Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    27/03/2025, 20:58 UTC

General

  • Target

    25f8c85774f2c0cfb7122f2a1de2301498c70c239a42d0cd9399c904c22a35b9.apk

  • Size

    1.4MB

  • MD5

    7557a88cf8e930d33675a1cf2a3ca0f0

  • SHA1

    dff8dd372f1d3137bb41820f89b67acecb7204c1

  • SHA256

    25f8c85774f2c0cfb7122f2a1de2301498c70c239a42d0cd9399c904c22a35b9

  • SHA512

    3d8214805293c47ed91b40653619396d1a82a9310a27c7979723a0f3b5d7d67c198802f534ba98ac882d5090c9913b7e930335edf13a7a4a658c8cdb9d4feed8

  • SSDEEP

    24576:1p9ZisGtk5hudq5nS6uVA16rhWSEsKfTiVRGp4v97dxyDheGvYwWb7owcGgEKC9k:1pfJ3HYFlWF3fTiVRC4v95x8heLRozPP

Malware Config

Extracted

Family

alienbot

C2

http://alskdalksdlaksdjlaigpopoinojasg.info/

Signatures

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

  • Alienbot family
  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

  • Cerberus family
  • Cerberus payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • ntmserpfdosfwguutcejnye.zohzrycfeqcfuuuxjdtztl.uhph
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Performs UI accessibility actions on behalf of the user
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5115

Network

  • flag-au
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.180.14
  • flag-au
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.187.200
  • flag-au
    DNS
    alskdalksdlaksdjlaigpopoinojasg.info
    Remote address:
    1.1.1.1:53
    Request
    alskdalksdlaksdjlaigpopoinojasg.info
    IN A
    Response
  • flag-au
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:58:48 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:58:48 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:18 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:18 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:26 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:26 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:51 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 20:59:51 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:06 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:06 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:21 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:21 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:46 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:00:46 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:01:03 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • flag-nl
    GET
    http://t.me/thaixyz
    Remote address:
    149.154.167.99:80
    Request
    GET /thaixyz HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Pixel 2 Build/QSR1.210802.001)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.18.0
    Date: Thu, 27 Mar 2025 21:01:04 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://t.me/thaixyz
  • 216.58.212.206:443
    tls, https
    914 B
    40 B
    1
    1
  • 216.58.212.206:443
    tls, https
    914 B
    40 B
    1
    1
  • 142.250.180.14:443
    android.apis.google.com
    tls
    5.4kB
    9.5kB
    20
    27
  • 142.250.187.200:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    9
    9
  • 149.154.167.99:80
    http://t.me/thaixyz
    http
    4.4kB
    6.8kB
    34
    18

    HTTP Request / Response (16 identical exchanges, matching the flow entries listed above)

    GET http://t.me/thaixyz

    301
  • 142.250.187.194:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.180.14

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.187.200

  • 1.1.1.1:53
    alskdalksdlaksdjlaigpopoinojasg.info
    dns
    82 B
    161 B
    1
    1

    DNS Request

    alskdalksdlaksdjlaigpopoinojasg.info

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/ntmserpfdosfwguutcejnye.zohzrycfeqcfuuuxjdtztl.uhph/app_DynamicOptDex/oat/qUbuD.json.cur.prof

    Filesize

    394B

    MD5

    a584a6818253467121c69a4084ab0356

    SHA1

    09a9f117fc26f1e77a4cce62ad7e0ac8c0e29d58

    SHA256

    950c115c9152c94b3a984652fdc5b9993bd0097989a5aec6ea6ebfa45a241896

    SHA512

    6f553d63f3c326590958abb347416d6da8f0fe0ab2346f8136ef6b07f6549621f4a74324124928701090ed4873420e0a5a74abd1ae03fe16e690e28dc1432818

  • /data/data/ntmserpfdosfwguutcejnye.zohzrycfeqcfuuuxjdtztl.uhph/app_DynamicOptDex/qUbuD.json

    Filesize

    730KB

    MD5

    f57737c363419720b82c569be6a9cb04

    SHA1

    38816a25583a52ca3f5eb305acdd91be887376e3

    SHA256

    9f24e342bf3cc2b35e7fef63d682515a01193789acffe79ac74a62fb6e41d298

    SHA512

    73370947343d3331d14c0e5c2b061db982a66c5ff556e2a5d2f3ca02e63b5f913191c7983f83b0fa43c0669ff1ae6fb59ae17db6a0af59a41efdc8a97f59bf23

  • /data/data/ntmserpfdosfwguutcejnye.zohzrycfeqcfuuuxjdtztl.uhph/app_DynamicOptDex/qUbuD.json

    Filesize

    730KB

    MD5

    bea1a26accb85be002f29ca8bed94444

    SHA1

    a27216ece47a8cc87c99855e40b3dbb0bfd659b5

    SHA256

    4f8b45eb438098549b76367305f5701ef53d467647d3479431771f1f767fb61b

    SHA512

    567770506afeba0ed5301e86983e94c627f752c1300ef60459ec11e8d652ebb51a8a008ee4e12a872f6adafd5b29cba1abf28780a76b28bbeefc3a668f8e1fcb
