Resubmissions

19-01-2022 11:21

220119-nge11ahce2 10

19-01-2022 11:18

220119-nehn4shchl 7

Analysis

  • max time kernel
    1913933s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64
  • submitted
    19-01-2022 11:21

General

  • Target

    4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c.apk

  • Size

    6.0MB

  • MD5

    06371fc75740162de9e6275102012e6c

  • SHA1

    9b45243e89541ae26fea5ff2b9c7d14ff69044ed

  • SHA256

    4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c

  • SHA512

    c865d89143effb176c4be93fc16f54e06d248f5b7e22ffbf19754137f9da181f6d7f6019cdb28d2d7964375b1978a255c475dd3d17487fddb9fa0e4eda8bf248

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

  • FluBot Payload 1 IoCs
  • Makes use of the framework's Accessibility service. 1 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

Processes

  • com.tencent.mobileqq
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:6093

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads