flubot | cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74

Analysis

max time kernel
377750s
max time network
154s
platform
android_x86
resource
android-x86-arm-20230831-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20230831-enlocale:en-usos:android-9-x86system
submitted
09-10-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74.apk
Size

3.9MB
MD5

4e5b975596521d64b8f9ae1cbe4a9879
SHA1

64569d6caecae1cb0a7982bdcbaec104f99eb7d4
SHA256

cb43d09133f6c65bdd25001f231cc1379aa63bd8ad5a20e8671861f5f0da2b74
SHA512

530b27bed6d9b06086d3b80347acbd73c3fabc3198fb53a35918a3222586b791adee1323132e0bffd6971c75ba31f2c966a5719956a5c840e4398a0f17311199
SSDEEP

98304:eqC/loKvtb7KA0mTsL6kr3dQf+AC7rjZRFJtYvw:eqC/e47lElLdC6rj7FJz

Score

10^/10

flubot banker evasion infostealer ransomware stealth trojan

Malware Config

Signatures

FluBot
FluBot is an android banking trojan that uses overlays.
banker trojan infostealer flubot

FluBot payload 4 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_flubot
behavioral1/memory/4148-0.dex	family_flubot
behavioral1/memory/4210-0.dex	family_flubot
behavioral1/memory/4148-1.dex	family_flubot

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4148	com.tencent.mm

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4148	com.tencent.mm
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4210	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin	4148	com.tencent.mm

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.tencent.mm

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4148
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4210

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
3.1MB

MD5
8538cc53fd4119591abd013f06d128d1

SHA1
39baf7deeec73f5b121f828a01e1ebc8c048cee4

SHA256
cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903

SHA512
93cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b

Download Submit
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
3.1MB

MD5
8538cc53fd4119591abd013f06d128d1

SHA1
39baf7deeec73f5b121f828a01e1ebc8c048cee4

SHA256
cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903

SHA512
93cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b

Download Submit
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
3.1MB

MD5
dd0d4d99c94877a69ddd9401239a66fb

SHA1
eaf899526878b3142ed78ce91394afe290227041

SHA256
83be8f048b2783af5632992bbca47424328a29055a889c8dde9ff663f0347b7f

SHA512
6d385cb669c284878b399f7e14209bbd95aa1fa38f93b9596245758a1429443c66849bad286045d227e020ea934cf17f942684552513a0217950a9d40aa14424

Download Submit
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin

Filesize
3.1MB

MD5
8538cc53fd4119591abd013f06d128d1

SHA1
39baf7deeec73f5b121f828a01e1ebc8c048cee4

SHA256
cdd4364a1f94ae4e1e7e5338eb77ac491d21077ebcd693d82cc017277e64c903

SHA512
93cf0afce901b84a4f33d636f61384fb4067dbcb325c23ee0b4723071bc07ec7b5fcb0a2e65f6a12a94bd02186ea65e2d69501b944c17f7e583847eca6ae0f2b

Download Submit