flubot | d3226d16892b6965ceb86f10133aafb93f967d48fe98b43d0af30330d4227fb5

Analysis

max time kernel
3654238s
max time network
168s
platform
android_x64
resource
android-x64-arm64-20230831-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20230831-enlocale:en-usos:android-11-x64system
submitted
28-09-2023 03:19

Target

4bf1e7a6e5febfb345b13a596b954e50c59d9506046592d39d4a6e9f01dfea53.apk
Size

5.6MB
MD5

8289bde90df26a68d5e7205f008a2d0f
SHA1

d816fb5dc1fc5a02d2787a01d1b84b72b7e46b67
SHA256

4bf1e7a6e5febfb345b13a596b954e50c59d9506046592d39d4a6e9f01dfea53
SHA512

855dac2cfa00e9d6b3581b0f46309ccd7ab5719a585b2ad70f76e6af2eaf99aee60b44dc2c5a832fb87054f1de1f97599d81e258ab8a929de89b9e437efdef04
SSDEEP

98304:6fOYaX5kvxq+Vcyscc6I4QzCbt9Y7hvy+UXYNvzsKYr8OZPyxrf:IaJKE2c6I3Cbt9GhqlY1zs1rPPyNf

Score

10^/10

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.tencent.mtt/gGTggfjg9U/hygyUtg78qgdGug/base.apk.jwUw8fI1.fIy	family_flubot

Makes use of the framework's Accessibility service. 1 IoCs

Processes:

com.tencent.mtt

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mtt

Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.tencent.mtt

ioc pid process

/data/user/0/com.tencent.mtt/gGTggfjg9U/hygyUtg78qgdGug/base.apk.jwUw8fI1.fIy 4561 com.tencent.mtt
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 icanhazip.com
28 icanhazip.com
31 ipinfo.io
240 icanhazip.com
243 icanhazip.com
494 ipinfo.io
497 ipinfo.io
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.tencent.mtt

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.tencent.mtt

ioc	pid	process
/data/user/0/com.tencent.mtt/gGTggfjg9U/hygyUtg78qgdGug/base.apk.jwUw8fI1.fIy	4561	com.tencent.mtt

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mtt

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

/data/user/0/com.tencent.mtt/gGTggfjg9U/hygyUtg78qgdGug/base.apk.jwUw8fI1.fIy

Filesize
2.0MB

MD5
fedf5904b8284b9ca9c1050cb2460beb

SHA1
0d15bb251093f79701fff7cc9fcb81a5a1366a23

SHA256
d3cb089682763f902160ca61352cb282216ff42407a83a17d06e2ec57c7a8d6e

SHA512
39680d46ddee9713f112afe57800807093024ef00175fe9c9caa58a532b3fe11e25fd5aefc955a920e31ac18f1996701b83fceddae0a5ec751a0b02f8bf3ded8

Download Submit
/data/user/0/com.tencent.mtt/gGTggfjg9U/hygyUtg78qgdGug/tmp-base.apk.jwUw8fI7078689802909564950.fIy

Filesize
925KB

MD5
f65f9baff80a0a15d5ec92aaae235dcf

SHA1
836da1f2e92b1ec426531b5ae1aaaa619c9a5f2a

SHA256
1eee2ef3b6ba06ed10571100a4e2c29303321922baad7e04e04658395e949d8f

SHA512
b2b13cf88e6001756037a61e1829ec653fd140928e0846167e92e79e70dd511b591c4beca7116b438d2da3c4e0867393f04da63150a2c1998ae752c20ca32a92

Download Submit