alienbot

General

Target

a405a802e506f2660e066c6e46bc2361d3627d0c6cf787a437a7095caeffaf41.zip
Size

3.8MB
Sample

250326-23qxaawqx4
MD5

f0febf0702b534243c2788c47e66b4ed
SHA1

4d5016499fc8aa6fe64df125c6298bcbffece2b2
SHA256

a405a802e506f2660e066c6e46bc2361d3627d0c6cf787a437a7095caeffaf41
SHA512

4e6bb26ab18b79585f38d75ea30b887a5568325671f4992032a4799d6edb74031b4f2cb0cb4b774219035b56b0392ee98df2c73263b63f56c3a2dc708f5e4c78
SSDEEP

98304:MR9VE+vs7LJt6+d3JlRVdToonXGOA/Cui0WYuN+pKy:oElRLToonWyuiY5

Score

10^/10

Malware Config

Extracted

Family

alienbot

C2

http://a05qdzfe6qa1.xyz

Targets

- Target
  
  1cd7bab3a22cf44741925eb1ee5f969ccca01ff78ce6f3f010fdf6f93875c8fb.apk
- Size
  
  3.9MB
- MD5
  
  894fe2772e0dcacb289aec6c2e270309
- SHA1
  
  8e7dce465a012b44541f2d69706712dca633477a
- SHA256
  
  1cd7bab3a22cf44741925eb1ee5f969ccca01ff78ce6f3f010fdf6f93875c8fb
- SHA512
  
  71ce5ce44c6d9679aef9420552990e26ae634ad4c2ca293ce1c22002f794029c5253d3653f1114ca0e8d5eba7ad49517539c7bfd6e8a6e6e01061703ab3640cd
- SSDEEP
  
  98304:LXCg2SRsXt8VogpJ/teBDVq5rgpcBQY50QISGaGs:7qSRTpJ/teBamcBQvGX
Score

10^/10

alienbot banker collection credential_access defense_evasion discovery evasion execution infostealer persistence stealth trojan
- Alienbot
  Alienbot is a fork of Cerberus banker first seen in January 2020.
  banker trojan infostealer alienbot
- Alienbot family
  alienbot
- Removes its main activity from the application launcher
  stealth trojan evasion
- Checks Android system properties for emulator presence.
  defense_evasion
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
  evasion
- Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
  collection defense_evasion credential_access
- Queries account information for other applications stored on the device
  Application may abuse the framework's APIs to collect account information stored on the device.
  collection
- Queries the phone number (MSISDN for GSM devices)
  discovery
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
  Application may abuse the framework's foreground service to continue running in the foreground.
  defense_evasion persistence
- Performs UI accessibility actions on behalf of the user
  Application may abuse the accessibility service to prevent their removal.
  evasion
- Queries the mobile country code (MCC)
  discovery
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  defense_evasion
behavioral1 behavioral2