Analysis

  • max time kernel
    895717s
  • max time network
    167s
  • platform
    android_x64
  • resource
    android-x64-arm64-20230831-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20230831-en, locale:en-us, os:android-11-x64, system
  • submitted
    15-10-2023 22:00

General

  • Target
    88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b.apk
  • Size
    4.6MB
  • MD5
    98f1b616fb6dda391b672523e1a211b4
  • SHA1
    3c3a6d61263837b84cb56a12bcce6957305d7927
  • SHA256
    88e8bc678b99ab7dfb6bf9336f322a0c1dc959e09459c6433b9830f9c718a68b
  • SHA512
    1be3a1a19d2cdbc002a835f3abba12811bb37a23656ca567085d2ce652a7e2b35ac40e49a1487b05a5a565f6817b157ff905bf10d92ed007d3e23798e07b350c
  • SSDEEP
    98304:YonHYXBsyc4NR9T13zE8HjhR1Iok8Jzijm0DucfuhKLtPG:YiYXXcCRjE8DlIWAjDDuc3Lte

Malware Config

Signatures

  • FluBot
    FluBot is an Android banking trojan that uses overlays.
  • FluBot payload (1 IoC)
  • Makes use of the framework's Accessibility service. (3 IoCs)
  • Removes its main activity from the application launcher (1 IoC)
  • Loads dropped Dex/Jar (1 IoC)
    Runs an executable file dropped to the device during analysis.
  • Requests enabling of the accessibility settings. (1 IoC)
  • Looks up external IP address via web service (6 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
  • Removes a system notification. (1 IoC)
  • Uses Crypto APIs (Might try to encrypt user data). (1 IoC)

Processes

  • com.tencent.mobileqq (PID 4587)
    • Makes use of the framework's Accessibility service.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.tencent.mobileqq/sguggjU88d/drhUGIUfhIyyj98/base.apk.8Ugdjy81.h8g
    Filesize: 2.1MB
    MD5: b8c8df5e956237219ca20d3751c91a4f
    SHA1: 4d298251bce8119417c29ef23227b54dea0a8ac8
    SHA256: d4ced9cd73d14c09ed8515c7b9848e87a324474614362ba9595ba075747346bb
    SHA512: fc81486620a5fb74221e85894dce55437984fc5094a10245478853296411127302f0d0ff8ab95357f8725b67824f976891eaec9fb087c5adcbe71192a4bbdf26
  • /data/user/0/com.tencent.mobileqq/sguggjU88d/drhUGIUfhIyyj98/tmp-base.apk.8Ugdjy85047956824751022110.h8g
    Filesize: 938KB
    MD5: 7c6090ab20752152ac9e46c1e20938e3
    SHA1: 409711b6076754502d590b2b08379fdd63ada370
    SHA256: 18e7e1b3dd4dd0c1f597ced6ff27afa2e50fb64a8eeabd97c5167a34dd6f534c
    SHA512: 324fe0c487b16f1c6cdcd6f7d474adea66e767bcf59f109d45a567878b2e5d74ec0bebc463f475effeebcf953f1f181b32f914b4880513ae0f0d98b42fcfc8a5