9e7638b9cf91dce98e13d91709
SHA1: 820ce6370aa4b440743100910312f82f756fa2b3
SHA256: 983d54b64dc5b2db827ca7f7514fd6f21d5ef6a412f2d159ab561c1db8b7f5c8
SHA512: 44230e6d19d536cb0b8489ea80cf4f5f737df33140aba8ead61c114186910f094071d9a22b9459827bbad41809dec1143c5423ce4ecf5a4e50252220caa45e09

Filesize: 735KB
MD5: ff8d98b46eb2f78ca3eb9a563def2c5a
SHA1: a5d2cb0a76995aaecf3db94f59c1d19434d2eda4
SHA256: 7b27de007e67d4627b268740a8c683325dc426b66074119a9d1339ce5f278f07
SHA512: d065a61b7456eecbcbd81b05245e8f8398bcfa9c0946e388887f745b5ff4fc94da36ed1f38ac5250444d59ee3f3c46a8f7014c161e6c640b13d07aa24a8d1031